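# Single-node MIT Kerberos KDC lab box: CentOS 7.3, realm VM.INTERNAL,
# host krb5server.vm.internal, reachable on a host-only and a bridged NIC.
# All guest configuration is done by the inline shell provisioner below.
VAGRANTFILE_API_VERSION = "2"

# Secrets used by the provisioner. They are read from the host environment
# (override with e.g. `KRB_MASTER_PASSWORD=... vagrant up`); the defaults are
# the original lab values and are only suitable for a throwaway VM.
KRB_MASTER_PASSWORD = ENV.fetch("KRB_MASTER_PASSWORD", "admin") # kdb5_util -P (master key / stash)
KRB_ADMIN_PASSWORD = ENV.fetch("KRB_ADMIN_PASSWORD", "admin")   # root/admin principal
KRB_TEST_PASSWORD = ENV.fetch("KRB_TEST_PASSWORD", "test")      # "test" user principal

Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
  config.vm.box = "bento/centos-7.3"
  config.vm.hostname = "krb5server.vm.internal"

  config.vm.provider :virtualbox do |vbox|
    vbox.name = "krb5server"
    vbox.cpus = 4
    vbox.memory = 8192
    # Promiscuous mode on VirtualBox adapter 2. Adapter 1 is Vagrant's NAT
    # interface, so this is presumably the first network declared below (the
    # private network) — NOTE(review): confirm that is the intended NIC.
    vbox.customize ["modifyvm", :id, "--nicpromisc2", "allow-all"]
  end

  # Host-only network
  config.vm.network "private_network", ip: "192.168.55.87", netmask: "255.255.255.0"
  # Bridged network
  config.vm.network "public_network", ip: "192.168.1.87", netmask: "255.255.255.0"
  # Replace Vagrant's default SSH forward (id "ssh") with a fixed host port.
  config.vm.network "forwarded_port", guest: 22, host: 18022, id: "ssh"

  # The passwords are handed to the script as environment variables instead of
  # being interpolated into its text, so they do not end up in the uploaded
  # script file. They are still visible in the guest's process list while the
  # kdb5_util / kadmin commands that take them as arguments are running.
  config.vm.provision "shell",
                      env: {
                        "KRB_MASTER_PASSWORD" => KRB_MASTER_PASSWORD,
                        "KRB_ADMIN_PASSWORD" => KRB_ADMIN_PASSWORD,
                        "KRB_TEST_PASSWORD" => KRB_TEST_PASSWORD
                      },
                      inline: <<-SHELL
    # Stop at the first failing command (the script used to run on regardless,
    # which can leave a half-configured KDC); -u turns a missing password
    # variable into an error instead of an empty string.
    set -eu
    # Install haveged (entropy source for key generation)
    yum -y install epel-release
    yum -y install haveged
    systemctl enable haveged.service
    systemctl start haveged.service
    # Install Kerberos server and client packages
    yum -y install krb5-server krb5-workstation pam_krb5
    # chrony: serve time to both lab subnets (Kerberos needs synchronised clocks)
    echo 'allow 192.168.1/24' >> /etc/chrony.conf
    echo 'allow 192.168.55/24' >> /etc/chrony.conf
    systemctl enable chronyd.service
    systemctl start chronyd.service
    # kdc.conf / krb5.conf: rename the stock EXAMPLE.COM realm to VM.INTERNAL
    sed -i -e 's/EXAMPLE.COM/VM.INTERNAL/g' /var/kerberos/krb5kdc/kdc.conf
    kdb5_util create -r VM.INTERNAL -s -P "$KRB_MASTER_PASSWORD"
    sed -i -e 's/# default_realm = EXAMPLE.COM/default_realm = VM.INTERNAL/' /etc/krb5.conf
    sed -i -e 's/ default_ccache_name/#default_ccache_name/' /etc/krb5.conf
    # Comment out the stock [realms]/[domain_realm] sections and append our own
    sed -i -e 's/\\[realms\\]/#[realms]/' /etc/krb5.conf
    sed -i -e 's/\\[domain_realm\\]/#[domain_realm]/' /etc/krb5.conf
    echo '' >> /etc/krb5.conf
    echo '[realms]' >> /etc/krb5.conf
    echo 'VM.INTERNAL = {' >> /etc/krb5.conf
    echo ' kdc = krb5server.vm.internal' >> /etc/krb5.conf
    echo ' admin_server = krb5server.vm.internal' >> /etc/krb5.conf
    echo '}' >> /etc/krb5.conf
    echo '' >> /etc/krb5.conf
    echo '[domain_realm]' >> /etc/krb5.conf
    echo '.vm.internal = VM.INTERNAL' >> /etc/krb5.conf
    echo 'vm.internal = VM.INTERNAL' >> /etc/krb5.conf
    # kadm5.acl: disable the stock entries, then grant every */admin principal
    # of the realm full administrative rights
    sed -i -e 's/^/#/' /var/kerberos/krb5kdc/kadm5.acl
    echo '*/admin@VM.INTERNAL *' >> /var/kerberos/krb5kdc/kadm5.acl
    kadmin.local addprinc -pw "$KRB_ADMIN_PASSWORD" root/admin
    systemctl enable krb5kdc
    systemctl start krb5kdc
    systemctl enable kadmin
    systemctl start kadmin
    # Host principal for this KDC; its key goes into the default keytab
    kadmin.local addprinc -randkey host/krb5server.vm.internal
    kadmin.local ktadd host/krb5server.vm.internal
    # Test user: local account plus a principal created through the running
    # kadmin service (this exercises the root/admin ACL entry above)
    useradd test
    kadmin -p root/admin -w "$KRB_ADMIN_PASSWORD" addprinc -pw "$KRB_TEST_PASSWORD" test
    # -norandkey keeps the password-derived key, so the exported keytab and the
    # password stay interchangeable. Without -k the first export goes into the
    # default keytab; the second copy is written to test.keytab in the script's
    # working directory — NOTE(review): confirm that location is intended.
    kadmin.local ktadd -norandkey test
    kadmin.local xst -norandkey -k test.keytab test@VM.INTERNAL
    # sshd/ssh: accept Kerberos and GSSAPI logins; forward tickets to *.vm.internal
    echo 'KerberosAuthentication yes' >> /etc/ssh/sshd_config
    sed -i -e 's/GSSAPIAuthentication no/GSSAPIAuthentication yes/' /etc/ssh/sshd_config
    sed -i -e 's/GSSAPICleanupCredentials no/GSSAPICleanupCredentials yes/' /etc/ssh/sshd_config
    echo 'Host *.vm.internal' >> /etc/ssh/ssh_config
    echo ' GSSAPIAuthentication yes' >> /etc/ssh/ssh_config
    echo ' GSSAPIDelegateCredentials yes' >> /etc/ssh/ssh_config
    authconfig --enablekrb5 --update
    systemctl restart sshd
  SHELL
end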