kerberos 命令备忘

主体

在 KDC 中新增主体：

$ kadmin.local
kadmin.local:  addprinc webb
WARNING: no policy specified for webb@AMBARI.APACHE.ORG; defaulting to no policy
Enter password for principal "webb@AMBARI.APACHE.ORG":
Re-enter password for principal "webb@AMBARI.APACHE.ORG":
Principal "webb@AMBARI.APACHE.ORG" created.

或者：

$ kadmin.local -q "addprinc hue/u1401.ambari.apache.org@AMBARI.APACHE.ORG"

keytab

为主体 webb@AMBARI.APACHE.ORG 生成 keytab 文件，文件名是 webb.keytab（当前目录下生成）

$ kadmin.local
kadmin.local:  ktadd -k webb.keytab webb@AMBARI.APACHE.ORG
Entry for principal webb@AMBARI.APACHE.ORG with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:webb.keytab.
Entry for principal webb@AMBARI.APACHE.ORG with kvno 3, encryption type arcfour-hmac added to keytab WRFILE:webb.keytab.
Entry for principal webb@AMBARI.APACHE.ORG with kvno 3, encryption type des3-cbc-sha1 added to keytab WRFILE:webb.keytab.
Entry for principal webb@AMBARI.APACHE.ORG with kvno 3, encryption type des-cbc-crc added to keytab WRFILE:webb.keytab.
kadmin.local:  exit

使用keytab文件登录（而不是密码）：

$ kinit -k -t webb.keytab webb

显示keytab文件中主体和加密类型：

$ klist -e -k webb.keytab 
Keytab name: FILE:webb.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 webb@AMBARI.APACHE.ORG (aes256-cts-hmac-sha1-96)
   2 webb@AMBARI.APACHE.ORG (arcfour-hmac)
   2 webb@AMBARI.APACHE.ORG (des3-cbc-sha1)
   2 webb@AMBARI.APACHE.ORG (des-cbc-crc)
   3 webb@AMBARI.APACHE.ORG (aes256-cts-hmac-sha1-96)
   3 webb@AMBARI.APACHE.ORG (arcfour-hmac)
   3 webb@AMBARI.APACHE.ORG (des3-cbc-sha1)
   3 webb@AMBARI.APACHE.ORG (des-cbc-crc)

以上是安装了启用了kerberos的AMBARI下的keytab。而仅安装kerberos后测试的结果是：

$  klist -e -k webb.keytab
Keytab name: FILE:webb.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 webb@AMBARI.APACHE.ORG (aes256-cts-hmac-sha1-96)
   2 webb@AMBARI.APACHE.ORG (arcfour-hmac)
   2 webb@AMBARI.APACHE.ORG (des3-cbc-sha1)
   2 webb@AMBARI.APACHE.ORG (des-cbc-crc)