I am having some trouble getting my kadmin to work. Everything works fine in kadmin.local, but whenever I use kadmin it does not seem to be using the kadm5.acl file.
I have this in the file:
$ cat /var/kerberos/krb5kdc/kadm5.acl
*/admin@HADOOP.COM *
kadmin connects to the KDC server correctly, and DNS lookup and reverse DNS work as well.
My kdc.conf looks like this:
$ cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 750,88
[realms]
HADOOP.COM = {
admin_keytab = FILE:/var/kerberos/krb5kdc/kadm5.keytab
kadmind_port = 749
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
database_name = /var/kerberos/krb5kdc/principal
acl_file = /var/kerberos/krb5kdc/kadm5.acl
#key_stash_file = /var/kerberos/krb5kdc/.k5.HADOOP.COM
}
and
$ cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = HADOOP.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
HADOOP.COM = {
kdc = evl2400469.eu.verio.net:88
admin_server = evl2400469.eu.verio.net:749
default_domain = hadoop.com
}
[domain_realm]
.hadoop.com = HADOOP.COM
hadoop.com = HADOOP.COM
So when I try to do things like adding a principal or getting the list of principals, I get:
kadmin: list_principals
get_principals: Operation requires ``list'' privilege while retrieving list.
kadmin: getprivs
current privileges: GET ADD MODIFY DELETE
I really don't know where the problem in my configuration is.
I even tried getting a ticket before using the kadmin console:
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: kadmin/admin@HADOOP.COM

Valid starting     Expires            Service principal
05/21/14 10:13:34  05/21/14 13:13:34  krbtgt/HADOOP.COM@HADOOP.COM
        renew until 05/22/14 10:13:34

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
Thanks a lot for your help :)
Best answer
Try editing /var/kerberos/krb5kdc/kadm5.acl:
*/admin@HADOOP.COM *
You need to restart the kadmind daemon for changes in the ACL file to take effect:
service kadmind restart
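The answer's point is that kadmind only reads kadm5.acl when it starts, so the file on disk and the rules kadmind is actually enforcing can differ until the daemon is restarted. The following is an added example, not code from the question, the answer or MIT krb5: a small evaluator that applies kadm5.acl entries to a principal the way the MIT kadm5.acl man page describes them, to my reading of it (a `*` stands for one whole name component or the realm, the first matching entry applies, lowercase letters grant a privilege, uppercase letters deny it, and `x` or `*` means all privileges). The sample ACL is constructed: it contains the poster's `*/admin@HADOOP.COM *` line plus two hypothetical entries (`hdfs/*` and `auditor`) to show a narrower grant and an explicit denial. Target-principal back-references and restrictions are not modelled.

```python
"""Evaluate kadm5.acl entries for a principal (added example, not MIT krb5 code).

Models the kadm5.acl rules as read from the MIT man page:
  principal  permissions  [target_principal  [restrictions]]
- '*' matches one whole name component (or the whole realm), not part of one;
- the first entry whose principal pattern matches is the one that applies;
- lowercase letters grant a privilege, uppercase letters deny it,
  'x' and '*' mean all privileges.
Target-principal back-references and restrictions are kept but not evaluated.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Privilege letters from the kadm5.acl man page (letter -> operation).
PRIVS = {
    "a": "add", "c": "changepw", "d": "delete", "e": "extract",
    "i": "inquire", "l": "list", "m": "modify", "p": "iprop", "s": "setkey",
}
ALL_PRIVS = frozenset(PRIVS)


@dataclass(frozen=True)
class AclEntry:
    principal: str                 # pattern such as */admin@HADOOP.COM
    allow: FrozenSet[str]
    deny: FrozenSet[str]
    target: Optional[str] = None   # optional target-principal pattern (not evaluated here)


def split_principal(name: str) -> Tuple[List[str], str]:
    """'kadmin/admin@HADOOP.COM' -> (['kadmin', 'admin'], 'HADOOP.COM')."""
    body, sep, realm = name.rpartition("@")
    if not sep:                    # no '@' at all: whole string is the name, empty realm
        body, realm = name, ""
    return body.split("/"), realm


def principal_matches(pattern: str, principal: str) -> bool:
    """Component-wise match; '*' stands for one whole component or the realm."""
    pat_comps, pat_realm = split_principal(pattern)
    comps, realm = split_principal(principal)
    if len(pat_comps) != len(comps):   # */admin does not match a 1- or 3-part name
        return False
    if pat_realm not in ("*", realm):
        return False
    return all(p in ("*", c) for p, c in zip(pat_comps, comps))


def parse_permissions(flags: str) -> Tuple[FrozenSet[str], FrozenSet[str]]:
    allow, deny = set(), set()
    for ch in flags:
        if ch in ("x", "*"):
            allow |= ALL_PRIVS
        elif ch in PRIVS:
            allow.add(ch)
        elif ch.lower() in PRIVS:      # uppercase letter = explicit denial
            deny.add(ch.lower())
        else:
            raise ValueError(f"unknown permission flag {ch!r}")
    return frozenset(allow), frozenset(deny)


def parse_acl(text: str) -> List[AclEntry]:
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank lines and '#' comment lines
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"kadm5.acl line {lineno}: expected principal and permissions")
        allow, deny = parse_permissions(fields[1])
        target = fields[2] if len(fields) > 2 else None   # fields after it are restrictions
        entries.append(AclEntry(fields[0], allow, deny, target))
    return entries


def privileges(entries: List[AclEntry], principal: str) -> FrozenSet[str]:
    """Privileges of the first matching entry; no match means no privileges."""
    for entry in entries:
        if principal_matches(entry.principal, principal):
            return entry.allow - entry.deny
    return frozenset()


def allowed(entries: List[AclEntry], principal: str, priv: str) -> bool:
    return priv in privileges(entries, principal)


# Constructed sample ACL: the poster's line plus two hypothetical entries.
SAMPLE_ACL = """\
# Kerberos admin ACL for HADOOP.COM (constructed sample)
# every */admin principal in the realm: all privileges
*/admin@HADOOP.COM      *
# read-only service account: inquire and list
hdfs/*@HADOOP.COM       il
# everything except listing principals
auditor@HADOOP.COM      xL
"""

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for who in ("kadmin/admin@HADOOP.COM", "hdfs/nn1.hadoop.com@HADOOP.COM",
                "auditor@HADOOP.COM", "kadmin/admin@OTHER.COM"):
        print(f"{who:35} list={allowed(acl, who, 'l')} privs={sorted(privileges(acl, who))}")
```

Run against the poster's own line, `kadmin/admin@HADOOP.COM` gets every privilege including `l`, which is why the file as shown cannot be the reason for the "requires ``list'' privilege" error: the running kadmind must still be using whatever it loaded at startup. After `service kadmind restart`, a one-shot check such as `kadmin -p kadmin/admin -q listprincs` (kadmin's `-q` runs a single query) confirms that the new ACL is in force.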
On "Kerberos: kadmin not working properly", a similar question can be found on Stack Overflow: https://stackoverflow.com/questions/23779468/