Kerberos cheat sheet
Article Number: 4541 ■ Publication Date: May 24, 2018 ■ Author: Pivotal Admin ■ Dec 20, 2018 ■ Knowledge Article

Summary
This article lists common commands for Kerberos administration. The platform used is CentOS 6.

Product: Pivotal HD

Procedure

1. Install the packages:

    yum install krb5-libs krb5-workstation krb5-server

2. Configuration files (default locations for Pivotal HD):

    KDC configuration on the KDC host       /var/kerberos/krb5kdc/kdc.conf
    Kerberos configuration on all hosts     /etc/krb5.conf
    kadmind ACL on the KDC host             /var/kerberos/krb5kdc/kadm5.acl

3. KDC database maintenance. kdb5_util allows an administrator to perform maintenance procedures on the KDC database.

   a. Back up the KDC database:

        [root@admin]# kdb5_util dump -verbose /backup/kdc.dump
        HTTP/hdm.xxx.com@VIADEA.COM
        HTTP/hdw1.xxx.com@VIADEA.COM
        HTTP/hdw2.xxx.com@VIADEA.COM

   b. Use strings to check the content of the dump file:

        strings /backup/kdc.dump

      The dump holds every principal's key material (encrypted under the master key), so protect the file as carefully as the database itself.

   c. Restore the KDC database:

        kdb5_util load /backup/kdc.dump

   d. Add a new master key. This adds a key to the master key principal but does not mark it as active:

        [root@admin]# kdb5_util add_mkey
        Creating new master key for master key principal 'K/M@VIADEA.COM'
        You will be prompted for a new database Master Password.
        It is important that you NOT FORGET this password.
        Enter KDC database master key:
        Re-enter KDC database master key to verify:

   e. List all master keys in the master key principal, from most recent to earliest:

        [root@admin]# kdb5_util list_mkeys
        Master keys for Principal: K/M@VIADEA.COM
        KNVO: 2, Enctype: aes256-cts-hmac-sha1-96, No activate time set
        KNVO: 1, Enctype: aes256-cts-hmac-sha1-96, Active on: Wed Dec 31 16:00:00 PST 1969 *

   f. Activate the new master key. Once a master key becomes active, it is used to encrypt newly created principal keys.

        kdb5_util use_mkey mkeyVNO [time]

      Example:

        [root@admin]# kdb5_util use_mkey 2
        [root@admin]# kdb5_util list_mkeys
        Master keys for Principal: K/M@VIADEA.COM
        KNVO: 2, Enctype: aes256-cts-hmac-sha1-96, Active on: Tue Jun 10 15:39:01 PDT 2014 *
        KNVO: 1, Enctype: aes256-cts-hmac-sha1-96, Active on: Wed Dec 31 16:00:00 PST 1969

   g. Re-encrypt all principal keys under the new master key. update_princ_encryption updates all principal records (or only those matching the princ-pattern glob pattern) to re-encrypt their key data using the active database master key if they are encrypted under a different version, and prints a count of the principals updated at the end.

      Dry run:

        [root@admin]# kdb5_util update_princ_encryption -v -n
        Principals whose keys WOULD BE re-encrypted to master key vno 2:
        would update: HTTP/hdm.xxx.com@VIADEA.COM
        (......)
        would update: yarn/hdw3.xxx.com@VIADEA.COM
        22 principals processed: 22 would be updated, 0 already current

      Run it:

        [root@admin]# kdb5_util update_princ_encryption -v
        Re-encrypt all keys not using master key vno 2? (type 'yes' to confirm)? yes
        Principals whose keys are being re-encrypted to master key vno 2 if necessary:
        updating: HTTP/hdm.xxx.com@VIADEA.COM
        skipping: HTTP/hdm.xxx.com@VIADEA.COM
        updating: HTTP/hdw1.xxx.com@VIADEA.COM
        (......)
        23 principals processed: 22 updated, 1 already current

   h. Create the stash file for the new master key, replacing the existing one:

        [root@admin]# kdb5_util stash /var/kerberos/krb5kdc/.k5.VIADEA.COM
        Using existing stashed keys to update stash file.

   i. Delete old master keys. purge_mkeys removes master keys from the master key principal that are no longer used to protect any principal.

      Dry run:

        [root@admin]# kdb5_util purge_mkeys -v -n
        Would purge the follwing master key(s) from K/M@VIADEA.COM:
        KVNO: 1
        1 key(s) would be purged.

      Run it:

        [root@admin]# kdb5_util purge_mkeys -v
        Will purge all unused master keys stored in the 'K/M@VIADEA.COM' principal, are you sure?
        (type 'yes' to confirm)? yes
        OK, purging unused master keys from 'K/M@VIADEA.COM'...
        Purging the follwing master key(s) from K/M@VIADEA.COM:
        KVNO: 1
        1 key(s) purged.

   j. Create a new database:

        kdb5_util create -s

   k. Destroy a database:

        kdb5_util destroy

4. Principal administration

   List principals:

        kadmin.local: list_principals yarn*
        yarn/hdm.xxx.com@VIADEA.COM
        yarn/hdw1.xxx.com@VIADEA.COM
        yarn/hdw2.xxx.com@VIADEA.COM
        yarn/hdw3.xxx.com@VIADEA.COM

   View a principal's attributes:

        kadmin.local: getprinc yarn/hdm.xxx.com
        Principal: yarn/hdm.xxx.com@VIADEA.COM
        Expiration date: [never]
        Last password change: Sat Jun 07 14:49:36 PDT 2014
        Password expiration date: [none]
        Maximum ticket life: 1 day 00:00:00
        Maximum renewable life: 7 days 00:00:00
        Last modified: Tue Jun 10 15:49:49 PDT 2014 (K/M@VIADEA.COM)
        Last successful authentication: [never]
        Last failed authentication: [never]
        Failed password attempts: 0
        Number of keys: 6
        Key: vno 1, aes256-cts-hmac-sha1-96, no salt
        Key: vno 1, aes128-cts-hmac-sha1-96, no salt
        Key: vno 1, des3-cbc-sha1, no salt
        Key: vno 1, arcfour-hmac, no salt
        Key: vno 1, des-hmac-sha1, no salt
        Key: vno 1, des-cbc-md5, no salt
        MKey: vno 2
        Attributes:
        Policy: [none]

   Create a new principal:

        kadmin.local: addprinc mysuperman/admin@VIADEA.COM
        WARNING: no policy specified for mysuperman/admin@VIADEA.COM; defaulting to no policy
        Enter password for principal "mysuperman/admin@VIADEA.COM":
        Re-enter password for principal "mysuperman/admin@VIADEA.COM":
        Principal "mysuperman/admin@VIADEA.COM" created.

   Change the password for a principal:

        kadmin.local: cpw tim@VIADEA.COM
        Enter password for principal "tim@VIADEA.COM":
        Re-enter password for principal "tim@VIADEA.COM":
        Password for "tim@VIADEA.COM" changed.

   Alternatively, use kpasswd:

        [root@admin ~]# kpasswd duncan2
        Password for duncan2@VIADEA.COM:
        Enter new password:
        Enter it again:

   Delete a principal:

        kadmin.local: delete_principal testuser
        Are you sure you want to delete the principal "testuser@VIADEA.COM"? (yes/no): yes
        Principal "testuser@VIADEA.COM" deleted.
        Make sure that you have removed this principal from all ACLs before reusing.

   Rename a principal:

        kadmin.local: rename_principal duncan duncan2
        Are you sure you want to rename the principal "duncan@VIADEA.COM" to "duncan2@VIADEA.COM"? (yes/no): yes
        Principal "duncan@VIADEA.COM" renamed to "duncan2@VIADEA.COM".
        Make sure that you have removed the old principal from all ACLs before reusing.

   Modify a principal to use a policy:

        kadmin.local: modify_principal -policy testpolicy duncan2
        Principal "duncan2@VIADEA.COM" modified.

   Unlock a principal:

        kadmin.local: modify_principal -unlock duncan2
        Principal "duncan2@VIADEA.COM" modified.

5. Policy administration

   Create a policy:

        kadmin.local: add_policy -minlength 1 -minlength 5 -maxlife "999 days" -maxfailure 3 testpolicy

   List policies:

        kadmin.local: list_policies
        testpolicy

   Modify a policy:

        kadmin.local: modify_policy -minlength 3 testpolicy

   View a policy's attributes:

        kadmin.local: get_policy testpolicy
        Policy: testpolicy
        Maximum password life: 86313600
        Minimum password life: 0
        Minimum password length: 3
        Minimum number of password character classes: 1
        Number of old keys kept: 1
        Reference count: 0
        Maximum password failures before lockout: 3
        Password failure count reset interval: 0 days 00:00:00
        Password lockout duration: 0 days 00:00:00

   Delete a policy:

        kadmin.local: delete_policy testpolicy

6. Keytab administration

   Add principals to a keytab (-norandkey keeps the principal's existing key instead of randomizing it, so the principal's password keeps working):

        kadmin.local: ktadd -norandkey -k /tmp/tmp.keytab duncan2@VIADEA.COM
        Entry for principal duncan2@VIADEA.COM with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/tmp.keytab.
        Entry for principal duncan2@VIADEA.COM with kvno 1, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/tmp.keytab.
        Entry for principal duncan2@VIADEA.COM with kvno 1, encryption type des3-cbc-sha1 added to keytab WRFILE:/tmp/tmp.keytab.
        Entry for principal duncan2@VIADEA.COM with kvno 1, encryption type arcfour-hmac added to keytab WRFILE:/tmp/tmp.keytab.
        Entry for principal duncan2@VIADEA.COM with kvno 1, encryption type des-hmac-sha1 added to keytab WRFILE:/tmp/tmp.keytab.
        Entry for principal duncan2@VIADEA.COM with kvno 1, encryption type des-cbc-md5 added to keytab WRFILE:/tmp/tmp.keytab.

   Display the key list (principals) in a keytab file:

        [root@admin ~]# klist -kt /tmp/tmp.keytab
        Keytab name: FILE:/tmp/tmp.keytab
        KVNO Timestamp         Principal
        ---- ----------------- --------------------------------------------------------
           1 06/10/14 22:08:00 duncan2@VIADEA.COM
           1 06/10/14 22:08:00 duncan2@VIADEA.COM
           1 06/10/14 22:08:00 duncan2@VIADEA.COM
           1 06/10/14 22:08:00 duncan2@VIADEA.COM
           1 06/10/14 22:08:00 duncan2@VIADEA.COM
           1 06/10/14 22:08:00 duncan2@VIADEA.COM

   Remove a principal's entries from a keytab file:

        kadmin.local: ktremove -k /tmp/tmp.keytab duncan2@VIADEA.COM
        Entry for principal duncan2@VIADEA.COM with kvno 1 removed from keytab WRFILE:/tmp/tmp.keytab.
        Entry for principal duncan2@VIADEA.COM with kvno 1 removed from keytab WRFILE:/tmp/tmp.keytab.
        Entry for principal duncan2@VIADEA.COM with kvno 1 removed from keytab WRFILE:/tmp/tmp.keytab.
        Entry for principal duncan2@VIADEA.COM with kvno 1 removed from keytab WRFILE:/tmp/tmp.keytab.
        Entry for principal duncan2@VIADEA.COM with kvno 1 removed from keytab WRFILE:/tmp/tmp.keytab.
        Entry for principal duncan2@VIADEA.COM with kvno 1 removed from keytab WRFILE:/tmp/tmp.keytab.

   Authenticate using a keytab:

        kinit -kt /etc/security/phd/keytab/hdfs.service.keytab hdfs/hdm.xxx.com@VIADEA.COM

7. Credential cache administration

   List principals in the credential cache:

        [root@admin ~]# klist
        Ticket cache: FILE:/tmp/krb5cc_0
        Default principal: tim@VIADEA.COM

        Valid starting     Expires            Service principal
        06/10/14 22:24:22  06/11/14 22:24:22  krbtgt/VIADEA.COM@VIADEA.COM
                renew until 06/17/14 22:24:22

   Destroy the credential cache. Note: this only destroys the credential cache of the user running kdestroy; other users' caches in /tmp are untouched.

        [testuser@admin ~]$ ls -altr /tmp/krb5*
        -rw-------. 1 root     root     741 Jun 10 22:24 /tmp/krb5cc_0
        -rw-------. 1 testuser testuser 758 Jun 10 22:36 /tmp/krb5cc_501
        [root@admin ~]# kdestroy
        [root@admin ~]# ls -altr /tmp/krb*
        -rw-------. 1 testuser testuser 758 Jun 10 22:36 /tmp/krb5cc_501
        [root@admin ~]# klist
        klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)

8. Kerberos services

   KDC service:

        /etc/init.d/krb5kdc start

   kadmin service:

        /etc/init.d/kadmin start
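The keytab created in section 6 carries DES and RC4 entries alongside the AES ones. As an added example (not part of the original article), the POSIX shell audit below parses klist -ket style output and reports every entry whose encryption type is DES, 3DES or RC4; the sample listing is constructed to match the duncan2 keytab above, and the principal name and enctype set are assumptions taken from that section.

```shell
#!/bin/sh
# Constructed sample of `klist -ket /tmp/tmp.keytab` output (-e prints the
# enctype of each entry in parentheses); mirrors the keytab from section 6.
SAMPLE_KLIST='Keytab name: FILE:/tmp/tmp.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 06/10/14 22:08:00 duncan2@VIADEA.COM (aes256-cts-hmac-sha1-96)
   1 06/10/14 22:08:00 duncan2@VIADEA.COM (aes128-cts-hmac-sha1-96)
   1 06/10/14 22:08:00 duncan2@VIADEA.COM (des3-cbc-sha1)
   1 06/10/14 22:08:00 duncan2@VIADEA.COM (arcfour-hmac)
   1 06/10/14 22:08:00 duncan2@VIADEA.COM (des-hmac-sha1)
   1 06/10/14 22:08:00 duncan2@VIADEA.COM (des-cbc-md5)'

# weak_enctypes: read klist -ket output on stdin and print "principal enctype"
# for every entry using a DES, 3DES or RC4 (arcfour) key. Entry lines have the
# layout: KVNO date time principal (enctype).
weak_enctypes() {
    awk '$5 ~ /^\(/ {
        princ = $4
        enc = $5
        gsub(/[()]/, "", enc)
        if (enc ~ /^(des-|des3-|arcfour-)/) print princ, enc
    }'
}

# audit_keytab_file: run the check against a real keytab on the KDC host.
audit_keytab_file() {
    klist -ket "$1" | weak_enctypes
}

# count_weak: number of weak entries found in the constructed sample.
count_weak() {
    printf '%s\n' "$SAMPLE_KLIST" | weak_enctypes | wc -l | tr -d ' '
}
```

Once the weak entries are identified, ktremove (section 6) removes them from the keytab and the allowed enctypes can be restricted in kdc.conf so that ktadd no longer generates them.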