
Kerberos Learning (4)

2025-01-19 Update From: SLTechnology News&Howtos

Learn about the installation and configuration of Kerberos under Mac.

I am very upset that the company forces all developers to use MBPs, because using MIT Kerberos on the Mac is simply a disaster, and requests to install Linux on an ordinary laptop are not approved.

Mac OS X is a closed-source system, so installing and configuring open-source software on it is troublesome. Yes, port and brew are very convenient, but some of the C header files needed for development do not seem to be symlinked, and compiling from source still drags in many dependencies: the Kerberos source depends on the OpenSSL header files, and OpenSSL in turn has to be compiled and installed. Of course you can copy the files into place with sudo, but do you know which ones? I'm sick of it.

To be fair, if you only use kadmin and kinit, Homebrew is enough. But I want to compile a Python Kerberos library against the Kerberos header files, which is a nuisance: the brew installation does include the header files, but it does not symlink them into /usr/local/include, so the compiler cannot find them. You have to symlink them into /usr/local/include manually:

    brew install krb5
    cd /usr/local/include
    ln -sf ../Cellar/krb5/1.16.1/include/* ./
    cd /usr/local/lib
    ln -sf ../Cellar/krb5/1.16.1/lib/* ./

This is the process of preparing the development environment.

Next, configuration. Few people develop with or use Kerberos on the Mac, so to find out how to configure it I went straight to searching outside the Chinese Internet and found the official MIT documentation on configuring MIT Kerberos on the Mac. The configuration file is in a different place from Linux: it is /User/xianglei/Library/Preferences/edu.mit.Kerberos. It is made to look complicated, but it is really just the /etc/krb5.conf of Linux.

    [libdefaults]
        default_realm = EXAMPLE.COM
        dns_lookup_kdc = false
        dns_lookup_realm = false
        ticket_lifetime = 1296000
        renew_lifetime = 2592000
        forwardable = true
        default_tgs_enctypes = rc4-hmac
        default_tkt_enctypes = rc4-hmac
        permitted_enctypes = 1
        kdc_timeout = 3000

    [kdcdefaults]
        kdc_ports = 88
        kdc_tcp_ports = 88

    [realms]
        EXAMPLE.COM = {
            kdc = 192.168.130.128
            admin_server = 192.168.130.128
            # master_key_type = aes256-cts
            acl_file = /var/kerberos/krb5kdc/kadm5.acl
            dict_file = /usr/share/dict/words
            admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
            supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
            max_renewable_life = 30d
        }

This is the content of /User/xianglei/Library/Preferences/edu.mit.Kerberos. The IP addresses of the KDC server and the kadmin server are those of a virtual machine on my local machine.

    kinit
    xianglei/admin@EXAMPLE.COM's password:
    Encryption type arcfour-hmac-md5(23) used for authentication is weak and will be deprecated

There is no problem with kinit login authentication. It prints a deprecation warning: rc4-hmac is too weak and will be deprecated.
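A defensive check for the weakness that kinit warns about above, as an added example that is not from the original post: it scans krb5.conf-style text and reports every weak or deprecated enctype it finds. The function name, the weak-enctype set (based on the names MIT krb5 documents as weak or deprecated) and the shortened sample text are assumptions of this example.

```python
import re

# Enctype names MIT krb5 documents as weak or deprecated (single-DES, 3DES, RC4).
WEAK = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac-exp",
        "arcfour-hmac-exp", "arcfour-hmac-md5-exp", "rc4", "des", "des3",
        "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-hmac-sha1", "des-cbc-raw",
        "des3-cbc-sha1", "des3-hmac-sha1", "des3-cbc-raw", "des3-cbc-sha1-kd"}
ENCTYPE_KEYS = {"default_tkt_enctypes", "default_tgs_enctypes",
                "permitted_enctypes", "supported_enctypes"}

def audit_enctypes(conf_text):
    """Return (section, key, weak_enctype) for every weak enctype configured."""
    findings, section = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                                # section header such as [libdefaults]
            section = m.group(1)
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or key not in ENCTYPE_KEYS:
            continue
        for token in re.split(r"[\s,]+", value.strip()):
            name = token.split(":")[0].lower()   # drop a ":normal" salt suffix
            if name in WEAK:
                findings.append((section, key, name))
    return findings

# Constructed sample: a shortened form of the configuration shown above.
SAMPLE = """
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tgs_enctypes = rc4-hmac
    default_tkt_enctypes = rc4-hmac
[realms]
    EXAMPLE.COM = {
        # master_key_type = aes256-cts
        supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-cbc-md5:normal
    }
"""

if __name__ == "__main__":
    for section, key, enctype in audit_enctypes(SAMPLE):
        print(f"[{section}] {key}: weak enctype {enctype}")
```

On the sample it reports both rc4-hmac defaults plus the 3DES, RC4 and single-DES entries in supported_enctypes, and leaves the AES entries alone.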

However, there is a problem with kadmin login on the Mac:

    kadmin
    kadmin: kadm5_init_with_password: init_sec_context failed with 851968/-1765328377

It can only report this kind of segment fault. After searching with a search engine outside the firewall (don't bother with Baidu; I have seen hardly any articles about Kerberos in Chinese), the final conclusion is that the format of the data exchanged between the Kerberos implemented on the Mac and MIT Kerberos is inconsistent. Here is the solution: use kinit's -S parameter to get the ticket directly from the KDC, instead of going through krbtgt/EXAMPLE.COM in the middle.

    kinit -S kadmin/admin xianglei/admin@EXAMPLE.COM
    xianglei/admin@EXAMPLE.COM's password:
    Encryption type arcfour-hmac-md5(23) used for authentication is weak and will be deprecated
    kadmin
    kadmin> ?
    stash, kstash                   stash
    dump                            dump [dump-file]
    od-dump                         od-dump [dump-file]
    init                            init realm...
    load                            load file
    merge                           merge file
    add, ank, add_new_key           add principal...
    passwd, cpw, change_password    passwd principal...
    delete, del, del_entry          delete principal...
    del_enctype                     del_enctype principal enctype...
    add_enctype                     add_enctype principal enctype...
    ext_keytab                      ext_keytab principal...
    get, get_entry                  get principal...
    rename                          rename from to
    modify                          modify principal
    privileges, privs               privileges
    list                            list principal...
    verify-password-quality, pwq    verify-password-quality principal password
    check                           check [realm]
    lock                            lock
    unlock                          unlock
    help, ?                         help [command]
    exit, quit                      exit

Then you can enter kadmin directly, which is equivalent to using kadmin.local directly.

Now for Kerberos-related C development on the Mac. The cause is that the Cloudera enterprise edition purchased by Party A, our "father", is about to expire, and the father said: son, your technical skills are so strong, and with the Sino-US trade war I have no money in my pocket to buy the CDH enterprise edition, so why don't you maintain it yourself? What can we, the son at Party B, say? Grit our teeth: all right.

However, Party A's enterprise edition includes Kerberos. Maintaining Hadoop after it expires is no problem, but the enterprise edition's Kerberos keytab management and distribution function cannot be used once it expires, so a Kerberos management tool has to be developed as soon as possible to replace the original Cloudera Manager function. So I intend to write an interface in Python to automate the creation and management of all Hadoop-related keytabs. Although Python has many Kerberos libraries, none of them handles admin management, and in the end I found one package on PyPI. It turned out to have too many bugs: it was released several years ago, is unmaintained, fails to compile with all sorts of errors, and cannot be installed on CentOS 7 or on Ubuntu. I had to make do by calling the command line first. Yesterday I had time to read and modify the admin C code and republish it as a package. That is why I was doing Kerberos C development yesterday, and why I complained about the Mac being garbage: there is no source code, and it isn't fucking compatible with MIT. GCC also has to be installed separately; the default is clang.

Well, with the dynamic libraries and header files installed by brew symlinked into /usr/local/lib and /usr/local/include, the modified source code can be compiled directly. But because it calls the Mac's own dynamic library, whose administrator authentication protocol is still different, it compiles on the Mac yet still reports a Segment Fault when used. Compilation under Ubuntu, CentOS 7 and other Linux distributions has been fixed.

For programmers like me, the best development environment is neither Mac nor Windows. It would be great to be given even a beat-up notebook with Ubuntu or Arch installed. Software development has to ensure POSIX portability and compatibility. I strongly despise services that can go down with any upgrade or system patch.

The python-kadmV code, with extended functionality and bug fixes, is open source on GitHub. Compared with the original released a few years ago, besides fixing many compilation errors it adds renaming a principal and creating a keytab. The Python package is written entirely in C and compiles and installs against the native Kerberos library, so subprocess is no longer needed to call the command line.

I think that after the changes it is considerably more powerful than the original version. You can addprinc, delprinc, listprincs, renprinc and ktadd directly in Python. For a principal you can get and set various properties, such as resetting the password, setting a random password and setting the expiration time, which is basically the same as using the kadmin command line directly. The kadmin class I used to wrap around the command line has been completely replaced with this package, with no trouble.

It is also published on PyPI, so anyone who needs it can directly run

    pip install python-kadmv

However, apart from the Python library, the experience in this blog may be of little use to most people. Most people will not use Kerberos, let alone develop on top of Kerberos, let alone do Kerberos development on a Mac.

Fuck Apple
