Kerberos Cheat Sheet

Introduction

This cheat sheet contains common commands for Kerberos administration and troubleshooting.

User commands

List the current principal and the tickets held in the credential cache

$> klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: kafka_producer/[email protected]

Valid starting     Expires            Service principal
05/23/18 08:56:59  05/24/18 08:56:59  krbtgt/[email protected]

Obtain and cache a ticket for a principal

$> kinit  kafka/admin
Password for kafka/[email protected]: 

Obtain and cache a ticket for a principal from a keytab

$> kinit -k -t /var/lib/secret/kafka.key kafka/admin 

List the credentials contained in a keytab

$> klist -k -t /var/lib/secret/kafka.key 
Keytab name: FILE:/var/lib/secret/kafka.key
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 05/23/18 08:56:43 zookeeper/[email protected]
   2 05/23/18 08:56:43 zookeeper/[email protected]
   2 05/23/18 08:56:43 kafka/[email protected]
   2 05/23/18 08:56:43 kafka/[email protected]
   2 05/23/18 08:56:43 kafka/[email protected]
   2 05/23/18 08:56:43 kafka/[email protected]
   2 05/23/18 08:56:43 kafka/[email protected]
   2 05/23/18 08:56:43 kafka/[email protected]
   2 05/23/18 08:56:43 kafka_consumer/[email protected]
   2 05/23/18 08:56:43 kafka_consumer/[email protected]
   2 05/23/18 08:56:43 kafka_producer/[email protected]
   2 05/23/18 08:56:43 kafka_producer/[email protected]

Destroy credential cache

$> kdestroy

Administration commands

Adding a new principal to the KDC database

$> kadmin.local -w password -q "add_principal -pw my_password kafka/[email protected]" 
WARNING: no policy specified for [email protected]; defaulting to no policy
Principal "kafka/[email protected]" created

Adding a new principal to the KDC database with a random key

$> kadmin.local -w password -q "add_principal -randkey kafka/[email protected]" 
WARNING: no policy specified for [email protected]; defaulting to no policy
Principal "kafka/[email protected]" created

Exporting principals to a keytab

$> kadmin.local -w password -q "ktadd  -k /var/lib/secret/kafka.key -glob kafka/*"
Entry for principal kafka/[email protected] with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal kafka/[email protected] with kvno 3, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal kafka/[email protected] with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal kafka/[email protected] with kvno 3, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal kafka/[email protected] with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal kafka/[email protected] with kvno 3, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab
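
Auditing a keytab listing (an added example, not part of the original cheat sheet): the ktadd output above reports kvno 3 while the earlier klist -k -t listing shows kvno 2, so a keytab that has been appended to can hold superseded keys next to current ones. The functions below summarise `klist -k -t` output read on stdin; the function names, principals and realm in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise `klist -k -t <keytab>` output read on stdin.

# One line per principal: "<principal> entries=<n> max_kvno=<k> stale=<s>",
# where stale counts entries whose KVNO is lower than the newest one present.
keytab_summary() {
  awk '
    # Entry rows start with a numeric KVNO; the header and ruler rows do not.
    $1 ~ /^[0-9]+$/ && NF >= 2 {
      p = $NF; k = $1 + 0
      n[p]++
      kvnos[p] = kvnos[p] " " k
      if (!(p in max) || k > max[p]) max[p] = k
    }
    END {
      for (p in n) {
        stale = 0
        cnt = split(kvnos[p], a, " ")
        for (i = 1; i <= cnt; i++) if (a[i] + 0 < max[p]) stale++
        printf "%s entries=%d max_kvno=%d stale=%d\n", p, n[p], max[p], stale
      }
    }
  ' | sort
}

# Succeeds (exit 0) only when no principal carries superseded keys.
keytab_is_clean() {
  ! keytab_summary | grep -qv ' stale=0$'
}

# Constructed sample in the layout of the klist -k -t listing above
# (principals and realm are made up).
sample_klist_output() {
  cat <<'EOF'
Keytab name: FILE:/var/lib/secret/kafka.key
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 05/23/18 08:56:43 kafka/broker1.example.test@EXAMPLE.TEST
   2 05/23/18 08:56:43 kafka/broker1.example.test@EXAMPLE.TEST
   3 05/24/18 09:10:02 kafka/broker1.example.test@EXAMPLE.TEST
   3 05/24/18 09:10:02 kafka/broker1.example.test@EXAMPLE.TEST
   2 05/23/18 08:56:43 zookeeper/zk1.example.test@EXAMPLE.TEST
   2 05/23/18 08:56:43 zookeeper/zk1.example.test@EXAMPLE.TEST
EOF
}

sample_klist_output | keytab_summary
```

Against a real keytab, pipe the listing in: `klist -k -t /var/lib/secret/kafka.key | keytab_summary`.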