我在 Ubuntu 18.04 机器上运行一个 Web 服务器(在本例中为 airflow),它需要访问域/AD 上的 SQL Server 数据库。
问:如何在 systemd 服务中使用 Kerberos 身份验证来访问域上的 MSSQL 数据库?
子问题:我如何才能自动续订门票?我费尽心思k5开始有一段时间没有成功,有没有标准化的方法来做到这一点?
从 shell 运行:
airflow@airflow:~$ kinit [email protected]
Password for [email protected]:
airflow@airflow:~$ klist -A
Ticket cache: KEYRING:persistent:478604841:478604841
Default principal: [email protected]
Valid starting Expires Service principal
11/08/2019 22:34:41 11/09/2019 08:34:41 krbtgt/[email protected]
renew until 11/09/2019 08:34:41
airflow@airflow:~$ airflow webserver
结果:webserver 通过 Kerberos 成功连接到 SQL Server
附注:如上所述运行 Web 服务器后,klist显示 SQL Server 的 SPN:
airflow@airflow:~$ klist
Ticket cache: KEYRING:persistent:478604841:478604841
Default principal: [email protected]
Valid starting Expires Service principal
11/08/2019 23:00:22 11/09/2019 09:00:18 MSSQLSvc/dbserver.example.com:[email protected]
renew until 11/15/2019 23:00:14
11/08/2019 23:00:18 11/09/2019 09:00:18 krbtgt/[email protected]
renew until 11/15/2019 23:00:14
然后启动服务
airflow@airflow:~$ kinit [email protected]
airflow@airflow:~$ sudo service airflow-webserver start
airflow@airflow:~$ journalctl -u airflow-webserver.service -xe
输出
Nov 08 18:12:11 airflow airflow[54723]: File "/home/EXAMPLE.COM/airflow/.pyenv/versions/3.7.4/lib/python3.7/site-packages/sqlalchemy/engine/default.py", line 481, in connect
Nov 08 18:12:11 airflow airflow[54723]: return self.dbapi.connect(*cargs, **cparams)
Nov 08 18:12:11 airflow airflow[54723]: sqlalchemy.exc.DBAPIError: (pyodbc.Error) ('HY000', '[HY000] [Microsoft][ODBC Driver 17 for SQL Server]SSPI Provider: No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_478604841) (851968) (SQLDriverConnect)')
Nov 08 18:12:11 airflow airflow[54723]: (Background on this error at: http://sqlalche.me/e/dbapi)
/etc/krb5.conf
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
ccache_type = 5
default_ccache_name = KEYRING:persistent:%{uid}
default_client_keytab_name = /home/%d/%u.keytab
[realms]
EXAMPLE.COM = {
kdc = exampledc1.example.com
kdc = exampledc2.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
/etc/systemd/system/airflow-webserver.service
[Unit]
Description=Airflow web server daemon
After=network.target
[Service]
EnvironmentFile=/etc/sysconfig/airflow
User=airflow
Group=airflow
Type=simple
ExecStart = /home/EXAMPLE.COM/airflow/.pyenv/versions/3.7.4/bin/airflow webserver
Restart=on-failure
RestartSec=5s
[Install]
WantedBy=multi-user.target
答案1
通常的做法是分离保持您的 Kerberos 票证刷新的服务,并在 MS SQL 服务中将KRB5CCNAME环境变量设置为其他服务保持刷新的凭据缓存的路径。
在 MS SQL 服务中:
# systemd service file
...
[Service]
Environment="KRB5CCNAME=FILE:/tmp/cache.tkt"
...
以下是“复习”服务:
[Unit]
Description=My Kerberos Ticket Service
Wants=network-online.target
After=network-online.target
[Service]
Type=simple
ExecStart=/usr/bin/k5start -U -f /path/to/keytab \
-k /tmp/cache.tkt -l 10h -K 30 \
-m 600 -o root -g root
# Restart on any failure after 5 seconds
Restart=on-failure
RestartSec=5s
您可能需要调整凭证缓存文件权限,以确保 MS SQL 服务可以读取该文件。当然,您需要有一个包含正确凭证的 keytab 文件。
答案2
在最近的 MIT Kerberos 版本中引入了客户端密钥表。GSS-API如果缺少凭据缓存,它们将用于获取凭据缓存。您只需找到默认位置:
krb5-config --defcktname
并使用以下命令创建密钥表kadmin:
ktadd -k <location> [email protected]