forked from docs/doc-exports
Yang, Tong
3b1f73dece
Reviewed-by: Hasko, Vladimir <vladimir.hasko@t-systems.com> Co-authored-by: Yang, Tong <yangtong2@huawei.com> Co-committed-by: Yang, Tong <yangtong2@huawei.com>
48 lines
8.6 KiB
HTML
48 lines
8.6 KiB
HTML
<a name="admin_guide_000248"></a><a name="admin_guide_000248"></a>
|
|
|
|
<h1 class="topictitle1">Logging In to a Non-Cluster Node Using a Cluster User in Normal Mode</h1>
|
|
<div id="body1529658735918"><div class="section" id="admin_guide_000248__s1f9cd0b79a0a47e1b6d986f5d4c617e1"><h4 class="sectiontitle">Scenario</h4><p id="admin_guide_000248__p1863003016310">When the cluster is installed in normal mode, the component clients do not support security authentication and cannot use the <strong id="admin_guide_000248__b163013014319">kinit</strong> command. Therefore, nodes outside the cluster cannot use users in the cluster by default. This may result in a user authentication failure when one of these nodes access a component server.</p>
|
|
<p id="admin_guide_000248__en-us_topic_0046736680_p9611044">The node administrator can configure a user who has the same name as that of a user for a node outside the cluster, allow the user to log in to the node using the SSH protocol, and connect to the servers of components in the cluster by using the user who logs in to the OS.</p>
|
|
</div>
|
|
<div class="section" id="admin_guide_000248__sbe7ee2c5d7dd43b7bf502cbb445b214d"><h4 class="sectiontitle">Prerequisites</h4><ul id="admin_guide_000248__en-us_topic_0046736680_ul27129916"><li id="admin_guide_000248__en-us_topic_0046736680_li42842654">Nodes outside the cluster can connect to the service plane of the cluster.</li><li id="admin_guide_000248__en-us_topic_0046736680_li50039568">The KrbServer service of the cluster is running properly.</li><li id="admin_guide_000248__en-us_topic_0046736680_li47702931">You have obtained the password of user <strong id="admin_guide_000248__b46401174143841">root</strong> of the node outside the cluster.</li><li id="admin_guide_000248__en-us_topic_0046736680_li26673201">A human-machine user has been planned and added to the cluster, and you have obtained the authentication credential file. For details, see <a href="admin_guide_000137.html">Creating a User</a> and <a href="admin_guide_000145.html">Exporting an Authentication Credential File</a>.</li></ul>
|
|
</div>
|
|
<div class="section" id="admin_guide_000248__section179746121318"><h4 class="sectiontitle">Procedure</h4><ol id="admin_guide_000248__en-us_topic_0046736680_ol50063735"><li id="admin_guide_000248__en-us_topic_0046736680_li47920438"><span>Log in to the node where a user is to be added as user <strong id="admin_guide_000248__b19520181214182">root</strong>.</span></li><li id="admin_guide_000248__en-us_topic_0046736680_li28630766"><span>Run the following command:</span><p><p id="admin_guide_000248__en-us_topic_0046736680_p56350302"><strong id="admin_guide_000248__en-us_topic_0046736680_b37390672">rpm -qa | grep pam</strong> and <strong id="admin_guide_000248__en-us_topic_0046736680_b971734">rpm -qa| grep krb5-client</strong></p>
|
|
<p id="admin_guide_000248__en-us_topic_0046736680_p8745607">The following RPM packages are displayed:</p>
|
|
<pre class="screen" id="admin_guide_000248__sf55fd799e64d40b59c53b5dcf2a87500">pam_krb5-32bit-2.3.1-47.12.1
|
|
pam-modules-32bit-11-1.22.1
|
|
yast2-pam-2.17.3-0.5.211
|
|
pam-32bit-1.1.5-0.10.17
|
|
pam_mount-32bit-0.47-13.16.1
|
|
pam-config-0.79-2.5.58
|
|
pam_krb5-2.3.1-47.12.1
|
|
pam-doc-1.1.5-0.10.17
|
|
pam-modules-11-1.22.1
|
|
pam_mount-0.47-13.16.1
|
|
pam_ldap-184-147.20
|
|
pam-1.1.5-0.10.17
|
|
krb5-client-1.6.3 </pre>
|
|
</p></li><li id="admin_guide_000248__en-us_topic_0046736680_li37305595"><span>Check whether the RPM packages in the list are installed in the OS.</span><p><ul id="admin_guide_000248__en-us_topic_0046736680_ul206039"><li id="admin_guide_000248__en-us_topic_0046736680_li1854355">If yes, go to <a href="#admin_guide_000248__en-us_topic_0046736680_conf_kerb">5</a>.</li><li id="admin_guide_000248__en-us_topic_0046736680_li15985080">If no, go to <a href="#admin_guide_000248__en-us_topic_0046736680_inst_kerb">4</a>.</li></ul>
|
|
</p></li><li id="admin_guide_000248__en-us_topic_0046736680_inst_kerb"><a name="admin_guide_000248__en-us_topic_0046736680_inst_kerb"></a><a name="en-us_topic_0046736680_inst_kerb"></a><span>Obtain the lacked RPM packages from the OS image, upload the files to the current directory, and run the following command to install the RPM package:</span><p><p id="admin_guide_000248__en-us_topic_0046736680_p43290077"><strong id="admin_guide_000248__en-us_topic_0046736680_b54066375">rpm -ivh *.rpm</strong></p>
|
|
<div class="note" id="admin_guide_000248__en-us_topic_0046736680_note16835328"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p class="text" id="admin_guide_000248__en-us_topic_0046736680_p17300225">The RPM packages to be installed may bring security risks. The risks that may be brought by the installation of these RPM packages must be taken into consideration during OS hardening.</p>
|
|
</div></div>
|
|
<p id="admin_guide_000248__en-us_topic_0046736680_p21484299">After the RPM packages are installed, go to <a href="#admin_guide_000248__en-us_topic_0046736680_conf_kerb">5</a>.</p>
|
|
</p></li><li id="admin_guide_000248__en-us_topic_0046736680_conf_kerb"><a name="admin_guide_000248__en-us_topic_0046736680_conf_kerb"></a><a name="en-us_topic_0046736680_conf_kerb"></a><span>Run the following command to configure Kerberos authentication on PAM:</span><p><p id="admin_guide_000248__en-us_topic_0046736680_p25689059"><strong id="admin_guide_000248__en-us_topic_0046736680_b29874939">pam-config --add --krb5</strong></p>
|
|
<div class="note" id="admin_guide_000248__en-us_topic_0046736680_note439002"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p class="text" id="admin_guide_000248__en-us_topic_0046736680_p3951024">If you need to cancel Kerberos authentication and system user login on a non-cluster node, run the <strong id="admin_guide_000248__b113320497231">pam-config --delete --krb5</strong> command as user <strong id="admin_guide_000248__b92551654172314">root</strong>.</p>
|
|
</div></div>
|
|
</p></li><li id="admin_guide_000248__en-us_topic_0046736680_li51597550"><span>Decompress the authentication credential file to obtain <strong id="admin_guide_000248__b1784814622418">krb5.conf</strong>, use WinSCP to upload this configuration file to the <strong id="admin_guide_000248__b74001816122417">/etc</strong> directory on the node outside the cluster, and run the following command to configure related permission to enable other users to access the file, such as permission <strong id="admin_guide_000248__b5608103014248">604</strong>:</span><p><p id="admin_guide_000248__en-us_topic_0046736680_p61724767"><strong id="admin_guide_000248__b19643477143931">chmod 604 /etc/krb5.conf</strong></p>
|
|
</p></li><li id="admin_guide_000248__li181251871557"><span>Run the following command in the connection session as user <strong id="admin_guide_000248__b27321703259">root</strong> to add the corresponding OS user to the human-machine user, and specify <strong id="admin_guide_000248__b1752151502512">root</strong> as the primary group.</span><p><p id="admin_guide_000248__p14313109151">The OS user password is the same as the initial password when the human-machine user is created on Manager.</p>
|
|
<p id="admin_guide_000248__en-us_topic_0046736680_p33650236"><strong id="admin_guide_000248__en-us_topic_0046736680_b34416674">useradd </strong><em id="admin_guide_000248__i948105622511">User name </em><strong id="admin_guide_000248__en-us_topic_0046736680_b36287209">-m -d /home/admin_test -g root -s /bin/bash</strong></p>
|
|
<p id="admin_guide_000248__en-us_topic_0046736680_p58149428">For example, if the name of the human-machine user is <strong id="admin_guide_000248__b115471122162619">admin_test</strong>, run the following command:</p>
|
|
<p id="admin_guide_000248__en-us_topic_0046736680_p53582808"><strong id="admin_guide_000248__en-us_topic_0046736680_b12483231">useradd admin_test -m -d /home/admin_test -g root -s /bin/bash</strong></p>
|
|
<div class="note" id="admin_guide_000248__en-us_topic_0046736680_note4508766"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p class="text" id="admin_guide_000248__en-us_topic_0046736680_p40578897">When you use the newly added OS user to log in to the node by using the SSH protocol for the first time, the system prompts that the password has expired after you enter the user password, and the system prompts that the password needs to be changed after you enter the user password again. You need to enter a new password that meets the password complexity requirements of both the node OS and the cluster.</p>
|
|
</div></div>
|
|
</p></li></ol>
|
|
</div>
|
|
</div>
|
|
<div>
|
|
<div class="familylinks">
|
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="admin_guide_000243.html">Account Security Settings</a></div>
|
|
</div>
|
|
</div>
|
|
|