[37730] in Kerberos
Re: Get Kerberized services information from Kerberos KDC
daemon@ATHENA.MIT.EDU (Todd Grayson)
Thu Oct  6 19:11:52 2016
In-Reply-To: <CAP9-bN7ZRgKYXcm3MpD1rXSBkWORie49wHfcY61XcTNJPm8paA@mail.gmail.com>
From: Todd Grayson <tgrayson@cloudera.com>
Date: Thu, 6 Oct 2016 17:11:10 -0600
Message-ID: <CALNT6MXA_QWk13TFEOwGXDBBNATZOn9PGuWepR_V1KSJ0DT75Q@mail.gmail.com>
To: chen dong <chendong.jy@gmail.com>
Cc: "kerberos@MIT.EDU" <kerberos@mit.edu>

So the principal names will be visible in the Kerberos KDC logging with a
format of service/host.fqdn.name@REALM

You can grep the significant principal name patterns you need (hdfs/*
yarn/* etc) out of that log and see your as_req and as_rep as
authentication events.

Oct 06 15:53:09 nightly58-1 krb5kdc[17178](info): AS_REQ (7 etypes {16 23 1 3 18 17 2}) 10.11.13.120: ISSUE: authtime 1475794389, etypes {rep=16 tkt=16 ses=16}, impala/c58-3.fun.example.com@FUN.EXAMPLE.COM for krbtgt/FUN.EXAMPLE.COM@FUN.EXAMPLE.COM

Inter-service will be visible for TGS_REQ type log events.  A Perl script
or grep/awk could give a pretty good summary of service to service
interactions being set up in the TGS_REQ events...

Oct 06 15:52:49 nightly58-1 krb5kdc[17178](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 10.11.13.118: ISSUE: authtime 1475757403, etypes {rep=16 tkt=16 ses=16}, hdfs/c58-1.fun.example.com@FUN.EXAMPLE.COM for HTTP/c58-2.fun.example.com@FUN.EXAMPLE.COM

On Thu, Oct 6, 2016 at 4:25 PM, chen dong <chendong.jy@gmail.com> wrote:
> Hi,
>
> Can I query Kerberos KDC database to know how many services have been
> Kerberized in KDC? How many service tickets have been given to clients? How
> many sessions have been built for clients?
>
> I am using Kerberos on Hadoop Security. It makes much easier to do it using
> a management system - Cloudera. After a few clicks which follow the
> instructions, it is done. But is it done? I am not sure and I need to prove
> it. I think the only way to make me confident about it has been done is
> Kerberos tells me. If I get this information from Kerberos, I will be happy
> to tell my boss. My job has finished.
>
> Anyone knows about this, much appreciate for this.
>
> Regards,
>
> Dong
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME
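
The TGS_REQ summary suggested in the message above, written in Python rather than Perl or grep/awk. This is an added example, not code from the original message; the name `summarize` and every sample line other than the two quoted in the message are constructed, and it assumes each log entry sits on one line in the format shown.

```python
import re
from collections import Counter

# Issued-ticket lines in the krb5kdc format quoted in the message above.
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) \(.*?\) (?P<addr>\S+): "
    r"ISSUE: authtime \d+, etypes \{[^}]*\}, (?P<client>\S+) for (?P<server>[^\s,]+)"
)

# First two lines are from the message; the rest are constructed in the same format.
SAMPLE = """\
Oct 06 15:53:09 nightly58-1 krb5kdc[17178](info): AS_REQ (7 etypes {16 23 1 3 18 17 2}) 10.11.13.120: ISSUE: authtime 1475794389, etypes {rep=16 tkt=16 ses=16}, impala/c58-3.fun.example.com@FUN.EXAMPLE.COM for krbtgt/FUN.EXAMPLE.COM@FUN.EXAMPLE.COM
Oct 06 15:52:49 nightly58-1 krb5kdc[17178](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 10.11.13.118: ISSUE: authtime 1475757403, etypes {rep=16 tkt=16 ses=16}, hdfs/c58-1.fun.example.com@FUN.EXAMPLE.COM for HTTP/c58-2.fun.example.com@FUN.EXAMPLE.COM
Oct 06 15:54:02 nightly58-1 krb5kdc[17178](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 10.11.13.118: ISSUE: authtime 1475757403, etypes {rep=16 tkt=16 ses=16}, hdfs/c58-1.fun.example.com@FUN.EXAMPLE.COM for HTTP/c58-2.fun.example.com@FUN.EXAMPLE.COM
Oct 06 15:54:10 nightly58-1 krb5kdc[17178](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 10.11.13.120: ISSUE: authtime 1475794389, etypes {rep=16 tkt=16 ses=16}, impala/c58-3.fun.example.com@FUN.EXAMPLE.COM for hdfs/c58-1.fun.example.com@FUN.EXAMPLE.COM
Oct 06 15:55:30 nightly58-1 krb5kdc[17178](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 10.11.13.118: ISSUE: authtime 1475757403, etypes {rep=16 tkt=16 ses=16}, hdfs/c58-1.fun.example.com@FUN.EXAMPLE.COM for krbtgt/FUN.EXAMPLE.COM@FUN.EXAMPLE.COM
Oct 06 15:50:00 nightly58-1 krb5kdc[17178](info): commencing operation
""".splitlines()


def summarize(lines):
    """Return (AS logins per principal, tickets per service, client->service pairs)."""
    logins, tickets, pairs = Counter(), Counter(), Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not an issued AS_REQ/TGS_REQ line
        client, server = m["client"], m["server"]
        if m["req"] == "AS_REQ":
            logins[client] += 1  # initial authentication (TGT issued)
        elif server.startswith("krbtgt/"):
            continue  # TGS_REQ for a TGT (renewal or cross-realm), not a service ticket
        else:
            tickets[server] += 1
            pairs[(client, server)] += 1
    return logins, tickets, pairs


if __name__ == "__main__":
    logins, tickets, pairs = summarize(SAMPLE)
    print("Principals that authenticated (AS_REQ):", dict(logins))
    print("Service tickets issued per service:", dict(tickets))
    for (client, server), n in pairs.most_common():
        print(f"{n:4d}  {client} -> {server}")
```

Pass an open log file object instead of `SAMPLE` to run it over a real KDC log.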