Re: Get Kerberized services information from Kerberos KDC

Thu, 06 Oct 2016 16:16:30 -0700 

So the principal names will be visible in the kerberos KDC logging with a
format of service/host.fqdn.name@REALM

You can grep the significant principal name patterns you need (hdfs/*
yarn/* etc) out of that log and see your as_req and as_rep as
authentication events.

Oct 06 15:53:09 nightly58-1 krb5kdc[17178](info): AS_REQ (7 etypes {16 23 1
3 18 17 2}) 10.11.13.120: ISSUE: authtime 1475794389, etypes {rep=16 tkt=16
ses=16}, impala/c58-3.fun.example....@fun.example.com for krbtgt/
fun.example....@fun.example.com

Inter service will be visible for TGS_REQ type log events.  A perl script
or grep/awk could give a pretty good summary of service to service
interactions being set up in the TGS_REQ events...

Oct 06 15:52:49 nightly58-1 krb5kdc[17178](info): TGS_REQ (6 etypes {18 17
16 23 1 3}) 10.11.13.118: ISSUE: authtime 1475757403, etypes {rep=16 tkt=16
ses=16}, hdfs/c58-1.fun.example....@fun.example.com for HTTP/
c58-2.fun.example....@fun.example.com



On Thu, Oct 6, 2016 at 4:25 PM, chen dong <chendong...@gmail.com> wrote:

> Hi ,
>
> Can I query Kerberos KDC database to know how many services have been
> Kerberized in KDC? How many service tickets have been given to clients? How
> many sessions are been built for clients?
>
> I am using Kerberos on Hadoop Security. It makes much easier to do it using
> a management system - Cloudera. After a few clicks which follow the
> instructions, it is done. But is it done? I am not sure and I need to prove
> it. I think the only way to make me confident about it has been done is
> Kerberos tells me. If I get this information from Kerberos, I will be happy
> to tell my boss. My job has finished.
>
> Anyone knows about this, much appreciate for this.
>
> Regards,
>
> Dong
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>



-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Reply via email to