Get Kerberized services information from Kerberos KDC

Todd Grayson tgrayson at cloudera.com
Thu Oct 6 19:11:10 EDT 2016


So the principal names will be visible in the Kerberos KDC logging with a
format of service/host.fqdn.name@REALM

You can grep the significant principal name patterns you need (hdfs/*
yarn/* etc) out of that log and see your as_req and as_rep as
authentication events.

Oct 06 15:53:09 nightly58-1 krb5kdc[17178](info): AS_REQ (7 etypes {16 23 1 3 18 17 2}) 10.11.13.120: ISSUE: authtime 1475794389, etypes {rep=16 tkt=16 ses=16}, impala/c58-3.fun.example.com@FUN.EXAMPLE.COM for krbtgt/FUN.EXAMPLE.COM@FUN.EXAMPLE.COM

Inter-service will be visible for TGS_REQ type log events. A perl script
or grep/awk could give a pretty good summary of service-to-service
interactions being set up in the TGS_REQ events...

Oct 06 15:52:49 nightly58-1 krb5kdc[17178](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 10.11.13.118: ISSUE: authtime 1475757403, etypes {rep=16 tkt=16 ses=16}, hdfs/c58-1.fun.example.com@FUN.EXAMPLE.COM for HTTP/c58-2.fun.example.com@FUN.EXAMPLE.COM



On Thu, Oct 6, 2016 at 4:25 PM, chen dong <chendong.jy at gmail.com> wrote:

> Hi ,
>
> Can I query the Kerberos KDC database to know how many services have been
> Kerberized in the KDC? How many service tickets have been given to clients? How
> many sessions have been built for clients?
>
> I am using Kerberos on Hadoop Security. It is much easier to do it using
> a management system - Cloudera. After a few clicks which follow the
> instructions, it is done. But is it done? I am not sure and I need to prove
> it. I think the only way to make me confident that it has been done is
> for Kerberos to tell me. If I get this information from Kerberos, I will be happy
> to tell my boss. My job has finished.
>
> If anyone knows about this, I would much appreciate it.
>
> Regards,
>
> Dong
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>



-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME
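
Added example (not part of the original message and not code from MIT Kerberos or Cloudera): one way to produce the grep/awk summary suggested in the reply, as a POSIX shell function wrapping awk. The function names and the sample log lines are constructed for illustration, and principals are written with the literal @ that krb5kdc logs.

```shell
#!/bin/sh
# Summarise issued tickets from krb5kdc log lines read on stdin.
# Output (sorted):  AS <count> <client>   or   TGS <count> <client> -> <service>
kdc_ticket_summary() {
    awk '
    # Count only ISSUE events; failed requests are not evidence of a working service.
    /krb5kdc/ && / ISSUE: / {
        kind = ""; client = ""; service = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "AS_REQ" || $i == "TGS_REQ") kind = $i
            # The event ends with: <client principal> for <service principal>
            if ($i == "for" && i > 1 && i < NF) { client = $(i - 1); service = $(i + 1) }
        }
        if (kind == "" || client == "") next
        sub(/,$/, "", service)
        if (kind == "AS_REQ") tgt[client]++        # principal obtained a TGT
        else svc[client " -> " service]++          # client obtained a service ticket
    }
    END {
        for (c in tgt) printf "AS %d %s\n", tgt[c], c
        for (p in svc) printf "TGS %d %s\n", svc[p], p
    }' | LC_ALL=C sort
}

# Constructed sample input: three issued service-to-service tickets, one issued
# TGT, and one failed AS_REQ that the summary must ignore.
sample_kdc_log() {
    cat <<'EOF'
Oct 06 15:53:09 kdc1 krb5kdc[17178](info): AS_REQ (7 etypes {16 23 1 3 18 17 2}) 10.11.13.120: ISSUE: authtime 1475794389, etypes {rep=16 tkt=16 ses=16}, impala/c58-3.fun.example.com@FUN.EXAMPLE.COM for krbtgt/FUN.EXAMPLE.COM@FUN.EXAMPLE.COM
Oct 06 15:53:20 kdc1 krb5kdc[17178](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 10.11.13.118: ISSUE: authtime 1475757403, etypes {rep=16 tkt=16 ses=16}, hdfs/c58-1.fun.example.com@FUN.EXAMPLE.COM for HTTP/c58-2.fun.example.com@FUN.EXAMPLE.COM
Oct 06 15:53:41 kdc1 krb5kdc[17178](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 10.11.13.118: ISSUE: authtime 1475757403, etypes {rep=16 tkt=16 ses=16}, hdfs/c58-1.fun.example.com@FUN.EXAMPLE.COM for HTTP/c58-2.fun.example.com@FUN.EXAMPLE.COM
Oct 06 15:54:02 kdc1 krb5kdc[17178](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 10.11.13.119: ISSUE: authtime 1475757500, etypes {rep=16 tkt=16 ses=16}, yarn/c58-2.fun.example.com@FUN.EXAMPLE.COM for hdfs/c58-1.fun.example.com@FUN.EXAMPLE.COM
Oct 06 15:54:30 kdc1 krb5kdc[17178](info): AS_REQ (4 etypes {18 17 16 23}) 10.11.13.200: CLIENT_NOT_FOUND: nosuchuser@FUN.EXAMPLE.COM for krbtgt/FUN.EXAMPLE.COM@FUN.EXAMPLE.COM, Client not found in Kerberos database
EOF
}

# Demo on the constructed lines; for a real KDC, feed the log file configured in kdc.conf.
sample_kdc_log | kdc_ticket_summary
```

Each AS line is a service principal that authenticated to the KDC, and each TGS line is a client/service pair for which a ticket was issued, which is the evidence the original question asks for.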

