Kerberos installation and high-availability (master/replica KDC) configuration

I. Environment

1. OS: Red Hat 7.4

2. CDH 5.15

3. All commands are run as root

4. Hosts:

	192.168.8.181 master1.com (master KDC)
	192.168.8.182 master2.com (standby/replica KDC)
	192.168.8.183 slave183.com (client)

5. References:

https://mp.weixin.qq.com/s/Xhl65FpAkG2mR4zMPdh8pA
https://mp.weixin.qq.com/s/7ZiSOgJIysn5zEv6eC7rVg

II. Installing and configuring the KDC on the master

1. Install the KDC packages on 181 and 182

yum -y install krb5-server krb5-libs krb5-workstation

2. On 183 (the client) install only the client packages

yum -y install krb5-workstation krb5-libs 

3. Edit the three configuration files on 181

(1) /var/kerberos/krb5kdc/kdc.conf

[root@master1 ~]# cat /var/kerberos/krb5kdc/kdc.conf 
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 MASTER.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
  max_renewable_life= 7d 0h 0m 0s
 }

Note that this supported_enctypes list still contains single DES (des-hmac-sha1, des-cbc-md5, des-cbc-crc) and RC4 (arcfour-hmac). Every principal created through kadmin from now on gets a key in each listed enctype, which is exactly what the ktadd output in section III shows. For a new realm keep only the AES types (aes256-cts:normal aes128-cts:normal) unless a specific client is known to need something else; DES keys are brute-forceable and RC4 keys are the unsalted NT hash of the password.

(2) /var/kerberos/krb5kdc/kadm5.acl

[root@master1 ~]# vi /var/kerberos/krb5kdc/kadm5.acl 
[root@master1 ~]# cat /var/kerberos/krb5kdc/kadm5.acl 
*/admin@MASTER.COM	*

This grants full administrative rights to every principal whose instance is "admin" (for example admin/admin@MASTER.COM, created in step 5).

(3) /etc/krb5.conf

[root@master1 ~]# vi /etc/krb5.conf
[root@master1 ~]# cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = MASTER.COM
 #default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 MASTER.COM = {
  kdc = master1.com
  admin_server = master1.com
}

[domain_realm]
 .master1.com = MASTER.COM
 master1.com = MASTER.COM

4. Create the Kerberos database

-s writes the database master key to the stash file /var/kerberos/krb5kdc/.k5.MASTER.COM so that the KDC can start without a password prompt; that file has to be protected like the database itself.

[root@master1 ~]# kdb5_util create -r MASTER.COM -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'MASTER.COM',
master key name 'K/M@MASTER.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: 
Re-enter KDC database master key to verify:

5. Create the Kerberos admin principal

The instance "admin" matches the */admin@MASTER.COM entry in kadm5.acl, which is what gives this principal administrative rights:

[root@master1 ~]# kadmin.local
Authenticating as principal root/admin@MASTER.COM with password.
kadmin.local:  addprinc admin/admin@MASTER.COM
WARNING: no policy specified for admin/admin@MASTER.COM; defaulting to no policy
Enter password for principal "admin/admin@MASTER.COM": 
Re-enter password for principal "admin/admin@MASTER.COM": 
Principal "admin/admin@MASTER.COM" created.
kadmin.local:  exit

6. Enable krb5kdc and kadmin at boot and start them

[root@master1 ~]#  systemctl enable krb5kdc
Created symlink from /etc/systemd/system/multi-user.target.wants/krb5kdc.service to /usr/lib/systemd/system/krb5kdc.service.
[root@master1 ~]# systemctl enable kadmin
Created symlink from /etc/systemd/system/multi-user.target.wants/kadmin.service to /usr/lib/systemd/system/kadmin.service.
[root@master1 ~]# systemctl start krb5kdc
[root@master1 ~]# systemctl start kadmin

7. Test the admin principal

[root@master1 ~]# kinit admin/admin@MASTER.COM
Password for admin/admin@MASTER.COM: 
[root@master1 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@MASTER.COM

Valid starting       Expires              Service principal
2019-01-18T14:10:11  2019-01-19T14:10:11  krbtgt/MASTER.COM@MASTER.COM

8. Install an extra package on 181 (openldap-clients is required on the Cloudera Manager Server host for its Kerberos integration)

yum -y install openldap-clients

9. Copy krb5.conf from 181 to 183

[root@master1 ~]# scp /etc/krb5.conf root@slave183.com:/etc/
The authenticity of host 'slave183.com (192.168.8.183)' can't be established.
ECDSA key fingerprint is SHA256:Jdb5Ro09SUtqVOcg5tbcXWjLQDSiTapSKKET8ov1Acc.
ECDSA key fingerprint is MD5:8f:bb:27:49:db:76:06:fe:24:d4:05:7c:bd:92:26:67.
Are you sure you want to continue connecting (yes/no)? yes 
Warning: Permanently added 'slave183.com' (ECDSA) to the list of known hosts.
root@slave183.com's password: 
krb5.conf                                                                     100%  562   262.2KB/s   00:00    

III. Enabling high availability with a standby KDC

1. On 181, edit /etc/krb5.conf and add the standby KDC under [realms]. Clients try the kdc entries in the order listed and fall over to master2.com when master1.com does not answer. The admin_server entry is only useful on a host that actually runs kadmind; in this setup that is master1 (the standby runs kadmin only during the failover test later in this section), so administrative changes always go to the master and reach the standby through propagation.
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = MASTER.COM
# default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 MASTER.COM = {
  kdc = master1.com
  admin_server = master1.com
  kdc = master2.com
  admin_server = master2.com
 }

[domain_realm]
 .master1.com = MASTER.COM
 master1.com = MASTER.COM

2. Sync the edited /etc/krb5.conf to every Kerberos client node in the cluster

[root@master1 ~]# scp /etc/krb5.conf root@slave183.com:/etc/
root@slave183.com's password: 
krb5.conf                                                                     100%  611   330.4KB/s   00:00  

3. Save the configuration, then restart krb5kdc and kadmin on 181

systemctl restart krb5kdc
systemctl restart kadmin

4. Create the principals used for master/standby propagation and write their keys to a keytab

kprop on the master authenticates to kpropd on the standby as host/master1.com, and kpropd verifies that authentication with the key of its own host principal host/master2.com. Both are created with random keys and added to /etc/krb5.keytab:

[root@master1 ~]#  kadmin.local
Authenticating as principal admin/admin@MASTER.COM with password.
kadmin.local:  addprinc -randkey host/master1.com
WARNING: no policy specified for host/master1.com@MASTER.COM; defaulting to no policy
Principal "host/master1.com@MASTER.COM" created.
kadmin.local:  addprinc -randkey host/master2.com
WARNING: no policy specified for host/master2.com@MASTER.COM; defaulting to no policy
Principal "host/master2.com@MASTER.COM" created.
kadmin.local:  ktadd host/master1.com
Entry for principal host/master1.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/master1.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/master1.com with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/master1.com with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/master1.com with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/master1.com with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/master1.com with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/master1.com with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.
kadmin.local:  ktadd host/master2.com
Entry for principal host/master2.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/master2.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/master2.com with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/master2.com with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/master2.com with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/master2.com with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/master2.com with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/master2.com with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.
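The ktadd output above shows what the supported_enctypes line in section II, step 3 produces in practice: each host principal now has des3, arcfour (RC4) and single-DES keys in /etc/krb5.keytab alongside the AES ones. The script below is an added example, not code from the original post or from MIT Kerberos. It audits a kdc.conf and a saved `klist -kte` listing for weak enctypes, prints a hardened supported_enctypes line that keeps only AES, and checks that a keytab is readable by root only. The sample kdc.conf and keytab listing it builds are constructed from the values shown on this page; the function names and the WEAK_RE prefix list are the example's own choices.

```shell
#!/usr/bin/env bash
# Enctype audit for an MIT Kerberos KDC (added example; not code from the
# original post). Flags weak enctypes in a kdc.conf supported_enctypes line
# and in a saved "klist -kte" listing, prints a hardened supported_enctypes
# line that keeps only AES, and checks that a keytab is root-only.

# Enctype name prefixes treated as weak:
#   des-*      single DES, 56-bit key, brute-forceable
#   arcfour-*  RC4-HMAC, key is the unsalted NT hash of the password
#   des3-*     triple DES, deprecated by RFC 8429
WEAK_RE='^(des-|des3-|arcfour-|rc4-)'

# Print the weak enctypes named on the supported_enctypes line, one per line,
# in file order ("enctype:salttype" tokens are reduced to the enctype).
weak_supported_enctypes() {
  awk -v re="$WEAK_RE" '
    /^[ \t]*supported_enctypes[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, "")              # drop "supported_enctypes ="
      n = split($0, tok, /[ \t]+/)
      for (i = 1; i <= n; i++) {
        split(tok[i], kv, ":")             # enctype:salttype
        if (kv[1] ~ re) print kv[1]
      }
    }' "$1"
}

# Print the kdc.conf with supported_enctypes reduced to its AES entries.
harden_supported_enctypes() {
  awk '
    /^[ \t]*supported_enctypes[ \t]*=/ {
      match($0, /^[^=]*=[ \t]*/)
      prefix = substr($0, 1, RLENGTH)
      n = split(substr($0, RLENGTH + 1), tok, /[ \t]+/)
      out = ""
      for (i = 1; i <= n; i++)
        if (tok[i] ~ /^aes/) out = out (out == "" ? "" : " ") tok[i]
      print prefix out
      next
    }
    { print }' "$1"
}

# Number of entries with a weak enctype in "klist -kte" output; each entry
# line ends in "(enctype)". Prints 0 for a clean keytab.
weak_keytab_entries() {
  grep -Ec '\((des-|des3-|arcfour-|rc4-)' "$1" || true
}

# A keytab must be readable by root only, i.e. mode string "-rw-------".
keytab_perms_ok() {
  [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Constructed sample kdc.conf using the supported_enctypes line from this page.
sample_kdc_conf() {
  local f; f=$(mktemp)
  cat > "$f" <<'EOF'
[realms]
 MASTER.COM = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
EOF
  echo "$f"
}

# Constructed "klist -kte /etc/krb5.keytab" listing matching the ktadd output above.
sample_klist() {
  local f; f=$(mktemp)
  cat > "$f" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/18/2019 14:50:01 host/master1.com@MASTER.COM (aes256-cts-hmac-sha1-96)
   2 01/18/2019 14:50:01 host/master1.com@MASTER.COM (aes128-cts-hmac-sha1-96)
   2 01/18/2019 14:50:01 host/master1.com@MASTER.COM (des3-cbc-sha1)
   2 01/18/2019 14:50:01 host/master1.com@MASTER.COM (arcfour-hmac)
   2 01/18/2019 14:50:01 host/master1.com@MASTER.COM (camellia256-cts-cmac)
   2 01/18/2019 14:50:01 host/master1.com@MASTER.COM (camellia128-cts-cmac)
   2 01/18/2019 14:50:01 host/master1.com@MASTER.COM (des-hmac-sha1)
   2 01/18/2019 14:50:01 host/master1.com@MASTER.COM (des-cbc-md5)
EOF
  echo "$f"
}
```

On a real KDC, source the file and run `weak_supported_enctypes /var/kerberos/krb5kdc/kdc.conf` and `klist -kte /etc/krb5.keytab > /tmp/kt.txt; weak_keytab_entries /tmp/kt.txt`. Tightening supported_enctypes only affects keys generated afterwards; principals that already have DES or RC4 keys keep them until they are rekeyed (change_password or ktadd again), so the keytab check is the one that tells you whether the cleanup is finished.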

5. Copy the following files to the corresponding directories on 182

Copy /etc/krb5.conf and /etc/krb5.keytab to /etc on the standby KDC.
Copy .k5.MASTER.COM, kadm5.acl and kdc.conf from /var/kerberos/krb5kdc to /var/kerberos/krb5kdc on the standby KDC.
.k5.MASTER.COM is the stash file holding the database master key: together with a copy of the database it yields every principal's key, so keep it mode 0600 and owned by root on both KDCs and do not leave spare copies in home directories or backups. The keytab now carries the host keys of both KDCs, so the two machines have to be protected to the same standard.
[root@master1 ~]# scp /etc/krb5.conf root@master2.com:/etc/
The authenticity of host 'master2.com (192.168.8.182)' can't be established.
ECDSA key fingerprint is SHA256:DMDXYXKebRxKaoL4NYWeas9WIMLoC+JtedQn2jy7334.
ECDSA key fingerprint is MD5:f6:00:37:3a:33:f1:d2:42:22:a4:92:98:f5:57:06:bb.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'master2.com,192.168.8.182' (ECDSA) to the list of known hosts.
root@master2.com's password: 
krb5.conf                                                                     100%  611   254.1KB/s   00:00 
[root@master1 ~]# scp /etc/krb5.keytab root@master2.com:/etc/
root@master2.com's password: 
krb5.keytab                                                                   100% 1170   757.8KB/s   00:00 
[root@master1 ~]# scp /var/kerberos/krb5kdc/.k5.MASTER.COM root@master2.com:/var/kerberos/krb5kdc/
root@master2.com's password: 
.k5.MASTER.COM                          100%   75    54.4KB/s   00:00    
[root@master1 ~]# scp /var/kerberos/krb5kdc/kadm5.acl root@master2.com:/var/kerberos/krb5kdc/
root@master2.com's password: 
kadm5.acl                                  100%   21    22.0KB/s   00:00    
[root@master1 ~]# scp /var/kerberos/krb5kdc/kdc.conf root@master2.com:/var/kerberos/krb5kdc/
root@master2.com's password: 
kdc.conf                     100%  483   440.6KB/s   00:00 

6. Switch to 182 (the commands that follow run on master2; the captured prompt still reads master1)

7. Declare the principals allowed to push a database to this standby in /var/kerberos/krb5kdc/kpropd.acl (create the file if it does not exist). kpropd accepts a dump only from a client that authenticates as one of these principals, so the list should contain nothing but the KDC host principals. Strictly only host/master1.com is needed here; host/master2.com is listed so the two roles can be swapped later without editing the file:

[root@master1 krb5kdc]# cat kpropd.acl 
host/master1.com@MASTER.COM
host/master2.com@MASTER.COM

8. Enable kprop at boot and start it (systemctl enable kprop; systemctl start kprop). kpropd listens on TCP port 754 (krb5_prop); restrict that port at the firewall so that only the master KDC can reach it. Then check that the service is running:

[root@master1 krb5kdc]# systemctl status kprop
● kprop.service - Kerberos 5 Propagation
   Loaded: loaded (/usr/lib/systemd/system/kprop.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2019-01-18 15:05:05 CST; 4s ago
  Process: 35171 ExecStart=/usr/sbin/_kpropd $KPROPD_ARGS (code=exited, status=0/SUCCESS)
 Main PID: 35172 (kpropd)
    Tasks: 1
   CGroup: /system.slice/kprop.service
           └─35172 /usr/sbin/kpropd

Jan 18 15:05:05 master2.com systemd[1]: Starting Kerberos 5 Propagation...
Jan 18 15:05:05 master2.com systemd[1]: Started Kerberos 5 Propagation.

9. Back on 181, continue

(1) Export the Kerberos database on the master with kdb5_util. The dump contains every principal's keys encrypted under the master key, whose stash file sits in the same directory, so leave it in /var/kerberos/krb5kdc with the 0600 permissions shown below and never on a shared or world-readable path:
[root@master1 ~]# kdb5_util dump /var/kerberos/krb5kdc/master.dump
[root@master1 ~]# cd /var/kerberos/krb5kdc/
[root@master1 krb5kdc]# ll
total 48
-rw------- 1 root root    21 Jan 18 11:20 kadm5.acl
-rw------- 1 root root   483 Jan 18 11:44 kdc.conf
-rw------- 1 root root  8980 Jan 18 15:06 master.dump
-rw------- 1 root root     1 Jan 18 15:06 master.dump.dump_ok
-rw------- 1 root root 16384 Jan 18 14:45 principal
-rw------- 1 root root  8192 Jan 18 11:52 principal.kadm5
-rw------- 1 root root     0 Jan 18 11:52 principal.kadm5.lock
-rw------- 1 root root     0 Jan 18 14:45 principal.ok

(2) On the master, push master.dump to the standby with kprop (-d prints transfer details; -P 754 is the default kprop port and can be omitted)

[root@master1 krb5kdc]# kprop -f /var/kerberos/krb5kdc/master.dump -d -P 754 master2.com
8980 bytes sent.
Database propagation to master2.com: SUCCEEDED

(3) Check /var/kerberos/krb5kdc on the standby (182): kpropd saves the received dump as from_master and loads it into the principal database

[root@master1 krb5kdc]# cd /var/kerberos/krb5kdc/
[root@master1 krb5kdc]# ll
total 48
-rw------- 1 root root  8980 Jan 18 15:09 from_master
-rw------- 1 root root    21 Jan 18 14:53 kadm5.acl
-rw------- 1 root root   483 Jan 18 14:57 kdc.conf
-rw-r--r-- 1 root root    56 Jan 18 15:03 kpropd.acl
-rw------- 1 root root 16384 Jan 18 15:09 principal
-rw------- 1 root root  8192 Jan 18 15:09 principal.kadm5
-rw------- 1 root root     0 Jan 18 15:09 principal.kadm5.lock
-rw------- 1 root root     0 Jan 18 15:09 principal.ok

(4) On 182, verify that the propagated database can serve a KDC

First stop kprop, back up and remove kpropd.acl, then start krb5kdc and kadmin:
[root@master1 krb5kdc]# systemctl stop kprop
[root@master1 krb5kdc]# mv kpropd.acl kpropd.acl.bak
[root@master1 krb5kdc]# systemctl start krb5kdc
[root@master1 krb5kdc]# systemctl start kadmin
Edit /etc/krb5.conf on the standby so that kdc and admin_server point to the standby itself, then check that kinit works:
[realms]
 MASTER.COM = {
#  kdc = master1.com
#  admin_server = master1.com
  kdc = master2.com
  admin_server = master2.com
 }
[root@master1 krb5kdc]# kinit admin/admin@MASTER.COM
Password for admin/admin@MASTER.COM: 
[root@master1 krb5kdc]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@MASTER.COM

Valid starting       Expires              Service principal
2019-01-18T15:24:56  2019-01-19T15:24:56  krbtgt/[email protected]
	renew until 2019-01-25T15:24:56
After the test, restore /etc/krb5.conf and kpropd.acl, stop krb5kdc and kadmin, and start kprop again. Be clear about what this leaves you with: kpropd keeps the standby's database current, but the standby answers no AS/TGS requests until krb5kdc is started on it, so failover is a manual step. krb5kdc can be left running on the standby permanently (kpropd hands each received dump to kdb5_util load, which builds the new database in a temporary file and only then replaces the old one), and that is what makes the second kdc entry in krb5.conf an automatic fallback. kadmin must stay stopped there in normal operation: the master's database is the only authoritative one, and any change made on the standby is silently overwritten by the next propagation.
[root@master1 krb5kdc]# systemctl stop krb5kdc
[root@master1 krb5kdc]#  systemctl stop kadmin
[root@master1 krb5kdc]# mv kpropd.acl.bak kpropd.acl
[root@master1 krb5kdc]# vi /etc/krb5.conf
[root@master1 krb5kdc]# systemctl start kprop

(5) Create the script that 181 runs from cron to sync the database

[root@master1 krb5kdc]# cat kprop_sync.sh 
#!/bin/bash
# Dump the master KDC database and push it to the standby with kprop.
# cron runs this as root, so sudo is neither needed nor wanted (cron has no
# terminal for sudo to prompt on); set -e aborts on a failed dump so that a
# broken dump file is never propagated.
set -eu
DUMP=/var/kerberos/krb5kdc/master.dump
PORT=754
SLAVE="master2.com"
echo "Start at $(date)"
kdb5_util dump "$DUMP"
kprop -f "$DUMP" -d -P "$PORT" "$SLAVE"
echo "Finished at $(date)"
[root@master1 krb5kdc]# chmod 700 /var/kerberos/krb5kdc/kprop_sync.sh
[root@master1 krb5kdc]# sh /var/kerberos/krb5kdc/kprop_sync.sh 
Start at Fri Jan 18 15:41:47 CST 2019
8980 bytes sent.
Database propagation to master2.com: SUCCEEDED

(6) Install the crontab entry

[root@master1 krb5kdc]# crontab -e
0 * * * * /var/kerberos/krb5kdc/kprop_sync.sh >/var/kerberos/krb5kdc/lastupdate 2>&1
crontab: installing new crontab

The entry has no user field: that field exists only in /etc/crontab and /etc/cron.d, and in a per-user crontab it would be read as the start of the command, so the job would never run. 2>&1 keeps kprop's error output in lastupdate, which is the only place a failed run shows up. With an hourly schedule, principals created or rekeyed on the master (including service keytabs regenerated by Cloudera Manager) are unknown to the standby for up to an hour. Save and exit, then start crond and enable it at boot:

[root@master1 krb5kdc]#  systemctl enable crond
[root@master1 krb5kdc]#  systemctl start crond
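The cron job only records whether the last transfer reported SUCCEEDED; it says nothing about whether the standby's database actually matches the master's, which is what matters when master1 goes down. The script below is an added example, not code from the original post or from MIT Kerberos. It compares the principal lists of two `kdb5_util dump` files, one taken on the master and one on the standby, and reports the principals the standby lacks. The sample dumps it builds are constructed: only the record type and principal-name fields are realistic, the numeric fields are placeholders, hdfs/slave183.com is a hypothetical service principal, and the /tmp paths in the usage comment are assumptions.

```shell
#!/usr/bin/env bash
# Replica consistency check for kprop-based propagation (added example; not
# code from the original post). Compares the principal lists of two
# "kdb5_util dump" files, master vs. standby, and reports what the standby lacks.

# Principal names from a dump: "princ" records are tab-separated and carry the
# principal name in the 7th field; the header line and policy records are skipped.
dump_principals() {
  awk -F'\t' '$1 == "princ" { print $7 }' "$1" | LC_ALL=C sort -u
}

# Principals present in the master dump ($1) but missing from the standby dump ($2).
missing_on_replica() {
  local m r
  m=$(mktemp) && r=$(mktemp)
  dump_principals "$1" > "$m"
  dump_principals "$2" > "$r"
  LC_ALL=C comm -23 "$m" "$r"
  rm -f "$m" "$r"
}

# Succeeds (exit 0) only when nothing is missing on the standby.
replica_in_sync() {
  [ -z "$(missing_on_replica "$1" "$2")" ]
}

# Write a constructed dump file to $1 for the principal names given as the
# remaining arguments. Only the record type and name fields are realistic; the
# numeric fields are placeholders and no key material is included.
sample_dump() {
  local out=$1; shift
  {
    echo 'kdb5_util load_dump version 6'
    for p in "$@"; do
      printf 'princ\t38\t%d\t0\t0\t0\t%s\t0\t86400\t604800\t0\t0\t0\t0\t0\n' "${#p}" "$p"
    done
  } > "$out"
}

# Usage on the real KDCs (paths are assumptions):
#   master:  kdb5_util dump /tmp/master.dump
#   standby: kdb5_util dump /tmp/replica.dump   (then copy it to the master)
#   master:  missing_on_replica /tmp/master.dump /tmp/replica.dump
```

Run this right after a propagation and the output should be empty; a non-empty list after the cron job reported success means the standby loaded an older dump or the load failed, which kprop's exit status alone will not tell you. Both dump files contain every key in the realm (encrypted under the master key), so delete them once the comparison is done.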
