Kerberos primary/secondary KDC installation

Hadoop security is built on Kerberos; this walkthrough sets up a KDC and makes it highly available with a secondary KDC.


Operating system: Ubuntu 12.04


Kerberos Server
#####################	Naming conventions	#######################################
    Realm: BJPUC1.COM		--> uppercase is recommended

    Primary KDC: nn1.bjpuc1.com	--> use the host name rather than the IP; 192.168.88.16

    Secondary KDC: nn2.bjpuc1.com	--> 192.168.88.17

    User principal: bjpuc1

    Admin principal: bjpuc1/admin

    NTP time server		--> clocks on all hosts must be synchronized
#####################	Naming conventions	#######################################

Primary KDC

    apt-get install krb5-kdc krb5-admin-server
    krb5_newrealm    
    dpkg-reconfigure krb5-kdc
    cat /etc/krb5.conf    ### this file is identical on every machine that uses Kerberos
        [logging]
                default = FILE:/var/log/krb5libs.log
                kdc = FILE:/var/log/krb5kdc.log
                admin_server = FILE:/var/log/kadmind.log
        [libdefaults]
                default_realm = BJPUC1.COM
                dns_lookup_realm = false
                dns_lookup_kdc = false
                ticket_lifetime = 24h
                renew_lifetime = 2d
                forwardable = true
                renewable = true
        [realms]
                BJPUC1.COM = {
                        kdc = nn1.bjpuc1.com
                        kdc = nn2.bjpuc1.com
                        admin_server = nn1.bjpuc1.com
                }
        [domain_realm]
        
        [kdc]
                profile=/etc/krb5kdc/kdc.conf
    kadmin.local
        Authenticating as principal root/admin@BJPUC1.COM with password.
        kadmin.local: addprinc bjpuc1/admin
        WARNING: no policy specified for bjpuc1/admin@BJPUC1.COM; defaulting to no policy
        Enter password for principal "bjpuc1/admin@BJPUC1.COM": 
        Re-enter password for principal "bjpuc1/admin@BJPUC1.COM": 
        Principal "bjpuc1/admin@BJPUC1.COM" created.
        kadmin.local: quit
    cat /etc/krb5kdc/kadm5.acl
        bjpuc1/admin@BJPUC1.COM        *
    /etc/init.d/krb5-admin-server restart
    kinit bjpuc1/admin
        bjpuc1/admin@BJPUC1.COM's Password:
    cat /etc/hosts        ## or resolve the KDC names through DNS instead; the file holds IP-to-name mappings, not principals
        192.168.88.16   nn1.bjpuc1.com
        192.168.88.17   nn2.bjpuc1.com
    kadmin -q "addprinc -randkey host/nn1.bjpuc1.com"
    kadmin -q "ktadd -norandkey -k /etc/krb5.keytab host/nn1.bjpuc1.com"
    klist -k /etc/krb5.keytab
    ## run the next two commands only after kpropd is listening on the secondary KDC (see the Secondary KDC section);
    ## kprop needs an existing dump file, and the realm name is case-sensitive (BJPUC1.COM, not bjpuc1.com)
    kdb5_util dump /var/lib/krb5kdc/dump
    kprop -r BJPUC1.COM -f /var/lib/krb5kdc/dump nn2.bjpuc1.com
    vi /etc/crontab        ## the system crontab needs the user field (root) between the schedule and the command
        0 * * * * root /usr/sbin/kdb5_util dump /var/lib/krb5kdc/dump && /usr/sbin/kprop -r BJPUC1.COM -f /var/lib/krb5kdc/dump nn2.bjpuc1.com

Secondary KDC

    apt-get install krb5-kdc krb5-admin-server
    ## copy /etc/krb5.conf from the primary KDC first so kadmin can reach admin_server
    kadmin -q "addprinc -randkey host/nn2.bjpuc1.com"
    kadmin -q "ktadd -norandkey -k /etc/krb5.keytab host/nn2.bjpuc1.com"
    vi /etc/krb5kdc/kpropd.acl        ## host principals allowed to push a database to this KDC
        host/nn1.bjpuc1.com@BJPUC1.COM
        host/nn2.bjpuc1.com@BJPUC1.COM
    kdb5_util -s create        ## creates an empty database and the stash file; the kprop from the primary overwrites the database
    kpropd -S        ## standalone mode: listens for kprop from the primary; now run the dump and kprop step on the primary
    kdb5_util stash
    /etc/init.d/krb5-kdc start
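The hourly cron line in the Primary KDC section pushes the database to a single replica and records nothing when kprop fails, so a silent failure leaves the secondary serving stale keys. The script below is an added example, not part of the original post: it dumps the database once, propagates it to every replica listed in REPLICAS and logs each result; it assumes MIT krb5 on Ubuntu (/usr/sbin/kdb5_util and /usr/sbin/kprop), the realm and hosts from this page, and that kpropd is already running on each replica.

```shell
#!/bin/sh
# Added example (not from the original post): push the primary KDC's database
# to every replica and log the outcome per host. Defaults are the values from
# this page; KDB5_UTIL/KPROP can be pointed at other commands for testing.
REALM="${REALM:-BJPUC1.COM}"
DUMP="${DUMP:-/var/lib/krb5kdc/dump}"
REPLICAS="${REPLICAS:-nn2.bjpuc1.com}"          # space-separated replica KDCs
KDB5_UTIL="${KDB5_UTIL:-/usr/sbin/kdb5_util}"
KPROP="${KPROP:-/usr/sbin/kprop}"
LOG="${LOG:-/var/log/kprop-sync.log}"

log() { printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG"; }

# Dump the database, then kprop it to each replica.
# Returns 255 if the dump fails, otherwise the number of replicas that failed.
propagate_kdb() {
    umask 077    # the dump contains every principal's keys: keep it root-only
    if ! "$KDB5_UTIL" dump "$DUMP"; then
        log "ERROR kdb5_util dump to $DUMP failed"
        return 255
    fi
    failed=0
    for host in $REPLICAS; do
        if "$KPROP" -r "$REALM" -f "$DUMP" "$host"; then
            log "OK   propagated to $host"
        else
            log "FAIL propagation to $host (is kpropd running there?)"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Run the sync only when invoked as "kprop-sync run"; sourcing defines the functions only.
case "${1:-}" in
    run) propagate_kdb ;;
esac
```

Install it as /usr/local/sbin/kprop-sync and replace the cron one-liner with `0 * * * * root /usr/local/sbin/kprop-sync run`; a non-zero exit plus the FAIL lines in the log make a dead replica visible instead of silent.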

Kerberos Linux Client

    apt-get install krb5-user libpam-krb5 libpam-ccreds auth-client-config    ## then copy the shared /etc/krb5.conf from the primary KDC

