Setting up a Kerberos master/slave KDC pair

A CDH cluster needs Kerberos authentication enabled, but a single KDC is a single point of failure, so a master/backup pair has to be built. There are plenty of documents about this online, but following them along basically always ends in failure: most of them only describe the concrete setup steps and say nothing about the prerequisites, which is what causes the failures. So I wrote my own as a record.
Host environment: 192.168.157.20 master.posinda.com --> master KDC
192.168.157.30 slave.posinda.com --> slave KDC
kadmin is installed on the same node as the master KDC
Host requirements:
Disable the firewall (or, better, open only what Kerberos needs: 88/tcp and 88/udp for the KDC, 749/tcp for kadmin, and 754/tcp from the master to each slave for kprop), disable SELinux, synchronize the clocks of all hosts (Kerberos rejects tickets when clocks differ by more than the allowed skew, 5 minutes by default), install the Oracle JDK, and download the JCE unlimited-strength policy files into $JAVA_HOME/jre/lib/security (required for AES-256 on Oracle JDK 8 before 8u161). Get this preparation right first, otherwise you will chase all kinds of strange errors later.
Installing Kerberos on the master:

    yum install krb5-server krb5-libs krb5-workstation openldap-clients -y

/etc/krb5.conf, the client configuration file (also read by the KDC and kadmin)
Note: when configuring these files do not just copy and paste, or the services will fail to start, mainly because the format is wrong. Once I copied the file below directly and the log files never appeared; after a long time I found that the [logging] tag was not at the start of the line... so do not copy directly.

 # Configuration snippets may be placed in this directory as well
 includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = POSINDA.COM
 renewable = true

[realms]
POSINDA.COM = {
  kdc = master.posinda.com
  kdc = slave.posinda.com
  admin_server = master.posinda.com
  default_domain = posinda.com
 }

[domain_realm]
.posinda.com=POSINDA.COM
posinda.com=POSINDA.COM

vi /var/kerberos/krb5kdc/kdc.conf

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
POSINDA.COM = {
master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
max_life = 1d
max_renewable_life = 7d
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal
 }

vi /var/kerberos/krb5kdc/kadm5.acl

*/admin@POSINDA.COM     *

(Every principal whose instance is admin gets all rights; a line without the leading * matches nothing and kadmin will refuse every operation. The supported_enctypes list above is the default key set for new principals; the des-*, des3-* and arcfour-hmac entries are deprecated types and should only be kept for as long as a legacy client actually needs them.)
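As an added example (not part of the original post), here is a small sh lint for the three files above. It catches the kind of copy-paste damage the warning above is about (bytes that look like spaces or brackets but are not ASCII), weak enctypes left in kdc.conf, a kadm5.acl without the */admin rule, and a default_realm with no stanza in kdc.conf. It assumes the paths and realm used in this write-up and needs only sh, grep, sed and sort.

```shell
#!/bin/sh
# Lint for /etc/krb5.conf, kdc.conf and kadm5.acl, to run before starting krb5kdc.
# Added example for this write-up, not the original author's code; it assumes the
# file layout and realm used above.

# 1) Bytes outside printable ASCII. Pasting from a web page often brings in
#    non-breaking or ideographic spaces and full-width brackets that look right
#    but are not whitespace or '[' to the profile parser, so the file fails to
#    parse. Prints the offending lines with numbers; returns 1 if any were found.
check_ascii() {
    if LC_ALL=C grep -n '[^[:print:][:space:]]' "$1"; then
        echo "$1: non-ASCII bytes on the lines above"
        return 1
    fi
    return 0
}

# 2) DES, 3DES and RC4 (arcfour-hmac) are deprecated key types; listing them in
#    supported_enctypes gives every new principal keys of those types.
#    Returns 1 and names them if kdc.conf still lists any.
check_enctypes() {
    weak=$(grep -E '^[[:space:]]*supported_enctypes' "$1" \
        | grep -oE '(des-[a-z0-9-]+|des3-[a-z0-9-]+|arcfour-hmac[a-z0-9-]*)' | sort -u)
    if [ -n "$weak" ]; then
        echo "$1: weak enctypes still enabled:" $weak
        return 1
    fi
    return 0
}

# 3) kadm5.acl needs the '*/admin@REALM  *' rule, or kadmin (the network
#    service) refuses every administrative operation.
check_acl() {
    grep -qE '^\*/admin@[A-Z0-9.-]+[[:space:]]+\*' "$1"
}

# 4) default_realm in krb5.conf must have a matching stanza in kdc.conf.
check_realm() {
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    [ -n "$realm" ] && grep -qE "^[[:space:]]*$realm[[:space:]]*=[[:space:]]*\{" "$2"
}

# Run every check; the return value is the number of checks that failed.
lint_all() {
    krb5conf=$1; kdcconf=$2; acl=$3
    n=0
    check_ascii "$krb5conf" || n=$((n + 1))
    check_ascii "$kdcconf" || n=$((n + 1))
    check_enctypes "$kdcconf" || n=$((n + 1))
    check_acl "$acl" || { echo "$acl: missing '*/admin@REALM *' rule"; n=$((n + 1)); }
    check_realm "$krb5conf" "$kdcconf" \
        || { echo "default_realm of $krb5conf has no [realms] stanza in $kdcconf"; n=$((n + 1)); }
    return "$n"
}

# On the KDC host:
#   lint_all /etc/krb5.conf /var/kerberos/krb5kdc/kdc.conf /var/kerberos/krb5kdc/kadm5.acl
```

A non-zero return from lint_all is the number of failed checks, so it can be used directly as an exit status in a deployment script.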

With the edits done, create the database (-s also writes the master key to the stash file /var/kerberos/krb5kdc/.k5.POSINDA.COM so the KDC can start without prompting):

kdb5_util create -r POSINDA.COM -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'POSINDA.COM',
master key name 'K/M@POSINDA.COM'
You will be prompted for the database Master Password. 
It is important that you NOT FORGET this password.
Enter KDC database master key: 
Re-enter KDC database master key to verify:

The master password entered here was POSINDA.COM. That is a lab value: this key encrypts every principal key in the database and is stored in the stash file protected only by file permissions, so use a strong, unique passphrase in any real deployment.

Add an administrative principal (it matches the */admin rule in kadm5.acl):

kadmin.local
Authenticating as principal root/admin@POSINDA.COM with password.
kadmin.local:  addprinc admin/admin@POSINDA.COM 
WARNING: no policy specified for admin/admin@POSINDA.COM; defaulting to no policy
Enter password for principal "admin/admin@POSINDA.COM":  [enter password]
Re-enter password for principal "admin/admin@POSINDA.COM":  [enter password]
Principal "admin/admin@POSINDA.COM" created.
kadmin.local: q

Start and enable the KDC and kadmin services

systemctl start krb5kdc.service
systemctl start kadmin.service
systemctl enable krb5kdc.service
systemctl enable kadmin.service

Verify the services by obtaining a ticket, then add the host/master.posinda.com and host/slave.posinda.com principals with random keys and write them to a keytab. Both are needed later: kprop on the master authenticates as host/master.posinda.com, and kpropd on the slave accepts it using the host/slave.posinda.com key.

[root@master krb5kdc]# kinit admin/admin
Password for admin/admin@POSINDA.COM:
[root@master krb5kdc]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@POSINDA.COM

Valid starting       Expires              Service principal
12/06/2018 17:04:25  12/07/2018 17:04:24  krbtgt/POSINDA.COM@POSINDA.COM
    renew until 12/13/2018 17:04:24
kadmin.local
addprinc -randkey host/master.posinda.com
addprinc -randkey host/slave.posinda.com
ktadd host/master.posinda.com
ktadd host/slave.posinda.com
ktadd kiprop/master.posinda.com

The generated keytab is /etc/krb5.keytab; list its keys. Note that kiprop/master.posinda.com was never created above: kdb5_util create makes it automatically, and its key is only used by incremental propagation (iprop), which this write-up does not configure, so that last ktadd is optional.

[root@master krb5kdc]# klist -ket /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
5 12/05/2018 16:00:00 host/master.posinda.com@POSINDA.COM (aes256-cts-hmac-sha1-96)
5 12/05/2018 16:00:00 host/master.posinda.com@POSINDA.COM (aes128-cts-hmac-sha1-96)
5 12/05/2018 16:00:00 host/master.posinda.com@POSINDA.COM (des3-cbc-sha1)
5 12/05/2018 16:00:00 host/master.posinda.com@POSINDA.COM (arcfour-hmac)
5 12/05/2018 16:00:00 host/master.posinda.com@POSINDA.COM (camellia256-cts-cmac)
5 12/05/2018 16:00:00 host/master.posinda.com@POSINDA.COM (camellia128-cts-cmac)
5 12/05/2018 16:00:00 host/master.posinda.com@POSINDA.COM (des-hmac-sha1)
5 12/05/2018 16:00:00 host/master.posinda.com@POSINDA.COM (des-cbc-md5)
5 12/05/2018 16:00:12 host/slave.posinda.com@POSINDA.COM (aes256-cts-hmac-sha1-96)
5 12/05/2018 16:00:12 host/slave.posinda.com@POSINDA.COM (aes128-cts-hmac-sha1-96)
5 12/05/2018 16:00:12 host/slave.posinda.com@POSINDA.COM (des3-cbc-sha1)
5 12/05/2018 16:00:12 host/slave.posinda.com@POSINDA.COM (arcfour-hmac)
5 12/05/2018 16:00:12 host/slave.posinda.com@POSINDA.COM (camellia256-cts-cmac)
5 12/05/2018 16:00:12 host/slave.posinda.com@POSINDA.COM (camellia128-cts-cmac)
5 12/05/2018 16:00:12 host/slave.posinda.com@POSINDA.COM (des-hmac-sha1)
5 12/05/2018 16:00:12 host/slave.posinda.com@POSINDA.COM (des-cbc-md5)
4 12/05/2018 16:00:26 kiprop/master.posinda.com@POSINDA.COM (aes256-cts-hmac-sha1-96)
4 12/05/2018 16:00:26 kiprop/master.posinda.com@POSINDA.COM (aes128-cts-hmac-sha1-96)
4 12/05/2018 16:00:26 kiprop/master.posinda.com@POSINDA.COM (des3-cbc-sha1)
4 12/05/2018 16:00:26 kiprop/master.posinda.com@POSINDA.COM (arcfour-hmac)
4 12/05/2018 16:00:26 kiprop/master.posinda.com@POSINDA.COM (camellia256-cts-cmac)
4 12/05/2018 16:00:26 kiprop/master.posinda.com@POSINDA.COM (camellia128-cts-cmac)
4 12/05/2018 16:00:26 kiprop/master.posinda.com@POSINDA.COM (des-hmac-sha1)
4 12/05/2018 16:00:26 kiprop/master.posinda.com@POSINDA.COM (des-cbc-md5)
[root@master krb5kdc]#

Installing Kerberos on the slave node:

    yum install krb5-server krb5-libs krb5-workstation openldap-clients -y

Copy the following files from master.posinda.com to slave.posinda.com, over an authenticated channel such as scp and keeping them root-owned with mode 600. The keytab holds the host keys and the stash file holds the master key that protects every principal key in the database, so neither should pass through a shared directory:

/etc/krb5.keytab
/etc/krb5.conf
/var/kerberos/krb5kdc/kadm5.acl
/var/kerberos/krb5kdc/kdc.conf
/var/kerberos/krb5kdc/.k5.POSINDA.COM

On the slave, first create kpropd.acl, which lists the principals allowed to push a database to this host. kprop on the master authenticates as host/master.posinda.com, so that entry is mandatory; listing host/slave.posinda.com as well keeps the file identical on both nodes, which helps if the roles are ever swapped.

vim /var/kerberos/krb5kdc/kpropd.acl and add:
host/master.posinda.com@POSINDA.COM
host/slave.posinda.com@POSINDA.COM

Then start kpropd on slave.posinda.com in standalone mode (-S makes it listen on 754/tcp itself instead of being spawned by inetd):

kpropd -S

On a systemd host the persistent equivalent is:

systemctl start kprop.service
systemctl enable kprop.service
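Added example, not from the original post: a pre-flight check to run on the slave before the first kprop. It checks a saved `klist -ket` listing of /etc/krb5.keytab for both host principals, the kpropd.acl above for the master's host principal, and the presence of the copied stash file. The realm and hostnames are the ones used in this write-up; the listing is read from a file so the same functions work on a live slave and offline.

```shell
#!/bin/sh
# Pre-flight check for the slave KDC, to run before the first kprop.
# Added example for this write-up, not the original author's code. It assumes the
# realm and hostnames used above. The keytab is checked through a saved
# `klist -ket` listing so the same functions work on a live slave and offline.

REALM=POSINDA.COM
MASTER=master.posinda.com
SLAVE=slave.posinda.com

# Distinct principals in a `klist -ket` listing: data lines start with a KVNO,
# and the principal is the 4th field after KVNO, date and time.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $4 }' "$1" | sort -u
}

# 0 if the listing contains exactly this principal, 1 otherwise.
keytab_has() {
    keytab_principals "$1" | grep -qxF "$2"
}

# 0 if kpropd.acl has the principal on a line of its own, 1 otherwise.
acl_allows() {
    grep -qxF "$2" "$1"
}

# Check what kprop/kpropd and krb5kdc will need; prints one line per problem
# and returns the number of problems.
preflight() {
    listing=$1; acl=$2; stash=$3
    problems=0
    # kprop authenticates as host/<master>; kpropd needs host/<slave> to accept it
    for p in "host/$MASTER@$REALM" "host/$SLAVE@$REALM"; do
        if ! keytab_has "$listing" "$p"; then
            echo "keytab: missing $p"
            problems=$((problems + 1))
        fi
    done
    if ! acl_allows "$acl" "host/$MASTER@$REALM"; then
        echo "$acl: does not list host/$MASTER@$REALM"
        problems=$((problems + 1))
    fi
    # krb5kdc on the slave reads the master key from the stash copied from the master
    if [ ! -s "$stash" ]; then
        echo "stash $stash missing or empty"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# On the slave:
#   klist -ket /etc/krb5.keytab > /tmp/keytab.lst
#   preflight /tmp/keytab.lst /var/kerberos/krb5kdc/kpropd.acl /var/kerberos/krb5kdc/.k5.POSINDA.COM
```

Each reported problem maps to one of the usual kprop failures: a missing host/slave entry means kpropd cannot decrypt the master's request, a missing ACL entry means kpropd rejects it, and a missing stash file means the slave's krb5kdc will not start even after a successful propagation.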

At this point the slave has no database yet, so its KDC cannot be started. Push a full dump of the master's database to the slave (kprop with a dump file is a full propagation, not an incremental one); run this on the master:

kdb5_util dump /var/kerberos/krb5kdc/kdc.dump
kprop -f /var/kerberos/krb5kdc/kdc.dump slave.posinda.com

On success you get this line:

Database propagation to slave.posinda.com: SUCCEEDED

If it does not appear, the propagation failed: read the error kprop prints on the master and kpropd's messages in syslog on the slave. The usual causes are a slave keytab without the host/slave.posinda.com entry, a kpropd.acl that does not list host/master.posinda.com@POSINDA.COM, or clock skew between the two hosts.

kpropd loads the received dump into the slave's database with kdb5_util load. Now the slave's KDC can be started; the stash file copied earlier is what lets it read the master key without prompting. Start only krb5kdc on the slave, not kadmin:

systemctl start krb5kdc.service
systemctl enable krb5kdc.service
Test that the pair works:
1) From a third host, obtain a ticket with kinit. Normally it comes from the master, which is the first kdc = entry in krb5.conf; clients try the entries in that order and fall back to the next one when a KDC does not answer.
2) Stop the KDC service on the master: systemctl stop krb5kdc.service
3) Run kinit from the third host again; if it succeeds, the slave is serving tickets.
To see which KDC actually answered, run the client with library tracing on, for example KRB5_TRACE=/dev/stderr kinit admin/admin, or watch /var/log/krb5kdc.log on each KDC.

With several slaves, a scheduled propagation script can look like this (note that sh does not allow spaces around = in an assignment):

 #!/bin/sh
 # hostnames of the slave KDCs
 kdclist="node1 node2 node3"
 dump=/var/kerberos/krb5kdc/kdc.dump

 # dump the master database first; stop if that fails
 kdb5_util dump "$dump" || exit 1

 for kdc in $kdclist
 do
   kprop -f "$dump" "$kdc" || echo "propagation to $kdc failed" >&2
 done

Running kadmin.local on the master reads and writes the local database files directly, so principals can still be added or deleted on the master even while its KDC is stopped. The slave KDC answers from its own local copy of the database, not from the master's files. So when master/slave replication is set up, never add, delete or modify principals on the slave; it exists only to authenticate clients while the master KDC is down. A change made on the master is not seen by the slave until the master pushes the database to it again, so propagate after every change on the master, and with several slaves use the script above, for example from cron, to push the dump to all of them.
