Kerberos主从配置

前言

本篇文档衔接上一篇 Kerberos 的安装配置;详见:https://blog.51cto.com/784687488/2332072

配置指定Kerberos配置文件的系统环境变量

# 以下配置是 Kerberos 默认配置,也可以不配。如果需要改变 Kerberos 默认的配置文件路径则必须配置
echo "export KRB5_CONFIG=/etc/krb5.conf" >>/etc/profile
echo "export KRB5_KDC_PROFILE=/var/kerberos/krb5kdc/kdc.conf" >>/etc/profile

Slave 端安装

[root@agent02 ~]$ yum install krb5-server krb5-libs krb5-workstation -y

在 /etc/krb5.conf 中添加从机 kdc 配置(M端操作)

# 原配置如下:
[libdefaults]
    renew_lifetime = 7d
    forwardable = true
    default_realm = TEST.COM
    ticket_lifetime = 24h
    DNS_lookup_realm = false
    dns_lookup_kdc = false
    default_ccache_name = /tmp/krb5cc_%{uid}
    #default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
    #default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5

[logging]
    default = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
    kdc = FILE:/var/log/krb5kdc.log

[realms]
    TEST.COM = {
        admin_server = agent01.ambari.com
        kdc = agent01.ambari.com
    }

# 修改后的配置如下:
[libdefaults]
    renew_lifetime = 7d
    forwardable = true
    default_realm = TEST.COM
    ticket_lifetime = 24h
    dns_lookup_realm = false
    dns_lookup_kdc = false
    default_ccache_name = /tmp/krb5cc_%{uid}
    #default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
    #default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5

[logging]
    default = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
    kdc = FILE:/var/log/krb5kdc.log

[realms]
    TEST.COM = {
        admin_server = agent01.ambari.com
        kdc = agent01.ambari.com
        *kdc = agent02.ambari.com*    # 此处为新添加配置项
    }

分别为 Master/Slave 端创建 Principal(M端操作)

[root@agent01 ~]$ kadmin.local
kadmin.local:  addprinc -randkey host/agent01.ambari.com
WARNING: no policy specified for host/agent01.ambari.com@TEST.COM; defaulting to no policy
Principal "host/agent01.ambari.com@TEST.COM" created.
kadmin.local:  addprinc -randkey host/agent02.ambari.com
WARNING: no policy specified for host/agent02.ambari.com@TEST.COM; defaulting to no policy
Principal "host/agent02.ambari.com@TEST.COM" created.
kadmin.local:  quit

分别为 Master/Slave 端提取 Principal 的认证 Keytab(M端操作)

[root@agent01 ~]$ kadmin.local -q "ktadd host/agent01.ambari.com@TEST.COM"
Authenticating as principal root/admin@TEST.COM with password.
Entry for principal host/agent01.ambari.com@TEST.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/agent01.ambari.com@TEST.COM with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/agent01.ambari.com@TEST.COM with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/agent01.ambari.com@TEST.COM with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/agent01.ambari.com@TEST.COM with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/agent01.ambari.com@TEST.COM with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/agent01.ambari.com@TEST.COM with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/agent01.ambari.com@TEST.COM with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.

[root@agent01 ~]$ kadmin.local -q "ktadd -k /etc/agent02.keytab host/agent02.ambari.com@TEST.COM" 
Authenticating as principal root/admin@TEST.COM with password.
Entry for principal host/agent02.ambari.com@TEST.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/agent02.keytab.
Entry for principal host/agent02.ambari.com@TEST.COM with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/agent02.keytab.
Entry for principal host/agent02.ambari.com@TEST.COM with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/agent02.keytab.
Entry for principal host/agent02.ambari.com@TEST.COM with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/agent02.keytab.
Entry for principal host/agent02.ambari.com@TEST.COM with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/agent02.keytab.
Entry for principal host/agent02.ambari.com@TEST.COM with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/agent02.keytab.
Entry for principal host/agent02.ambari.com@TEST.COM with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/agent02.keytab.
Entry for principal host/agent02.ambari.com@TEST.COM with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/agent02.keytab.
[root@agent01 ~]$ scp /etc/agent02.keytab agent02.ambari.com:/etc/krb5.keytab

将 Master 端相关文件分发至 Slave 端(M端操作)

[root@agent01 ~]$ scp /etc/krb5.conf agent02.ambari.com:/etc/
[root@agent01 ~]$ scp /var/kerberos/krb5kdc/kdc.conf /var/kerberos/krb5kdc/kadm5.acl /var/kerberos/krb5kdc/.k5.TEST.COM agent02.ambari.com:/var/kerberos/krb5kdc/

创建 Slave 端数据库

[root@agent02 ~]$ kdb5_util create -r TEST.COM -s

创建 Principal

[root@agent02 ~]$ kadmin.local 
kadmin.local:  addprinc -randkey host/agent02.ambari.com@TEST.COM 
WARNING: no policy specified for host/agent02.ambari.com@TEST.COM; defaulting to no policy
Principal "host/agent02.ambari.com@TEST.COM" created.
kadmin.local:  addprinc -randkey host/agent01.ambari.com@TEST.COM
WARNING: no policy specified for host/agent01.ambari.com@TEST.COM; defaulting to no policy
Principal "host/agent01.ambari.com@TEST.COM" created.
kadmin.local:  quit

Master 端数据库数据通过 kpropd 进程传输,创建 kpropd.acl 文件明确可进行数据 dump & update & transfer 的 principal

[root@agent02 ~]$ cat >>/var/kerberos/krb5kdc/kpropd.acl< host/agent01.ambari.com@TEST.COM
> host/agent02.ambari.com@TEST.COM
> EOF
[root@agent02 ~]$ scp /var/kerberos/krb5kdc/kpropd.acl agent01.ambari.com:/var/kerberos/krb5kdc/

创建 /etc/inetd.conf

[root@agent02 ~]$ cat >>/etc/inetd.conf<

定义 kpropd daemon 名称及端口

[root@agent02 ~]$ echo "krb5_prop       754/tcp               # Kerberos slave propagation" >>/etc/services

启动 kpropd daemon

[root@agent02 ~]$ systemctl start kprop.service

备份 kerberos-master 数据(M 端执行)

[root@agent01 ~]$ for n in 21 22;do ssh 10.0.2.$n "mkdir /var/kerberos/data_trans";done
[root@agent01 ~]$ kdb5_util dump /var/kerberos/data_trans/slave_datatrans

创新互联专注骨干网络服务器租用10年,服务更有保障!服务器租用,光华机房服务器托管 成都服务器租用,成都服务器托管,骨干网络带宽,享受低延迟,高速访问。灵活、实现低成本的共享或公网数据中心高速带宽的专属高性能服务器。

传输 Master 数据至 Slave(M 端执行)

[root@agent01 ~]$ kprop -f /var/kerberos/data_trans/slave_datatrans agent02.ambari.com
Database propagation to agent02.ambari.com: SUCCEEDED

创建数据传输脚本(M端操作)

[root@agent01 ~]$ cat >/var/kerberos/data_trans/data_transfor.sh<>/var/kerberos/data_trans/data_transfor.log
        kprop -f ${bakfile} ${kdc} >>/var/kerberos/data_trans/data_transfor.log
done
exit 0
EOF
[root@agent01 ~]$ scp /var/kerberos/data_trans/data_transfor.sh agent02.ambari.com:/var/kerberos/data_trans/

添加定时任务

# M 端操作
[root@agent01 ~]$ echo "0 * * * * /bin/sh /var/kerberos/data_trans/data_transfor.sh" >>/var/spool/cron/root
# S 端操作
[root@agent02 ~]$ echo "#0 * * * * /bin/sh /var/kerberos/data_trans/data_transfor.sh" >>/var/spool/cron/root

启动 Slave 端kdc进程

[root@agent02 ~]$ systemctl start krb5kdc.service

主从切换需要手动操作,手动启动从机kadmin daemon


名称栏目:Kerberos主从配置
分享网址:http://hbruida.cn/article/piopdp.html