Kerberos主从配置
前言
本篇文档衔接上一篇 Kerberos 的安装配置;详见:https://blog.51cto.com/784687488/2332072
配置指定Kerberos配置文件的系统环境变量
# 以下配置是 Kerberos 默认配置,也可以不配。如果需要改变 Kerberos 默认的配置文件路径则必须配置
echo "export KRB5_CONFIG=/etc/krb5.conf" >>/etc/profile
echo "export KRB5_KDC_PROFILE=/var/kerberos/krb5kdc/kdc.conf" >>/etc/profile
Slave 端安装
[root@agent02 ~]$ yum install krb5-server krb5-libs krb5-workstation -y
在 /etc/krb5.conf 中添加从机 kdc 配置(M端操作)
# 原配置如下:
[libdefaults]
renew_lifetime = 7d
forwardable = true
default_realm = TEST.COM
ticket_lifetime = 24h
DNS_lookup_realm = false
dns_lookup_kdc = false
default_ccache_name = /tmp/krb5cc_%{uid}
#default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
#default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
[logging]
default = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
kdc = FILE:/var/log/krb5kdc.log
[realms]
TEST.COM = {
admin_server = agent01.ambari.com
kdc = agent01.ambari.com
}
# 修改后的配置如下:
[libdefaults]
renew_lifetime = 7d
forwardable = true
default_realm = TEST.COM
ticket_lifetime = 24h
dns_lookup_realm = false
dns_lookup_kdc = false
default_ccache_name = /tmp/krb5cc_%{uid}
#default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
#default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
[logging]
default = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
kdc = FILE:/var/log/krb5kdc.log
[realms]
TEST.COM = {
admin_server = agent01.ambari.com
kdc = agent01.ambari.com
*kdc = agent02.ambari.com* # 此处为新添加配置项
}
分别为 Master/Slave 端创建 Principal(M端操作)
[root@agent01 ~]$ kadmin.local
kadmin.local: addprinc -randkey host/agent01.ambari.com
WARNING: no policy specified for host/agent01.ambari.com@TEST.COM; defaulting to no policy
Principal "host/agent01.ambari.com@TEST.COM" created.
kadmin.local: addprinc -randkey host/agent02.ambari.com
WARNING: no policy specified for host/agent02.ambari.com@TEST.COM; defaulting to no policy
Principal "host/agent02.ambari.com@TEST.COM" created.
kadmin.local: quit
分别为 Master/Slave 端提取 Principal 的认证 Keytab(M端操作)
[root@agent01 ~]$ kadmin.local -q "ktadd host/agent01.ambari.com@TEST.COM"
Authenticating as principal root/admin@TEST.COM with password.
Entry for principal host/agent01.ambari.com@TEST.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/agent01.ambari.com@TEST.COM with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/agent01.ambari.com@TEST.COM with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/agent01.ambari.com@TEST.COM with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/agent01.ambari.com@TEST.COM with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/agent01.ambari.com@TEST.COM with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/agent01.ambari.com@TEST.COM with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/agent01.ambari.com@TEST.COM with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.
[root@agent01 ~]$ kadmin.local -q "ktadd -k /etc/agent02.keytab host/agent02.ambari.com@TEST.COM"
Authenticating as principal root/admin@TEST.COM with password.
Entry for principal host/agent02.ambari.com@TEST.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/agent02.keytab.
Entry for principal host/agent02.ambari.com@TEST.COM with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/agent02.keytab.
Entry for principal host/agent02.ambari.com@TEST.COM with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/agent02.keytab.
Entry for principal host/agent02.ambari.com@TEST.COM with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/agent02.keytab.
Entry for principal host/agent02.ambari.com@TEST.COM with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/agent02.keytab.
Entry for principal host/agent02.ambari.com@TEST.COM with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/agent02.keytab.
Entry for principal host/agent02.ambari.com@TEST.COM with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/agent02.keytab.
Entry for principal host/agent02.ambari.com@TEST.COM with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/agent02.keytab.
[root@agent01 ~]$ scp /etc/agent02.keytab agent02.ambari.com:/etc/krb5.keytab
将 Master 端相关文件分发至 Slave 端(M端操作)
[root@agent01 ~]$ scp /etc/krb5.conf agent02.ambari.com:/etc/
[root@agent01 ~]$ scp /var/kerberos/krb5kdc/kdc.conf /var/kerberos/krb5kdc/kadm5.acl /var/kerberos/krb5kdc/.k5.TEST.COM agent02.ambari.com:/var/kerberos/krb5kdc/
创建 Slave 端数据库
[root@agent02 ~]$ kdb5_util create -r TEST.COM -s
创建 Principal
[root@agent02 ~]$ kadmin.local
kadmin.local: addprinc -randkey host/agent02.ambari.com@TEST.COM
WARNING: no policy specified for host/agent02.ambari.com@TEST.COM; defaulting to no policy
Principal "host/agent02.ambari.com@TEST.COM" created.
kadmin.local: addprinc -randkey host/agent01.ambari.com@TEST.COM
WARNING: no policy specified for host/agent01.ambari.com@TEST.COM; defaulting to no policy
Principal "host/agent01.ambari.com@TEST.COM" created.
kadmin.local: quit
Master 端数据库数据通过 kpropd 进程传输,创建 kpropd.acl 文件明确可进行数据 dump & update & transfer 的 principal
[root@agent02 ~]$ cat >>/var/kerberos/krb5kdc/kpropd.acl< host/agent01.ambari.com@TEST.COM
> host/agent02.ambari.com@TEST.COM
> EOF
[root@agent02 ~]$ scp /var/kerberos/krb5kdc/kpropd.acl agent01.ambari.com:/var/kerberos/krb5kdc/
创建 /etc/inetd.conf
[root@agent02 ~]$ cat >>/etc/inetd.conf<
定义 kpropd daemon 名称及端口
[root@agent02 ~]$ echo "krb5_prop 754/tcp # Kerberos slave propagation" >>/etc/services
启动 kpropd daemon
[root@agent02 ~]$ systemctl start kprop.service
备份 kerberos-master 数据(M 端执行)
[root@agent01 ~]$ for n in 21 22;do ssh 10.0.2.$n "mkdir /var/kerberos/data_trans";done
[root@agent01 ~]$ kdb5_util dump /var/kerberos/data_trans/slave_datatrans
创新互联专注骨干网络服务器租用10年,服务更有保障!服务器租用,光华机房服务器托管 成都服务器租用,成都服务器托管,骨干网络带宽,享受低延迟,高速访问。灵活、实现低成本的共享或公网数据中心高速带宽的专属高性能服务器。
传输 Master 数据至 Slave(M 端执行)
[root@agent01 ~]$ kprop -f /var/kerberos/data_trans/slave_datatrans agent02.ambari.com
Database propagation to agent02.ambari.com: SUCCEEDED
创建数据传输脚本(M端操作)
[root@agent01 ~]$ cat >/var/kerberos/data_trans/data_transfor.sh<>/var/kerberos/data_trans/data_transfor.log
kprop -f ${bakfile} ${kdc} >>/var/kerberos/data_trans/data_transfor.log
done
exit 0
EOF
[root@agent01 ~]$ scp /var/kerberos/data_trans/data_transfor.sh agent02.ambari.com:/var/kerberos/data_trans/
添加定时任务
# M 端操作
[root@agent01 ~]$ echo "0 * * * * /bin/sh /var/kerberos/data_trans/data_transfor.sh" >>/var/spool/cron/root
# S 端操作
[root@agent02 ~]$ echo "#0 * * * * /bin/sh /var/kerberos/data_trans/data_transfor.sh" >>/var/spool/cron/root
启动 Slave 端kdc进程
[root@agent02 ~]$ systemctl start krb5kdc.service
主从切换需要手动操作,手动启动从机kadmin daemon
名称栏目:Kerberos主从配置
分享网址:http://hbruida.cn/article/piopdp.html