Host list

| Hostname | IP | Hardware |
|---|---|---|
| pass-eda-hdp-001 | 10.218.12.14 | 80 cores, 256 GB RAM |
| pass-eda-hdp-003 | 10.218.12.18 | 80 cores, 256 GB RAM |
Software list

| Package | Version | Notes |
|---|---|---|
| krb5-server | 1.15.1 | |
| krb5-workstation | 1.15.1 | Used to sync the database file between primary and standby |
Host plan

| Host | Role | Software |
|---|---|---|
| 10.218.12.14 | Primary | krb5-server |
| 10.218.12.18 | Standby | krb5-workstation |
Installation and deployment
Service installation
Install the Kerberos packages on both machines. This step only installs the software; configuration and service start-up come later.
```bash
yum install krb5-server krb5-workstation -y
```
Modify the configuration
The configuration files below are edited on the primary and the standby at the same time.
Configure /etc/krb5.conf
```ini
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
default_realm = HLJ.CTC
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
HLJ.CTC = {
kdc = pass-eda-hdp-001
kdc = pass-eda-hdp-003
admin_server = pass-eda-hdp-001
}
[domain_realm]
.hlj.ctc = HLJ.CTC
hlj.ctc = HLJ.CTC
```
Notes:
- HLJ.CTC is the realm chosen here. Kerberos supports multiple realms; realm names are case-sensitive and are conventionally written in upper case so they are easy to recognise.
- kdc is the address of a KDC, in the form hostname:port; the port may be omitted and defaults to 88. Write one kdc line per KDC (admin_server works the same way).
Configure /var/kerberos/krb5kdc/kdc.conf
```bash
sed -i "s/EXAMPLE.COM/HLJ.CTC/g" /var/kerberos/krb5kdc/kdc.conf
```
```ini
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
HLJ.CTC = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
```
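The kdc.conf above still lists DES, 3DES and RC4 in supported_enctypes, and the krb5.conf must name both KDCs for clients to fail over. As an added example (not from the original post), this Python check parses both files in the MIT profile format and reports the weak enctypes and any missing fail-over settings; the trimmed copies embedded in it are constructed stand-ins for the real files.

```python
# Added example, not from the original post: lint this deployment's krb5.conf and
# kdc.conf (constructed, trimmed copies below) for weak enctypes and fail-over settings.
KRB5_CONF = """[libdefaults]
default_realm = HLJ.CTC
[realms]
HLJ.CTC = {
kdc = pass-eda-hdp-001
kdc = pass-eda-hdp-003
admin_server = pass-eda-hdp-001
}"""
KDC_CONF = """[realms]
HLJ.CTC = {
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}"""
# Cipher families krb5 1.15 still accepts but that are broken (DES, RC4) or deprecated (3DES).
WEAK_FAMILIES = {"des", "des3", "arcfour", "rc4"}

def parse_profile(text):
    """Minimal MIT profile parser: [section] headers, key = value lines (a repeated
    key such as kdc becomes a list) and one level of key = { ... } subsections."""
    sections, section, sub = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or line.startswith("includedir"):
            continue  # comment line or includedir directive
        if line.startswith("[") and line.endswith("]"):
            section, sub = sections.setdefault(line[1:-1], {}), None
        elif line == "}":
            sub = None
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                sub = section.setdefault(key, {})
            else:
                (sub if sub is not None else section).setdefault(key, []).append(value)
    return sections

def weak_enctypes(kdc_conf, realm):
    """supported_enctypes entries for `realm` whose cipher family is DES, 3DES or RC4."""
    realm_cfg = parse_profile(kdc_conf)["realms"][realm]
    entries = realm_cfg.get("supported_enctypes", [""])[0].split()
    return [e for e in entries if e.split("-")[0] in WEAK_FAMILIES]

def replication_problems(krb5_conf, realm, primary, standby):
    """Clients fail over only if both hosts are listed as kdc; admin_server must be
    the primary alone, since kadmind runs there and kpropd.acl must not exist on it."""
    realm_cfg = parse_profile(krb5_conf)["realms"][realm]
    kdcs = [k.split(":")[0] for k in realm_cfg.get("kdc", [])]
    problems = [f"no kdc line for {h}" for h in (primary, standby) if h not in kdcs]
    if realm_cfg.get("admin_server") != [primary]:
        problems.append("admin_server must be the primary KDC only")
    return problems
```

On the page's kdc.conf the check reports five weak entries; dropping them from supported_enctypes leaves the AES and Camellia types.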
Configure /var/kerberos/krb5kdc/kadm5.acl
```bash
sed -i "s/EXAMPLE.COM/HLJ.CTC/g" /var/kerberos/krb5kdc/kadm5.acl
```
```text
*/admin@HLJ.CTC *
```
Create the database
```bash
kdb5_util create -s
```
Copy the master key stash file
```bash
# The stash file is named after the realm (.k5.<REALM>); the standby needs it to open the replicated database.
scp -p /var/kerberos/krb5kdc/.k5.HLJ.CTC pass-eda-hdp-003:/var/kerberos/krb5kdc/
```
Create the replication principals
```bash
kadmin.local -q "addprinc -randkey host/pass-eda-hdp-001"
kadmin.local -q "addprinc -randkey host/pass-eda-hdp-003"
kadmin.local -q "ktadd host/pass-eda-hdp-001"
kadmin.local -q "ktadd host/pass-eda-hdp-003"
```
Copy the keytab file
```bash
scp -p /etc/krb5.keytab pass-eda-hdp-003:/etc/
```
Declare the replication principals
Note: this file must not exist on the primary node, otherwise the kadmin service fails to start with the error: Error. This appears to be a slave server, found kpropd.acl.
Configure /var/kerberos/krb5kdc/kpropd.acl (on the standby)
```text
host/pass-eda-hdp-001@HLJ.CTC
host/pass-eda-hdp-003@HLJ.CTC
```
Start the kprop service (kpropd, on the standby node)
```bash
systemctl enable kprop
systemctl start kprop
```
Synchronize the database
Dump the database on the primary node.
```bash
kdb5_util dump /var/kerberos/krb5kdc/slave_datatrans
```
Start the Kerberos service on the primary node.
```bash
systemctl start krb5kdc
```
Propagate the database file to the standby.
```text
kprop -d pass-eda-hdp-003
Database propagation to pass-eda-hdp-003: SUCCEEDED
```
Log on pass-eda-hdp-003
```text
[root@kdcslave ~]# kpropd -dS
ready
waiting for a kprop connection
Connection from kdcmaster
krb5_recvauth(4, kprop5_01, host/kdcslave@HAOHAOZHU.COM, ...)
authenticated client: host/kdcmaster@HAOHAOZHU.COM (etype == Triple DES cbc mode with HMAC/sha1)
Full propagation transfer started.
Full propagation transfer finished.
calling kdb5_util to load database
Load PID is 3565
Database load process for full propagation completed.
waiting for a kprop connection
```
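The debug log above shows one clean cycle: an authenticated client, a transfer that starts and finishes, and a completed database load. As an added example (not from the original post), this Python check replays kpropd -dS output and flags a transfer that started but never completed, a client principal outside kpropd.acl, and a weak session enctype; the log text and the host/other-kdc principal are constructed for the demonstration using this deployment's names.

```python
# Added example, not from the original post: audit "kpropd -dS" output on the standby
# for transfers that did not complete and for client principals outside kpropd.acl.
# The log text is constructed in the format shown above, using this deployment's names.
import re

KPROPD_ACL = {"host/pass-eda-hdp-001@HLJ.CTC", "host/pass-eda-hdp-003@HLJ.CTC"}
SAMPLE_LOG = """\
waiting for a kprop connection
Connection from pass-eda-hdp-001
authenticated client: host/pass-eda-hdp-001@HLJ.CTC (etype == AES-256 CTS mode with 96-bit SHA-1 HMAC)
Full propagation transfer started.
Full propagation transfer finished.
calling kdb5_util to load database
Load PID is 3565
Database load process for full propagation completed.
waiting for a kprop connection
Connection from pass-eda-hdp-001
authenticated client: host/other-kdc@HLJ.CTC (etype == Triple DES cbc mode with HMAC/sha1)
Full propagation transfer started.
waiting for a kprop connection
"""
CLIENT_RE = re.compile(r"^authenticated client: (\S+) \(etype == (.+)\)$")

def audit_kpropd_log(text, allowed):
    """One finding per problem: a client outside the ACL, a weak session etype, or a
    transfer that started but never reached 'Database load ... completed'."""
    findings, client, started = [], None, False
    for line in text.splitlines():
        m = CLIENT_RE.match(line)
        if m:
            client, etype = m.groups()
            if client not in allowed:
                findings.append(f"{client} is not in kpropd.acl")
            if etype.startswith(("DES", "Triple DES", "ArcFour")):
                findings.append(f"{client} used weak etype: {etype}")
        elif line == "Full propagation transfer started.":
            started = True
        elif line.startswith("Database load process") and line.endswith("completed."):
            started = False  # the standby now serves the freshly loaded database
        elif line == "waiting for a kprop connection" and started:
            findings.append(f"transfer from {client} did not complete")
            started = False
    return findings
```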
Add an automatic sync job
```bash
echo -e "* * * * * root kdb5_util dump /var/kerberos/krb5kdc/slave_datatrans && kprop -d pass-eda-hdp-003" >> /etc/cron.d/sync_krb5
systemctl restart crond
```
sync_db.sh
```sh
#!/bin/sh
# Dump the KDC database on the primary and push it to every standby KDC.
# kdclist holds the standby hostnames, space-separated (pass-eda-hdp-003 in this deployment).
kdclist="pass-eda-hdp-003"
echo "$(date) start to sync!"
sudo kdb5_util dump /var/kerberos/krb5kdc/slave_datatrans || { echo "dump failed"; exit 1; }
for kdc in $kdclist; do
    sudo kprop -f /var/kerberos/krb5kdc/slave_datatrans "$kdc" || echo "kprop to $kdc failed"
done
echo "$(date) end to sync!"
```
Make it executable
```bash
chmod +x sync_db.sh
```
Add the cron job
```bash
crontab -e
```
```text
*/1 * * * * /root/sync_db.sh >> /root/sync.log
```
Start the KDC on the standby node
```bash
systemctl start krb5kdc
```
Start the kadmin service (on the primary node)
```bash
systemctl start kadmin
```
Testing
Add a test principal
```bash
sudo kadmin.local -q "addprinc -pw test test/admin"
```
Stop the KDC service on the primary node
```bash
systemctl stop krb5kdc
```
Log in with the test principal. With the primary KDC stopped, kadmin must obtain its ticket from the standby KDC:
```text
kadmin -p test/admin
Authenticating as principal test/admin with password.
Password for test/admin@HADOOP.COM:
```
Verify with kadmin.local on the standby
```text
[root@pass-eda-hdp-003 krb5kdc]# kadmin.local
Authenticating as principal root/admin@HLJ.CTC with password.
kadmin.local: listprincs
K/M@HLJ.CTC
host/pass-eda-hdp-001@HLJ.CTC
host/pass-eda-hdp-003@HLJ.CTC
kadmin/admin@HLJ.CTC
kadmin/changepw@HLJ.CTC
kadmin/pass-eda-hdp-001@HLJ.CTC
kiprop/pass-eda-hdp-001@HLJ.CTC
krbtgt/HLJ.CTC@HLJ.CTC
test/admin@HLJ.CTC
kadmin.local: exit
```
Install script
installKerberos.sh
```sh
#!/bin/sh
# Run on the primary (pass-eda-hdp-001); pushes config, stash file, keytab and database to the standby.
set -e
yum install krb5-server krb5-workstation -y
ssh pass-eda-hdp-003 "yum install krb5-server krb5-workstation -y"
cp /home/krb5.conf /etc/                      # prepared krb5.conf as shown above
scp /etc/krb5.conf pass-eda-hdp-003:/etc
sed -i "s/EXAMPLE.COM/HLJ.CTC/g" /var/kerberos/krb5kdc/kdc.conf
scp /var/kerberos/krb5kdc/kdc.conf pass-eda-hdp-003:/var/kerberos/krb5kdc/
sed -i "s/EXAMPLE.COM/HLJ.CTC/g" /var/kerberos/krb5kdc/kadm5.acl
scp /var/kerberos/krb5kdc/kadm5.acl pass-eda-hdp-003:/var/kerberos/krb5kdc/
kdb5_util create -s                           # creates the database and the .k5.HLJ.CTC stash file
scp /var/kerberos/krb5kdc/.k5.HLJ.CTC pass-eda-hdp-003:/var/kerberos/krb5kdc/
kadmin.local -q "addprinc -randkey host/pass-eda-hdp-001"
kadmin.local -q "addprinc -randkey host/pass-eda-hdp-003"
kadmin.local -q "ktadd host/pass-eda-hdp-001"
kadmin.local -q "ktadd host/pass-eda-hdp-003"
scp -p /etc/krb5.keytab pass-eda-hdp-003:/etc/
# kpropd.acl belongs on the standby only; kadmind refuses to start if it exists on the primary.
ssh pass-eda-hdp-003 'printf "host/pass-eda-hdp-001@HLJ.CTC\nhost/pass-eda-hdp-003@HLJ.CTC\n" > /var/kerberos/krb5kdc/kpropd.acl && systemctl enable kprop && systemctl start kprop'
kdb5_util dump /var/kerberos/krb5kdc/slave_datatrans
kprop -d -f /var/kerberos/krb5kdc/slave_datatrans pass-eda-hdp-003
```
A keytab file is generated as follows
```bash
sudo kadmin.local -q "addprinc -pw ocdp ocdp@HLJ.CTC"
# xst (ktadd) writes the keys into the keytab; unless -norandkey is given (kadmin.local only),
# it also replaces the principal's key, so the password set above stops working afterwards.
sudo kadmin -p admin/admin -w admin -q "xst -k /home/ocdp/ocdp.keytab ocdp@HLJ.CTC"
```
Add a principal remotely
```bash
# The same call written as an argument list:
# /usr/bin/kadmin, -s, 10.4.75.32:749, -p, jzy/admin@GROUPB.HADOOP.CN, -w, jzy, -r, GROUPB.HADOOP.CN, -q, add_principal -pw "a1b2c3d4" test1@GROUPB.HADOOP.CN
# -w puts the admin password on the command line (visible in ps and shell history); a keytab with -k -t avoids that.
sudo kadmin -s 10.4.75.32:749 -p jzy/admin@GROUPB.HADOOP.CN -w jzy -r GROUPB.HADOOP.CN -q 'add_principal -pw "a1b2c3d4" test1@GROUPB.HADOOP.CN'
```