1.环境准备
system-OS:centos73
CDH version:5.11
cat /etc/hosts
192.168.11.181 deploy-1
192.168.11.182 deploy-2
192.168.11.183 deploy-3
主备节点使用keepalived虚IP漂移
vip:192.168.17.180
主节点:deploy-2
备节点:deploy-3
2.krb安装
# master KDC node
yum -y install krb5-server krb5-libs openldap-clients
# standby KDC node
yum -y install krb5-server krb5-libs openldap-clients
# every node
yum -y install krb5-workstation krb5-devel
3.修改配置文件
3.1 /etc/krb5.conf,同步到所有节点
cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
default_realm = BDE.COM
#default_ccache_name = KEYRING:persistent:%{uid}
[realms]
# Both KDCs are listed: deploy-2 is the master, deploy-3 the standby.
# NOTE(review): the keepalived VIP (192.168.17.180) from the preparation
# section is not referenced here; the KDCs are addressed by hostname.
# Confirm which of the two is intended.
BDE.COM = {
kdc = deploy-2
admin_server = deploy-2
kdc = deploy-3
# NOTE(review): in this guide kadmin is started on the master only, so an
# admin_server entry pointing at the standby is not expected to answer.
admin_server = deploy-3
default_domain = BDE.COM
}
[domain_realm]
.bde.com = BDE.COM
bde.com = BDE.COM
3.2 主节点 /var/kerberos/krb5kdc/kdc.conf 和 /var/kerberos/krb5kdc/kadm5.acl
cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
BDE.COM = {
# master_key_type = aes256-cts
max_renewable_life = 365d 0h 0m 0s
# kadm5.acl (shown below) grants every */admin principal full privileges.
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
# NOTE(review): besides AES this list also enables single-DES (des-*) and
# RC4 (arcfour-hmac) enctypes, so new principals get keys in those deprecated
# types too. Keep them only while a consumer still needs them and drop them
# afterwards.
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
cat /var/kerberos/krb5kdc/kadm5.acl
# Any principal whose instance is "admin" (e.g. hadoop1/admin@BDE.COM, created
# later in this guide) gets all administrative privileges ("*").
# NOTE(review): the bare "admin" principal created later has no instance and
# therefore does not match this pattern; it can kinit but cannot administer.
*/admin@BDE.COM *
3.3 备节点 /var/kerberos/krb5kdc/kpropd.acl
cat /var/kerberos/krb5kdc/kpropd.acl
host/deploy-2@BDE.COM
host/deploy-3@BDE.COM
4.初始化主节点KDC数据库并生成(principal)凭证krb5.keytab,拷贝到备节点KDC上
# Create the realm database; -s also writes the master-key stash file
# (/var/kerberos/krb5kdc/.k5.BDE.COM, copied to the standby below) so the
# KDC can start unattended. This prompts for the master password.
kdb5_util create -r BDE.COM -s
# Host principals for both KDCs with random keys ...
kadmin.local -q "ank -randkey host/deploy-2@BDE.COM"
kadmin.local -q "ank -randkey host/deploy-3@BDE.COM"
# ... exported into the default keytab /etc/krb5.keytab; these are the
# principals listed in kpropd.acl for the database push.
kadmin.local -q "xst host/deploy-2@BDE.COM"
kadmin.local -q "xst host/deploy-3@BDE.COM"
# Verify the exported entries (-k keytab, -e enctypes, -t timestamps).
klist -ket /etc/krb5.keytab
# master -> standby copy
scp /var/kerberos/krb5kdc/kdc.conf deploy-3:/var/kerberos/krb5kdc/
scp /var/kerberos/krb5kdc/kadm5.acl deploy-3:/var/kerberos/krb5kdc/
# .k5.BDE.COM is the master-key stash that protects every key in the
# database; keep it root-owned and mode 0600 on both hosts.
scp /var/kerberos/krb5kdc/.k5.BDE.COM deploy-3:/var/kerberos/krb5kdc/
# keytab holding the host/deploy-2 and host/deploy-3 keys exported above
scp /etc/krb5.keytab deploy-3:/etc/krb5.keytab
5.分别在主备KDC启动服务
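# master node: start and enable the KDC and the admin server
systemctl start krb5kdc
systemctl enable krb5kdc
systemctl start kadmin
# enable kadmin as well so it comes back after a reboot
systemctl enable kadmin
# standby node: only kprop for now; its krb5kdc is started after the first
# database push so it serves a populated database
systemctl start kprop
systemctl enable kprop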
6.将主KDC数据库同步到备KDC数据库中
# initial full push of the master KDC database to the standby
# master node
# Dump the whole database (principals and their keys) to slave_datatrans ...
kdb5_util dump /var/kerberos/krb5kdc/slave_datatrans
# ... and push it to kpropd on deploy-3, authenticated with the host keytab.
kprop -f /var/kerberos/krb5kdc/slave_datatrans deploy-3
# directories for the periodic sync script and its log
mkdir /var/kerberos/{shell,log}
vi /var/kerberos/shell/dump_principal.sh
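#!/bin/bash
# Periodic full dump of the master KDC database and push to the standby
# (deploy-3). Invoked from cron; one invocation performs one dump + push.
# Globals:   none
# Arguments: none
# Outputs:   diagnostics to stderr
# Returns:   non-zero if the dump or the push fails, or if a previous run
#            still holds the lock
set -euo pipefail

readonly dump_file=/var/kerberos/krb5kdc/slave_datatrans
readonly standby_host=deploy-3
readonly lock_file=/var/kerberos/krb5kdc/dump_principal.lock

# Cron starts this script every 10 seconds (six entries with staggered
# sleeps). The lock keeps a slow dump/push from overlapping with the next
# run, which would rewrite slave_datatrans while kprop is still reading it.
exec 9>"$lock_file"
if ! flock -n 9; then
  printf '%s: previous dump still running, skipping\n' "${0##*/}" >&2
  exit 1
fi

# slave_datatrans holds every principal key; it stays in the root-only
# krb5kdc directory.
/usr/sbin/kdb5_util dump "$dump_file"
/usr/sbin/kprop -f "$dump_file" "$standby_host"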
chmod +x /var/kerberos/shell/dump_principal.sh
crontab -e
# Six identical entries differing only in their sleep give a 10-second sync
# cadence; each run appends a timestamp and the script output to dump.log.
# NOTE(review): dump.log grows without bound and nothing here prevents two
# runs from overlapping if a dump/push takes longer than 10 s. Confirm the
# script locks against that and add a logrotate rule for dump.log.
* * * * * /bin/date >> /var/kerberos/log/dump.log 2>&1;/var/kerberos/shell/dump_principal.sh >> /var/kerberos/log/dump.log 2>&1
* * * * * sleep 10; /bin/date >> /var/kerberos/log/dump.log 2>&1; /var/kerberos/shell/dump_principal.sh >> /var/kerberos/log/dump.log 2>&1
* * * * * sleep 20; /bin/date >> /var/kerberos/log/dump.log 2>&1; /var/kerberos/shell/dump_principal.sh >> /var/kerberos/log/dump.log 2>&1
* * * * * sleep 30; /bin/date >> /var/kerberos/log/dump.log 2>&1; /var/kerberos/shell/dump_principal.sh >> /var/kerberos/log/dump.log 2>&1
* * * * * sleep 40; /bin/date >> /var/kerberos/log/dump.log 2>&1; /var/kerberos/shell/dump_principal.sh >> /var/kerberos/log/dump.log 2>&1
* * * * * sleep 50; /bin/date >> /var/kerberos/log/dump.log 2>&1; /var/kerberos/shell/dump_principal.sh >> /var/kerberos/log/dump.log 2>&1
7.备节点启动krb5kdc
# standby node: start the KDC only now, after the first database push,
# so it serves a populated database
systemctl start krb5kdc
systemctl status krb5kdc
systemctl enable krb5kdc
8.添加管理员用户
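# Create principals with kadmin.local on the master (it works on the
# database directly, no ticket needed). addprinc prompts for the password.
kadmin.local -q "addprinc admin"
# hadoop1/admin matches the */admin@BDE.COM pattern in kadm5.acl and so has
# full administrative rights; the bare "admin" principal above does not.
kadmin.local -q "addprinc hadoop1/admin@BDE.COM"
kadmin.local -q "listprincs"
# credential cache before and after obtaining a ticket as admin
klist
kinit admin
# -e also shows the enctype of the issued ticket
klist -e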