192.168.8.181 master1.com (主机)
192.168.8.182 master2.com(备机)
192.168.8.183 slave183.com(客户机)
5.参考:
https://mp.weixin.qq.com/s/Xhl65FpAkG2mR4zMPdh8pA
https://mp.weixin.qq.com/s/7ZiSOgJIysn5zEv6eC7rVg
二.
1.在181 182服务器上安装KDC服务
yum -y install krb5-server krb5-libs krb5-workstation
2.在183上装
yum -y install krb5-workstation krb5-libs
3.修改181配置文件
[root@master1 ~]# cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
MASTER.COM = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
# NOTE(review): the des-*, des3-hmac-sha1 and arcfour-hmac entries are deprecated,
# weak encryption types; keep only aes256-cts:normal aes128-cts:normal unless a
# legacy client is known to need the others. Keys of the weak types also end up in
# /etc/krb5.keytab, as the ktadd output further down shows.
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
max_renewable_life= 7d 0h 0m 0s
}
2
[root@master1 ~]# vi /var/kerberos/krb5kdc/kadm5.acl
[root@master1 ~]# cat /var/kerberos/krb5kdc/kadm5.acl
*/admin@MASTER.COM *
3
[root@master1 ~]# vi /etc/krb5.conf
[root@master1 ~]# cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = MASTER.COM
#default_ccache_name = KEYRING:persistent:%{uid}
[realms]
MASTER.COM = {
kdc = master1.com
admin_server = master1.com
}
[domain_realm]
.master1.com = MASTER.COM
master1.com = MASTER.COM
4.创建Kerberos数据库
[root@master1 ~]# kdb5_util create -r MASTER.COM -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'MASTER.COM',
master key name 'K/M@MASTER.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
5.创建Kerberos的管理账号
[root@master1 ~]# kadmin.local
Authenticating as principal root/admin@MASTER.COM with password.
kadmin.local: addprinc admin/admin@MASTER.COM
WARNING: no policy specified for admin/admin@MASTER.COM; defaulting to no policy
Enter password for principal "admin/admin@MASTER.COM":
Re-enter password for principal "admin/admin@MASTER.COM":
Principal "admin/admin@MASTER.COM" created.
kadmin.local: exit
7.将Kerberos服务添加到自启动服务,并启动krb5kdc和kadmin服务
[root@master1 ~]# systemctl enable krb5kdc
Created symlink from /etc/systemd/system/multi-user.target.wants/krb5kdc.service to /usr/lib/systemd/system/krb5kdc.service.
[root@master1 ~]# systemctl enable kadmin
Created symlink from /etc/systemd/system/multi-user.target.wants/kadmin.service to /usr/lib/systemd/system/kadmin.service.
[root@master1 ~]# systemctl start krb5kdc
[root@master1 ~]# systemctl start kadmin
8.测试Kerberos的管理员账号
[root@master1 ~]# kinit admin/admin@MASTER.COM
Password for admin/admin@MASTER.COM:
[root@master1 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@MASTER.COM
Valid starting Expires Service principal
2019-01-18T14:10:11 2019-01-19T14:10:11 krbtgt/MASTER.COM@MASTER.COM
9.在181上安装额外包
yum -y install openldap-clients
10.将181上krb.conf文件拷贝到183上
[root@master1 ~]# scp /etc/krb5.conf root@slave183.com:/etc/
The authenticity of host 'slave183.com (192.168.8.183)' can't be established.
ECDSA key fingerprint is SHA256:Jdb5Ro09SUtqVOcg5tbcXWjLQDSiTapSKKET8ov1Acc.
ECDSA key fingerprint is MD5:8f:bb:27:49:db:76:06:fe:24:d4:05:7c:bd:92:26:67.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'slave183.com' (ECDSA) to the list of known hosts.
root@slave183.com's password:
krb5.conf 100% 562 262.2KB/s 00:00
三.现在是时候做出改变了,我们开始启用高可用
1.切换181进行操作,修改/etc/krb5.conf的配置文件,在realms配置下增加备Kerberos的配置
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = MASTER.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
MASTER.COM = {
kdc = master1.com
admin_server = master1.com
kdc = master2.com
admin_server = master2.com
}
[domain_realm]
.master1.com = MASTER.COM
master1.com = MASTER.COM
2.将修改后的/etc/krb5.conf文件同步到集群的所有Kerberos客户端节点相应目录
[root@master1 ~]# scp /etc/krb5.conf root@slave183.com:/etc/
root@slave183.com's password:
krb5.conf 100% 611 330.4KB/s 00:00
3.保存配置,然后重启krb5kdc和kadmin服务
systemctl restart krb5kdc
systemctl restart kadmin
4.创建主从同步账号,并为账号生成keytab文件
[root@master1 ~]# kadmin.local
Authenticating as principal admin/admin@MASTER.COM with password.
kadmin.local: addprinc -randkey host/master1.com
WARNING: no policy specified for host/master1.com@MASTER.COM; defaulting to no policy
Principal "host/master1.com@MASTER.COM" created.
kadmin.local: addprinc -randkey host/master2.com
WARNING: no policy specified for host/master2.com@MASTER.COM; defaulting to no policy
Principal "host/master2.com@MASTER.COM" created.
kadmin.local: ktadd host/master1.com
Entry for principal host/master1.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/master1.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/master1.com with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/master1.com with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/master1.com with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/master1.com with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/master1.com with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/master1.com with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.
kadmin.local: ktadd host/master2.com
Entry for principal host/master2.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/master2.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/master2.com with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/master2.com with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/master2.com with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/master2.com with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/master2.com with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/master2.com with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.
5.复制以下文件到182服务器相应目录
将/etc目录下的krb5.conf和krb5.keytab文件拷贝至备Kerberos服务器的/etc目录下
将/var/kerberos/krb5kdc目录下的.k5.MASTER.COM、kadm5.acl和kdc.conf文件拷贝至备Kerberos服务器的/var/kerberos/krb5kdc目录
[root@master1 ~]# scp /etc/krb5.conf root@master2.com:/etc/
The authenticity of host 'master2.com (192.168.8.182)' can't be established.
ECDSA key fingerprint is SHA256:DMDXYXKebRxKaoL4NYWeas9WIMLoC+JtedQn2jy7334.
ECDSA key fingerprint is MD5:f6:00:37:3a:33:f1:d2:42:22:a4:92:98:f5:57:06:bb.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'master2.com,192.168.8.182' (ECDSA) to the list of known hosts.
root@master2.com's password:
krb5.conf 100% 611 254.1KB/s 00:00
[root@master1 ~]# scp /etc/krb5.keytab root@master2.com:/etc/
root@master2.com's password:
krb5.keytab 100% 1170 757.8KB/s 00:00
[root@master1 ~]# scp /var/kerberos/krb5kdc/.k root@master2.com:/etc/
.k5.MASTER.COM .kadm5.acl.swp .kdc.conf.swm .kdc.conf.swn .kdc.conf.swo .kdc.conf.swp
[root@master1 ~]# scp /var/kerberos/krb5kdc/.k5.MASTER.COM root@master2.com:/var/kerberos/krb5kdc/
root@master2.com's password:
.k5.MASTER.COM 100% 75 54.4KB/s 00:00
[root@master1 ~]# scp /var/kerberos/krb5kdc/kadm5.acl root@master2.com:/var/kerberos/krb5kdc/
root@master2.com's password:
kadm5.acl 100% 21 22.0KB/s 00:00
[root@master1 ~]# scp /var/kerberos/krb5kdc/k root@master2.com:/var/kerberos/krb5kdc/
kadm5.acl kdc.conf
[root@master1~]#scp /var/kerberos/krb5kdc/kdc.conf root@master2.com:/var/kerberos/krb5kdc/
root@master2.com's password:
kdc.conf 100% 483 440.6KB/s 00:00
6.切换到182继续操作
7.继续操作,需要申明用来同步的用户,在/var/kerberos/krb5kdc/kpropd.acl配置文件中添加对应账户,如果配置文件不存在则新增
[root@master1 krb5kdc]# cat kpropd.acl
host/master1.com@MASTER.COM
host/master2.com@MASTER.COM
8.启动kprop服务并加入系统自启动
[root@master1 krb5kdc]# systemctl status kprop
● kprop.service - Kerberos 5 Propagation
Loaded: loaded (/usr/lib/systemd/system/kprop.service; enabled; vendor preset: disabled)
Active: active (running) since 五 2019-01-18 15:05:05 CST; 4s ago
Process: 35171 ExecStart=/usr/sbin/_kpropd $KPROPD_ARGS (code=exited, status=0/SUCCESS)
Main PID: 35172 (kpropd)
Tasks: 1
CGroup: /system.slice/kprop.service
└─35172 /usr/sbin/kpropd
1月 18 15:05:05 master2.com systemd[1]: Starting Kerberos 5 Propagation…
1月 18 15:05:05 master2.com systemd[1]: Started Kerberos 5 Propagation.
9.回到181,我们继续
在主节点上使用kdb5_util命令导出Kerberos数据库文件
[root@master1 ~]# kdb5_util dump /var/kerberos/krb5kdc/master.dump
[root@master1 ~]# cd /var/kerberos/krb5kdc/
[root@master1 krb5kdc]# ll
总用量 48
-rw------- 1 root root 21 1月 18 11:20 kadm5.acl
-rw------- 1 root root 483 1月 18 11:44 kdc.conf
-rw------- 1 root root 8980 1月 18 15:06 master.dump
-rw------- 1 root root 1 1月 18 15:06 master.dump.dump_ok
-rw------- 1 root root 16384 1月 18 14:45 principal
-rw------- 1 root root 8192 1月 18 11:52 principal.kadm5
-rw------- 1 root root 0 1月 18 11:52 principal.kadm5.lock
-rw------- 1 root root 0 1月 18 14:45 principal.ok
2.在主节点上使用kprop命令将master.dump文件同步至备节点
[root@master1 krb5kdc]# kprop -f /var/kerberos/krb5kdc/master.dump -d -P 754 master2.com
8980 bytes sent.
Database propagation to master2.com: SUCCEEDED
3.在备节点的/var/kerberos/krb5kdc目录下查看
[root@master1 krb5kdc]# cd /var/kerberos/krb5kdc/
[root@master1 krb5kdc]# ll
总用量 48
-rw------- 1 root root 8980 1月 18 15:09 from_master
-rw------- 1 root root 21 1月 18 14:53 kadm5.acl
-rw------- 1 root root 483 1月 18 14:57 kdc.conf
-rw-r--r-- 1 root root 56 1月 18 15:03 kpropd.acl
-rw------- 1 root root 16384 1月 18 15:09 principal
-rw------- 1 root root 8192 1月 18 15:09 principal.kadm5
-rw------- 1 root root 0 1月 18 15:09 principal.kadm5.lock
-rw------- 1 root root 0 1月 18 15:09 principal.ok
4.在182上测试通过过来的数据是否能启动Kerberos服务
首先将kprop服务停止,将kpropd.acl文件备份并删除,然后启动krb5kdc和kadmin服务
[root@master1 krb5kdc]# systemctl stop kprop
[root@master1 krb5kdc]# mv kpropd.acl kpropd.acl.bak
[root@master1 krb5kdc]# systemctl start krb5kdc
[root@master1 krb5kdc]# systemctl start kadmin
修改备服务器的/etc/krb5.conf文件,将kdc和admin_server修改为备服务器地址,测试kinit是否正常
[realms]
MASTER.COM = {
# kdc = master1.com
# admin_server = master1.com
kdc = master2.com
admin_server = master2.com
}
[root@master1 krb5kdc]# kinit admin/admin@MASTER.COM
Password for admin/admin@MASTER.COM:
[root@master1 krb5kdc]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@MASTER.COM
Valid starting Expires Service principal
2019-01-18T15:24:56 2019-01-19T15:24:56 krbtgt/MASTER.COM@MASTER.COM
renew until 2019-01-25T15:24:56
测试完成需要将/etc/krb5.conf和kpropd.acl文件还原并启动kprop服务
[root@master1 krb5kdc]# systemctl stop krb5kdc
[root@master1 krb5kdc]# systemctl stop kadmin
[root@master1 krb5kdc]# mv kpropd.acl.bak kpropd.acl
[root@master1 krb5kdc]# vi /etc/krb5.conf
[root@master1 krb5kdc]# systemctl start kprop
5.配置181 crontab任务定时同步数据
[root@master1 krb5kdc]# cat kprop_sync.sh
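#!/bin/bash
# kprop_sync.sh - dump the KDC database on the primary KDC and propagate the
# dump to the replica with kprop. Meant to be run by root from crontab.
#
# Exits non-zero (and skips kprop) if the dump step fails, so a stale or
# partial dump is never pushed to the replica.
set -euo pipefail

# The dump contains every principal's key material: make sure any file this
# script creates is readable by root only.
umask 077

readonly DUMP=/var/kerberos/krb5kdc/master.dump
readonly PORT=754
readonly SLAVE="master2.com"

TIMESTAMP=$(date)
printf 'Start at %s\n' "$TIMESTAMP"

# Under set -e a failed dump aborts here; kprop below is only reached on success.
sudo kdb5_util dump "$DUMP"
sudo kprop -f "$DUMP" -d -P "$PORT" "$SLAVE"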
[root@master1 krb5kdc]# chmod 700 /var/kerberos/krb5kdc/kprop_sync.sh
[root@master1 krb5kdc]# sh /var/kerberos/krb5kdc/kprop_sync.sh
Start at 2019年 01月 18日 星期五 15:41:47 CST
8980 bytes sent.
Database propagation to master2.com: SUCCEEDED
6.配置crontab任务
[root@master1 krb5kdc]# crontab -e
0 * * * * /var/kerberos/krb5kdc/kprop_sync.sh >/var/kerberos/krb5kdc/lastupdate
退出并保存,启动服务并设置开机启动
crontab: installing new crontab
[root@master1 krb5kdc]# systemctl enable crond
[root@master1 krb5kdc]# systemctl start crond
当出现主节点向备用节点传输数据库数据找不到路由的情况时,可以先检查备节点防火墙是否放行了kprop使用的754端口(即上文kprop -P 754所指定的端口),或者临时关闭防火墙进行排查