2台机子都安装
# KDC hosts (both nodes): client libraries, the krb5kdc/kadmind daemons and the admin tools.
yum -y install krb5-libs krb5-server krb5-workstation
配置/var/kerberos/krb5kdc/kdc.conf
创建/data/emr/krb5文件夹
# /var/kerberos/krb5kdc/kdc.conf — read by krb5kdc and kadmind on the KDC hosts.
[logging]
# The /data/emr/krb5 directory must exist before the services start; the daemons do not create it.
default = FILE:/data/emr/krb5/krb5libs.log
kdc = FILE:/data/emr/krb5/krb5kdc.log
admin_server = FILE:/data/emr/krb5/kadmin.log
[kdcdefaults]
# The KDC listens on port 88 over both UDP and TCP.
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
# NOTE(review): this realm name (BINGSHENG.TC) matches the kdb5_util create -r command,
# but the krb5.conf [realms]/[domain_realm] entries and kadm5.acl use BING.TC. Every file
# must name the same realm or the KDC, kadmind and the clients will not agree on principal names.
BINGSHENG.TC = {
# Left unset, so the MIT default master key type applies (aes256-cts in current releases).
#master_key_type = aes256-cts
# Maximum ticket lifetime and maximum renewable lifetime issued for this realm.
max_life = 12h 0m 0s
max_renewable_life = 7d 0h 0m 0s
# kadmind permissions file; the realm suffix used in it must match this realm.
acl_file = /var/kerberos/krb5kdc/kadm5.acl
# Passwords found in this dictionary are rejected by kadmin; only effective if the file exists.
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
# Every new principal gets a long-term key for EACH enctype listed here, so the weakest
# entry defines the attack surface. The single-DES entries (des-hmac-sha1, des-cbc-md5,
# des-cbc-crc) require allow_weak_crypto = true and were removed from MIT krb5 1.18+;
# arcfour-hmac (rc4) is deprecated. Unless a legacy client still needs them, trim this to
# the aes256-cts/aes128-cts entries (and camellia if required). Note that krb5.conf below
# currently pins clients to rc4-hmac, so both files must change together.
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
修改vim /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
# Same log files as kdc.conf; the directory must exist on every host that uses this file.
default = FILE:/data/emr/krb5/krb5libs.log
kdc = FILE:/data/emr/krb5/krb5kdc.log
admin_server = FILE:/data/emr/krb5/kadmin.log
[libdefaults]
# Realm is taken from [domain_realm]/default_realm, not from DNS TXT records.
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
# Every TGT is issued forwardable, so any service that receives a forwarded TGT can act as
# the user; disable here and enable per client/service if that is not intended.
forwardable = true
# Do not canonicalize service hostnames through reverse DNS (avoids PTR-record spoofing).
rdns = false
# NOTE(review): pinning all three lists to rc4-hmac forces a deprecated cipher (arcfour-hmac,
# MD4-based) for the user's reply key and every session key, even though kdc.conf supports
# AES. Unless a legacy service needs RC4, remove these three lines (the library then
# negotiates the strongest common enctype) or list aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96.
# If arcfour-hmac is dropped from supported_enctypes in kdc.conf, these lines must go too.
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
# NOTE(review): default_realm is BINGSHENG.TC (matching kdb5_util create -r), but [realms]
# below only defines BING.TC, so a plain kinit has no KDC address for its realm and falls
# back to DNS SRV lookup (dns_lookup_kdc defaults to true). Make the realm names agree.
default_realm = BINGSHENG.TC
# pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
# default_realm = EXAMPLE.COM
# default_ccache_name = KEYRING:persistent:%{uid}
[realms]
BING.TC = {
# Two KDCs (node 15 and node 6); clients try them in the listed order.
kdc = 172.24.46.15:88
admin_server = 172.24.46.15
kdc = 172.24.46.6:88
# NOTE(review): node 6's database is replaced every 5 minutes by the cron kdb5_util load,
# so principals or password changes made through kadmin on this host are silently lost.
# List only the primary (172.24.46.15) as admin_server.
admin_server = 172.24.46.6
}
[domain_realm]
# Hostnames under bing.tc map to realm BING.TC (must match the realm defined above).
.bing.tc = BING.TC
bing.tc = BING.TC
配置kadm5.acl
[root@172 ~]# cat /var/kerberos/krb5kdc/kadm5.acl
# /var/kerberos/krb5kdc/kadm5.acl — kadmind permissions (path set by acl_file in kdc.conf).
# Any principal with the "admin" instance in this realm gets all kadmin privileges (*).
# NOTE(review): the realm here is BING.TC, but the database is created with -r BINGSHENG.TC;
# the suffix must match the realm kadmind serves or no one can administer it.
*/admin@BING.TC *
# NOTE(review): K/M is the realm master-key principal and never authenticates to kadmin,
# and the leading * only widens the pattern; this entry looks like a leftover rather than
# an intended grant — confirm and drop it if unneeded.
*K/M@BING.TC *
初始化下数据库
# Create the realm database. -s also writes a stash file (.k5.<REALM> in the KDC directory)
# holding the master key so krb5kdc/kadmind can start unattended. The master password
# entered at the prompt protects every key in the database; it does not belong in these notes.
kdb5_util create -r BINGSHENG.TC -s
密码123@2020
添加key
/cfs/为挂载目录
备份15的数据
# Full database dump of the primary (node 15) onto the shared /cfs mount. The dump holds
# every principal's long-term keys (encrypted under the master key), so the file and
# directory permissions on the shared mount gate access to the whole realm.
/usr/sbin/kdb5_util dump /cfs/keytab/backup.dump
在6上load
# Replace the replica's (node 6) database with the dump; without -update this is a full
# replacement. The replica needs the same master key (stash) as the primary, otherwise the
# loaded records cannot be decrypted — confirm the stash was copied or created identically.
/usr/sbin/kdb5_util load /cfs/keytab/backup.dump
验证:
kadmin.local:list_principals
添加同步任务
# Edit the current user's (root) crontab; the entries below go in here.
crontab -e
15主节点
# Primary (node 15): dump every 5 minutes. kprop/kpropd is the MIT-supported way to
# replicate a KDC; this file-based scheme has no ordering with the replica's load job,
# which may read a partially written dump — confirm this is acceptable.
*/5 * * * * /usr/sbin/kdb5_util dump /cfs/keytab/backup.dump
6备节点
# Replica (node 6): reload every 5 minutes — any change made via kadmin on this node is
# discarded on the next run. It fires at the same minute as the primary's dump with no
# coordination; stagger it or verify the dump completed before loading.
*/5 * * * * /usr/sbin/kdb5_util load /cfs/keytab/backup.dump
默认没有启动服务
# The services are installed stopped; check their state, then start the KDC and kadmind.
/bin/systemctl status krb5kdc.service
/bin/systemctl status kadmin.service
/bin/systemctl start krb5kdc.service
/bin/systemctl start kadmin.service
客户端安装
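# Client nodes: libraries and user tools only (no krb5-server). The package name is
# krb5-libs, matching the KDC install line above; "krb5-lib" was a typo.
yum install -y krb5-libs krb5-workstation
# Ship the KDC's krb5.conf to a client host; repeat for every client node.
scp /etc/krb5.conf root@172.24.215.7:/etc/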
/etc/krb5.conf
分发到所有客户端节点
验证
# Show the current credential cache, then obtain a TGT for principal "a" from its keytab
# (non-interactive; the keytab holds a long-term key and should be readable only by its owner).
klist
kinit -kt a.keytab a
启动报错
# Enable both services at boot (the systemd equivalent of the chkconfig lines further down).
systemctl enable kadmin.service
systemctl enable krb5kdc.service
# Destroys the existing realm database (all principals and keys). The .k5.<REALM> stash
# file is not matched by this glob and stays in place. Only for a fresh setup.
rm -f /var/kerberos/krb5kdc/principal*
重新初始化数据库
# Re-create the database after the files above were removed (same command as the initial
# setup; -s rewrites the master-key stash, prompting for the master password).
kdb5_util create -r BINGSHENG.TC -s
密码
如果启动一直报错，肯定是这 2 个文件配置有误，请严格检查两个文件中的域名（realm）是否一致
/var/kerberos/krb5kdc/kdc.conf
/etc/krb5.conf
然后执行,就好了
# Re-check and start both services after correcting kdc.conf and krb5.conf.
/bin/systemctl status krb5kdc.service
/bin/systemctl status kadmin.service
/bin/systemctl start krb5kdc.service
/bin/systemctl start kadmin.service
添加开机启动报错
# Legacy SysV commands; on a systemd host chkconfig forwards to systemctl enable, which is
# what the error's hint says to run directly (see the two lines below).
chkconfig krb5kdc on
chkconfig kadmin on
根据提示先执行以下命令:
# Native systemd way to start both services at boot.
systemctl enable kadmin.service
systemctl enable krb5kdc.service