kerberos主从同步

最新推荐文章于 2022-11-25 15:16:02 发布
最新推荐文章于 2022-11-25 15:16:02 发布
阅读量1.3k 收藏 4
点赞数 2
分类专栏: kerberos
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/woloqun/article/details/89096661
版权
hostip
kdcmaster172.16.242.108
kdcslave172.16.16.82

在kdcmaster上快速安装kerberos,可参考https://blog.csdn.net/woloqun/article/details/76560173

yum -y install krb5-libs krb5-devel krb5-server krb5-workstation

修改配置文件如下
cat /etc/krb5.conf

# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
 default_realm = HAOHAOZHU.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 HAOHAOZHU.COM = {
  kdc = kdcmaster
  admin_server = kdcmaster
 }

[domain_realm]
 .haohaozhu.com = HAOHAOZHU.COM
 haohaozhu.com = HAOHAOZHU.COM

vi /var/kerberos/krb5kdc/kdc.conf

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 HAOHAOZHU.COM = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }

初始化数据库

[root@kdcmaster ~]# kdb5_util create -s -r HAOHAOZHU.COM
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'HAOHAOZHU.COM',
master key name 'K/M@HAOHAOZHU.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

添加管理员账号

[root@kdcmaster ~]# kadmin.local -q "addprinc admin/admin"
Authenticating as principal root/admin@HAOHAOZHU.COM with password.
WARNING: no policy specified for admin/admin@HAOHAOZHU.COM; defaulting to no policy
Enter password for principal "admin/admin@HAOHAOZHU.COM":
Re-enter password for principal "admin/admin@HAOHAOZHU.COM":
Principal "admin/admin@HAOHAOZHU.COM" created.

修改kadm5.acl

vi /var/kerberos/krb5kdc/kadm5.acl
*/admin@HAOHAOZHU.COM   *

在kdcmaster上启动kdc和kadmin

[root@kdcmaster ~]# service krb5kdc start
Redirecting to /bin/systemctl start krb5kdc.service
[root@kdcmaster ~]# service kadmin start
Redirecting to /bin/systemctl start kadmin.service

kdcslave上安装kerberos

yum -y install krb5-libs krb5-devel krb5-server krb5-workstation

在kdcmaster上添加host key

[root@kdcmaster ~]# kadmin
Authenticating as principal admin/admin@HAOHAOZHU.COM with password.
Password for admin/admin@HAOHAOZHU.COM:
kadmin:  addprinc -randkey host/kdcmaster
WARNING: no policy specified for host/kdcmaster@HAOHAOZHU.COM; defaulting to no policy
Principal "host/kdcmaster@HAOHAOZHU.COM" created.
kadmin:  addprinc -randkey host/kdcslave
WARNING: no policy specified for host/kdcslave@HAOHAOZHU.COM; defaulting to no policy
Principal "host/kdcslave@HAOHAOZHU.COM" created.

生成host keytab

kadmin:  ktadd host/kdcmaster
Entry for principal host/kdcmaster with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kdcmaster with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kdcmaster with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kdcmaster with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kdcmaster with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kdcmaster with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.
kadmin:  ktadd -k /tmp/kerberos-1.keytab host/kdcslave
Entry for principal host/kdcslave with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/tmp/kerberos-1.keytab.
Entry for principal host/kdcslave with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/tmp/kerberos-1.keytab.
Entry for principal host/kdcslave with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/tmp/kerberos-1.keytab.
Entry for principal host/kdcslave with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/tmp/kerberos-1.keytab.
Entry for principal host/kdcslave with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/tmp/kerberos-1.keytab.
Entry for principal host/kdcslave with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/tmp/kerberos-1.keytab.

将/tmp/kerberos-1.keytab复制到kdcslave的/etc目录下,并命名为krb5.keytab

[root@kdcmaster ~]# scp /tmp/kerberos-1.keytab root@kdcslave:/etc/krb5.keytab
The authenticity of host 'kdcslave (172.16.16.82)' can't be established.
ECDSA key fingerprint is SHA256:mXyA1uwn8huNuzL3LPZMl1YU0lpoqKP093F88zWRONI.
ECDSA key fingerprint is MD5:f5:01:60:29:98:bb:b7:18:1b:a1:f2:4b:b5:20:37:4e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'kdcslave,172.16.16.82' (ECDSA) to the list of known hosts.
root@kdcslave's password:
kerberos-1.keytab

修改kmaster上的/etc/krb5.conf,添加kdc条目

 HAOHAOZHU.COM = {
  kdc = kdcmaster
  kdc = kdcslave
  admin_server = kdcmaster
 }

将kdcmaster的如下文件复制到kdcslave对应目录下

scp /etc/krb5.conf root@kdcslave:/etc/
scp /var/kerberos/krb5kdc/kdc.conf root@kdcslave:/var/kerberos/krb5kdc/
scp /var/kerberos/krb5kdc/kadm5.acl root@kdcslave:/var/kerberos/krb5kdc/
scp /var/kerberos/krb5kdc/.k5.HAOHAOZHU.COM root@kdcslave:/var/kerberos/krb5kdc/

在所有节点上创建
vi /var/kerberos/krb5kdc/kpropd.acl

host/kdcmaster@HAOHAOZHU.COM
host/kdcslave@HAOHAOZHU.COM

在kdcslave上启动kpropd

[root@kdcslave ~]# kpropd -dS
ready
waiting for a kprop connection

在kdcmaster上导出数据库,并同步到kdcslave

[root@kdcmaster ~]# kdb5_util dump /var/kerberos/krb5kdc/slave_datatrans
[root@kdcmaster ~]# kprop -f /var/kerberos/krb5kdc/slave_datatrans kdcslave
Database propagation to kdcslave: SUCCEEDED

kdcslave 上日志

[root@kdcslave ~]# kpropd -dS
ready
waiting for a kprop connection
Connection from kdcmaster
krb5_recvauth(4, kprop5_01, host/kdcslave@HAOHAOZHU.COM, ...)
authenticated client: host/kdcmaster@HAOHAOZHU.COM (etype == Triple DES cbc mode with HMAC/sha1)
Full propagation transfer started.
Full propagation transfer finished.
calling kdb5_util to load database
Load PID is 3565
Database load process for full propagation completed.
waiting for a kprop connection

此时启动kdcslave节点上的kdc,看看数据是否同步过来了

[root@kdcslave krb5kdc]# kadmin.local
Authenticating as principal root/admin@HAOHAOZHU.COM with password.
kadmin.local:  list_principals
K/M@HAOHAOZHU.COM
admin/admin@HAOHAOZHU.COM
host/kdcmaster@HAOHAOZHU.COM
host/kdcslave@HAOHAOZHU.COM
kadmin/admin@HAOHAOZHU.COM
kadmin/changepw@HAOHAOZHU.COM
kadmin/kdcmaster.lan@HAOHAOZHU.COM
kiprop/kdcmaster.lan@HAOHAOZHU.COM
krbtgt/HAOHAOZHU.COM@HAOHAOZHU.COM

可以看见数据已经同步了,现在要做就是写个脚本定时同步数据库

vi /root/sync_db.sh

#!/bin/sh

kdclist="kdcslave"
echo `date`"start to sync!"
sudo kdb5_util dump /var/kerberos/krb5kdc/slave_datatrans
for kdc in $kdclist;
do
    sudo kprop -f /var/kerberos/krb5kdc/slave_datatrans $kdc
done
echo `date`"end to sync!"

添加执行权限

chmod +x sync_db.sh

添加定时任务
crontab -e

*/1 * * * * /root/sync_db.sh >> /root/sync.log

测试,在kdcmaster添加用户usertest1

[root@kdcmaster ~]# kadmin.local
Authenticating as principal admin/admin@HAOHAOZHU.COM with password.
kadmin.local:  add
addpol         add_policy     addprinc       add_principal
kadmin.local:  addprinc usertest1
WARNING: no policy specified for usertest1@HAOHAOZHU.COM; defaulting to no policy
Enter password for principal "usertest1@HAOHAOZHU.COM":
Re-enter password for principal "usertest1@HAOHAOZHU.COM":
Principal "usertest1@HAOHAOZHU.COM" created.

在kdcslave上查看,是否同步

[root@kdcslave krb5kdc]# kadmin.local
Authenticating as principal root/admin@HAOHAOZHU.COM with password.
kadmin.local:  list_principals
K/M@HAOHAOZHU.COM
admin/admin@HAOHAOZHU.COM
host/kdcmaster@HAOHAOZHU.COM
host/kdcslave@HAOHAOZHU.COM
kadmin/admin@HAOHAOZHU.COM
kadmin/changepw@HAOHAOZHU.COM
kadmin/kdcmaster.lan@HAOHAOZHU.COM
kiprop/kdcmaster.lan@HAOHAOZHU.COM
krbtgt/HAOHAOZHU.COM@HAOHAOZHU.COM
usertest1@HAOHAOZHU.COM

数据同步已经完成

参考

woloqun
关注
  • 2
    点赞
  • 4
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
Kerberos 主从安装
qq_33023859的博客
08-04 756
主机列表 主机名称 IP 硬件配置 pass-eda-hdp-001 10.218.12.14 80 Core、256 G pass-eda-hdp-003 10.218.12.18 80 Core、256 G 软件清单 软件名称 版本号 备注 krb5-server 1.15.1 krb5-workstation 1.15.1 主备之间同步数据文件用 主机规划 主机 角色 软件 10.218.12.14 主 ......
Kerberos主KDC数据库同步到从KDC报错:Key table entry not found while getting initial credentials
07-08 3500
***报错详情:*** Kerberos开启高可用模式,主KDC数据库同步到从KDC时执行命令: `kprop -f /var/kerberos/krb5kdc/slave_datatrans slavehost` 报错: ``` Error:kprop: Key table entry not found while getting initial credentials? ``` ***解决办法:*** 1.查看文件/etc/krb5.conf配置是否修改正确(如KDC服务器端口不为默认的88,则需要在
kerberos从节点同步数据异常--returned a bad exit status (1)
wflh323的专栏
03-12 437
去年kerberos主从服务,从节点一直导入数据失败,异常日志 /var/log/messages Jan1611:00:33cluster102kpropd[177612]:Connectionfrom namenodestandby.lakala.com Jan1611:00:33 clusterkpropd[177612]:/usr/sbin/kpropd:/u...
kerberos主备配置
weixin_41350766的博客
09-20 841
see Kerberos主从搭建 1.备用节点安装kerberos yum -y install krb5-server krb5-libs krb5-auth-dialog krb5-workstation 2.主节点配置 新增kdc vi /etc/krb5.conf [realms] POSINDA.COM = { kdc = master_hostname kdc = ...
kerberos 主从安装
jzy3711的博客
05-19 1217
文章目录主机列表软件清单主机规划安装部署服务安装修改配置创建数据库拷贝密钥文件创建同步账号拷贝文件keytab文件声明同步账户启动Kprop服务同步数据库添加自动同步任务启动从节点启动Kadmin服务测试添加测试账号停止主节点kdc服务登陆测试账号kadmin.local验证安装脚本 主机列表 主机名称 IP 硬件配置 pass-eda-hdp-001 10.218.12.14 80 Core、256 G pass-eda-hdp-003 10.218.12.18 80 Core、256
CDH集群与Kerberos集成手册
qq_45360515的博客
10-18 2201
kerberos是由MIT开发的提供网络认证服务的系统。它可用来为网络上的各种server提供认证服务,使得口令不再是以明文方式在网络上传输,并且联接之间通讯是加密的。它和PKI认证的原理不一样,PKI使用公钥体制(不对称密码体制),kerberos基于私钥体制(对称密码体制)。Kerberos称为可信的第三方验证协议,意味着它运行在独立于任何客户机或服务器的服务器之上。此名称来自看守地狱入口的三头犬。
Kerberos主从配置.doc
10-03
本文将详细介绍如何在CentOS 6.7/RedHat 6.7环境下进行Kerberos主从同步配置。 **1. Kerberos主从同步机制** 在Kerberos主从架构中,有一个主要的Key Distribution Center (KDC)服务器,即Master KDC,负责处理...
kerberos安装包
01-01
安装kerberos5时需要的rpm包,版本1.15.1-37.el7_6.x86_64。里面4个文件:krb5-libs-1.15.1-37.el7_6.x86_64.rpm;krb5-server-1.15.1-37.el7_6.x86_64.rpm;krb5-workstation-1.15.1-37.el7_6.x86_64.rpm;libkadm5...
kerberos+hadoop搭建
04-01
Kerberos+Hadoop 搭建 Kerberos 是一个身份验证协议,用于提供安全的身份验证和票据授予机制。Hadoop 是一个大数据处理框架,用于处理和存储大量数据。下面将详细介绍 Kerberos+Hadoop 搭建的过程。 环境准备 在...
Kerberos配置文件
最新发布
06-27
"Kerberos配置文件" Kerberos是一种计算机网络认证协议,用来在非安全网络中,对个人通信以安全的手段进行身份认证。这个协议由麻省理工学院开发的一套计算机软件,采用客户端/服务器结构,并且能够进行相互认证,...
kerberos环境搭建
06-27
Kerberos是一种网络认证协议,它为用户提供了一种安全的身份验证机制,特别是在分布式环境中。该协议基于密钥分发中心(KDC),确保了通信双方的身份,并提供了会话的加密,防止中间人攻击。现在,我们将详细探讨...
[Kerberos基础]-- kdc集群主从搭建(kerberos相关)
热门推荐
欢迎来到我的博客,一起探索代码里的世界!
03-02 1万+
主机规划 10.10.100.94   master 10.10.100.93   slave 10.10.100.92   client   (一)环境:  名称            版本         CentOS        CentOS release 6.7(Final)        Kerberos        krb5-server-1.10.3-57.e...
kerberos高可用---主从部署
CarbonDioxide12138的博客
03-18 3250
1.  选择slave的master(node2)和slave(node3)上添加对方为可信用户在已有kerbero环境中,再选择一台主机作为slave安装kerbero服务端yum -y install krb5-server krb5-libs krb5-auth-dialog 2.  在kerberosMaster kadmin: addprinc -randkey host/node2 ...
Kerberos安装及使用2(Kerberos服务器KDC安装及配置)
u011250186的博客
11-25 3658
Kerberos安装及使用2(Kerberos服务器KDC安装及配置)
centos kerberos 主从同步搭建
qq_31024251的博客
09-16 331
一、 主机规划 主机ip 服务部署 192.168.88.130 kdcmaster 192.168.88.131 kdcslave 二、安装过程 192.168.88.130 操作如下 2.1 192.168.88.130 安装 # yum -y install krb5-libs krb5-devel krb5-server krb5-workstation 1 2.2 192.168.88.130 修改配置文件如下 cat /etc/krb5.conf #Con
kerberos搭建完整实操主备已测试
记录工作所遇问题及个人概念理解
10-11 458
2台机子都安装 yum -y install krb5-libs krb5-server krb5-workstation 配置/var/kerberos/krb5kdc/kdc.conf 创建/data/emr/krb5文件夹 [logging] default = FILE:/data/emr/krb5/krb5libs.log kdc = FILE:/data/emr/krb5/krb5kdc.log admin_server = FILE:/data/emr/krb5/kad
centos7.5 kerberos 主从配置
weixin_30795127的博客
08-20 269
主机规划: 192.168.2.132 master192.168.2.131 slave 环境: 名称 版本 CentOS CentOS release 7.5 下载jce_policy-8.zip cp jce_policy-8.zip /usr/java/jdk1.8.0_152/jre/lib/securityunzi...
Kerberos 主从配置
weixin_34088583的博客
12-27 311
前言 本篇文档衔接上一篇 Kerberos 的安装配置;详见:https://blog.51cto.com/784687488/2332072 配置指定Kerberos配置文件的系统环境变量 # 以下配置是 Kerberos 默认配置,也可以不配。如果需要改变 Kerberos 默认的配置文件路径则必须配置 echo "export KRB5_CONFIG=/etc/krb5.conf" >...
kerberos安装及高可用配置
qq_32012809的博客
01-18 7520
一. 1. Redhat7.4 2. CDH5.15 3. 采用root用户进行操作 4. 192.168.8.181 master1.com 192.168.8.182 master2.com 192.168.8.183 slave183.com 5. 二. 1.在181 182服务器上安装KDC服务 yum -y install krb5-server krb5-libs krb5-auth-...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值