一、主节点 kerberos部署
1、安装
yum -y install krb5-server krb5-libs krb5-workstation krb5-devel
下列出现的 ABC.COM 都可以根据实际需要修改;
2、配置
配置krb5.conf :
default_realm 需要修改
# Configuration snippets may be placed in this directory as well
#includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = ABC.COM
dns_lookup_kdc = false
dns_lookup_realm = false
ticket_lifetime = 86400
renew_lifetime = 604800
forwardable = true
default_tgs_enctypes = aes256-cts
default_tkt_enctypes = aes256-cts
permitted_enctypes = aes256-cts
udp_preference_limit = 1
kdc_timeout = 3000
[realms]
ABC.COM = {
kdc = 192.168.107.10
admin_server = 192.168.107.10
}
[domain_realm]
配置/var/kerberos/krb5kdc/kdc.conf :
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
ABC.COM = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
配置/var/kerberos/krb5kdc/kadm5.acl:
*/[email protected] *
3、初始化数据库
#要输入密码,需要记下来,命令: kdb5_util create -s -r ABC.COM
4、启动
[root@hadoop-107-10 ~]# systemctl start kadmin [root@hadoop-107-10 ~]# systemctl start krb5kdc [root@hadoop-107-10 ~]# systemctl enable kadmin [root@hadoop-107-10 ~]# systemctl enable krb5kdc
5、创建账号测试
#这里创建一个管理员,密码需要记下来 [root@hadoop-107-10 ~]# kadmin.local #登录进去 Authenticating as principal root/[email protected] with password.
kadmin.local: addprinc admin/admin
kerberos的主从部署,需要主节点和从节点之间来回操作多个步骤;
二、从节点 kerberos部署
1、安装
yum -y install krb5-server krb5-libs krb5-workstation krb5-devel
安装完,先不用配置;
三、主节点操作
1、拷贝数据文件到从节点
主节点操作:
cd /var/kerberos/krb5kdc/ scp .k5.ABC.COM kdc.conf kadm5.acl node2:/var/kerberos/krb5kdc/
2、生成主、从节点的host凭证,
主节点操作:
#这里的node1 node2视为主、从节点的主机名 kadmin.local -q "addprinc -randkey host/node1" kadmin.local -q "addprinc -randkey host/node2" kadmin.local -q "ktadd host/node1" kadmin.local -q "ktadd host/node2"
3、主节点cp keytab文件到从节点
主节点操作:
scp /etc/krb5.keytab node2:/etc/
四、从节点操作
1、配置/var/kerberos/krb5kdc/kpropd.acl
注意 主节点上不能有该文件,否则kadmin服务无法启动,会报错;
cd /var/kerberos/krb5kdc vi kpropd.acl #内容如下两行 host/[email protected] host/[email protected]
2、从节点启动kpropd服务
systemctl enable kprop systemctl start kprop
五、主节点操作
1、同步数据到从节点上
#以下两条命令,都是在主节点操作 #在主节点dump数据文件 kdb5_util dump /var/kerberos/krb5kdc/slave_datatrans #同步数据库文件到node2(node2这里视为从节点主机名) kprop -f /var/kerberos/krb5kdc/slave_datatrans node2
如果同步没问题,会显示:SUCCEEDED
六、从节点操作
1、启动,其实主要是krb5kdc服务需要起来
systemctl start krb5kdc systemctl start kadmin systemctl enable krb5kdc systemctl enable kadmin
2、验证
可以用之前主节点上的账号,在从节点上登录测试,看是否有问题,并登录进kerberos,看之前的账号是否都存在;
listprincs
如果没问题,至此kerberos主从完成;
但是可见kerberos的主从是不会自动同步的,还需要设置定时任务,定时同步;
七、kerberos主从定时同步
1、主节点定时同步,一个简单的脚本
#!/bin/sh
#
kdclist="kdcslave"
echo `date`"start to sync!"
sudo kdb5_util dump /var/kerberos/krb5kdc/slave_datatrans
for kdc in $kdclist
do
sudo kprop -f /var/kerberos/krb5kdc/slave_datatrans $kdc
done
echo `date`"end to sync!"
添加执行权限:
chmod +x sync_db.sh
crontab:
30 23 * * * sh /root/sync_db.sh >> /root/sync.log
标签:krb5,部署,kerberos,节点,kadmin,krb5kdc,var,主从 From: https://www.cnblogs.com/weiyiming007/p/17393451.html