本篇文檔銜接上一篇 Kerberos 的安裝配置;詳見:https://blog.51cto.com/784687488/2332072
# 以下配置是 Kerberos 默認配置,也可以不配。如果需要改變 Kerberos 默認的配置文件路徑則必須配置
# Persist the default Kerberos client/KDC config paths for every login shell.
printf '%s\n' \
  'export KRB5_CONFIG=/etc/krb5.conf' \
  'export KRB5_KDC_PROFILE=/var/kerberos/krb5kdc/kdc.conf' >>/etc/profile
[root@agent02 ~]$ yum install krb5-server krb5-libs krb5-workstation -y
# 原配置如下:
[libdefaults]
renew_lifetime = 7d
forwardable = true
default_realm = TEST.COM
ticket_lifetime = 24h
DNS_lookup_realm = false
dns_lookup_kdc = false
default_ccache_name = /tmp/krb5cc_%{uid}
#default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
#default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
[logging]
default = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
kdc = FILE:/var/log/krb5kdc.log
[realms]
TEST.COM = {
admin_server = agent01.ambari.com
kdc = agent01.ambari.com
}
# 修改后的配置如下:
[libdefaults]
renew_lifetime = 7d
forwardable = true
default_realm = TEST.COM
ticket_lifetime = 24h
dns_lookup_realm = false
dns_lookup_kdc = false
default_ccache_name = /tmp/krb5cc_%{uid}
#default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
#default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
[logging]
default = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
kdc = FILE:/var/log/krb5kdc.log
[realms]
TEST.COM = {
admin_server = agent01.ambari.com
kdc = agent01.ambari.com
kdc = agent02.ambari.com # 此處為新添加配置項
}
[root@agent01 ~]$ kadmin.local
kadmin.local: addprinc -randkey host/agent01.ambari.com
WARNING: no policy specified for host/agent01.ambari.com@TEST.COM; defaulting to no policy
Principal "host/agent01.ambari.com@TEST.COM" created.
kadmin.local: addprinc -randkey host/agent02.ambari.com
WARNING: no policy specified for host/agent02.ambari.com@TEST.COM; defaulting to no policy
Principal "host/agent02.ambari.com@TEST.COM" created.
kadmin.local: quit
[root@agent01 ~]$ kadmin.local -q "ktadd host/agent01.ambari.com@TEST.COM"
Authenticating as principal root/admin@TEST.COM with password.
Entry for principal host/agent01.ambari.com@TEST.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/agent01.ambari.com@TEST.COM with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/agent01.ambari.com@TEST.COM with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/agent01.ambari.com@TEST.COM with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/agent01.ambari.com@TEST.COM with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/agent01.ambari.com@TEST.COM with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/agent01.ambari.com@TEST.COM with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/agent01.ambari.com@TEST.COM with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.
[root@agent01 ~]$ kadmin.local -q "ktadd -k /etc/agent02.keytab host/agent02.ambari.com@TEST.COM"
Authenticating as principal root/admin@TEST.COM with password.
Entry for principal host/agent02.ambari.com@TEST.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/agent02.keytab.
Entry for principal host/agent02.ambari.com@TEST.COM with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/agent02.keytab.
Entry for principal host/agent02.ambari.com@TEST.COM with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/agent02.keytab.
Entry for principal host/agent02.ambari.com@TEST.COM with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/agent02.keytab.
Entry for principal host/agent02.ambari.com@TEST.COM with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/agent02.keytab.
Entry for principal host/agent02.ambari.com@TEST.COM with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/agent02.keytab.
Entry for principal host/agent02.ambari.com@TEST.COM with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/agent02.keytab.
Entry for principal host/agent02.ambari.com@TEST.COM with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/agent02.keytab.
[root@agent01 ~]$ scp /etc/agent02.keytab agent02.ambari.com:/etc/krb5.keytab
[root@agent01 ~]$ scp /etc/krb5.conf agent02.ambari.com:/etc/
[root@agent01 ~]$ scp /var/kerberos/krb5kdc/kdc.conf /var/kerberos/krb5kdc/kadm5.acl /var/kerberos/krb5kdc/.k5.TEST.COM agent02.ambari.com:/var/kerberos/krb5kdc/
[root@agent02 ~]$ kdb5_util create -r TEST.COM -s
[root@agent02 ~]$ kadmin.local
kadmin.local: addprinc -randkey host/agent02.ambari.com@TEST.COM
WARNING: no policy specified for host/agent02.ambari.com@TEST.COM; defaulting to no policy
Principal "host/agent02.ambari.com@TEST.COM" created.
kadmin.local: addprinc -randkey host/agent01.ambari.com@TEST.COM
WARNING: no policy specified for host/agent01.ambari.com@TEST.COM; defaulting to no policy
Principal "host/agent01.ambari.com@TEST.COM" created.
kadmin.local: quit
[root@agent02 ~]$ cat >>/var/kerberos/krb5kdc/kpropd.acl<<EOF
> host/agent01.ambari.com@TEST.COM
> host/agent02.ambari.com@TEST.COM
> EOF
[root@agent02 ~]$ scp /var/kerberos/krb5kdc/kpropd.acl agent01.ambari.com:/var/kerberos/krb5kdc/
[root@agent02 ~]$ cat >>/etc/inetd.conf<<EOF
krb5_prop stream tcp nowait root /usr/sbin/kpropd kpropd
EOF
[root@agent02 ~]$ echo "krb5_prop 754/tcp # Kerberos slave propagation" >>/etc/services
[root@agent02 ~]$ systemctl start kprop.service
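# The directory will hold full KDC database dumps (every principal's keys):
# create it root-only from the start; -p makes the command safe to re-run.
[root@agent01 ~]$ for n in 21 22; do ssh "10.0.2.$n" 'mkdir -p -m 0700 /var/kerberos/data_trans'; done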
[root@agent01 ~]$ kdb5_util dump /var/kerberos/data_trans/slave_datatrans
[root@agent01 ~]$ kprop -f /var/kerberos/data_trans/slave_datatrans agent02.ambari.com
Database propagation to agent02.ambari.com: SUCCEEDED
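[root@agent01 ~]$ cat >/var/kerberos/data_trans/data_transfor.sh<<'EOF'
#!/bin/bash
# Dump the master KDC database and propagate it to each slave KDC with kprop.
# Scheduled from root's crontab on the master (agent01) only.
# NOTE: the here-doc delimiter is quoted ('EOF') so that $(date ...) and the
# ${...} references below are written into this file literally and expanded
# at every run; with an unquoted EOF they are expanded once, at write time,
# leaving a fixed timestamp and empty paths baked into the script.
set -eu

# A dump contains every principal's keys: make it readable by root only.
umask 077

datadir=/var/kerberos/data_trans
logfile=${datadir}/data_transfor.log
# Slave KDCs that receive the dump, whitespace separated. Each must be listed
# under [realms] in krb5.conf and hold a host principal in the slave's kpropd.acl
# (agent02.ambari.com in this setup).
kdclist="agent02.ambari.com"

datetime=$(date +%Y%m%d%H%M%S)
bakfile=${datadir}/slave_datatrans.${datetime}

kdb5_util dump "${bakfile}"
# ${kdclist} is left unquoted on purpose: it is split on whitespace into hosts.
for kdc in ${kdclist}; do
  printf '%s %s\n' "${datetime}" "${kdc}" >>"${logfile}"
  # Capture stderr too, otherwise a failed propagation leaves no trace in the log.
  kprop -f "${bakfile}" "${kdc}" >>"${logfile}" 2>&1
done

# One dump is produced per run; remove those older than a week so that key
# material does not accumulate on disk. Restricted to this directory and prefix.
find "${datadir}" -maxdepth 1 -name 'slave_datatrans.*' -mtime +7 -delete
exit 0
EOF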
[root@agent01 ~]$ scp /var/kerberos/data_trans/data_transfor.sh agent02.ambari.com:/var/kerberos/data_trans/
# M(master,主 KDC)端操作
[root@agent01 ~]$ echo "0 * * * * /bin/sh /var/kerberos/data_trans/data_transfor.sh" >>/var/spool/cron/root
# S(slave,從 KDC)端操作
[root@agent02 ~]$ echo "#0 * * * * /bin/sh /var/kerberos/data_trans/data_transfor.sh" >>/var/spool/cron/root
[root@agent02 ~]$ systemctl start krb5kdc.service
當前名稱:Kerberos主從配置