基於keepalived的kerberos高可用部署

1.環境準備

system-OS:centos73
CDH version:5.11
cat /etc/hosts
192.168.11.181 deploy-1
192.168.11.182 deploy-2
192.168.11.183 deploy-3
主備節點使用keepalived虛IP漂移
vip:192.168.17.180(注意:三個節點位於 192.168.11.0/24,此 VIP 卻在 192.168.17.0/24;VRRP 的 VIP 必須與節點同一二層網段才能漂移,疑為 192.168.11.180 之誤,部署前請核對)
主節點:deploy-2
備節點:deploy-3
(本文並未給出 keepalived 的配置;且下文 krb5.conf 的 kdc 直接列出 deploy-2 / deploy-3 兩個主機名而非 VIP,客戶端是自行在兩個 KDC 之間切換的,kadmind 仍只在主節點運行。)

2.krb安裝

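# Primary KDC
yum install -y krb5-server krb5-libs
# Secondary KDC
yum install -y krb5-server krb5-libs openldap-clients
# All nodes (clients). The original listing had the typo "krb5-deve";
# the package is krb5-devel.
yum install -y krb5-workstation krb5-devel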

3.修改配置文件

3.1 /etc/krb5.conf,同步到所有節點

cat /etc/krb5.conf 

# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
 default_realm = BDE.COM
 # NOTE(review): Java/Hadoop clients cannot read a kernel-keyring credential
 # cache; Cloudera's CDH guidance is to remove this line on CDH hosts -- confirm
 # before syncing this file to the cluster.
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]

 BDE.COM = {
  # Both KDCs are listed so clients fail over between them on their own.
  # The keepalived VIP from the environment section is not referenced here.
  kdc = deploy-2
  kdc = deploy-3
  # kadmind is only started on the primary (deploy-2); the secondary
  # runs kpropd + krb5kdc only.
  admin_server = deploy-2
  default_domain = BDE.COM
 }

[domain_realm]
 .bde.com = BDE.COM
 bde.com = BDE.COM

3.2 主節點 /var/kerberos/krb5kdc/kdc.conf 和 /var/kerberos/krb5kdc/kadm5.acl 

cat /var/kerberos/krb5kdc/kdc.conf

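[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 BDE.COM = {
  master_key_type = aes256-cts
  max_renewable_life = 365d 0h 0m 0s
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  # Single-DES entries (des-hmac-sha1, des-cbc-md5, des-cbc-crc) removed:
  # 56-bit DES is broken and this krb5 release refuses it unless
  # allow_weak_crypto = true, so listing it only invites someone to flip that
  # switch. des3/arcfour stay for legacy clients only -- drop them once every
  # client negotiates AES. This file is copied to the secondary as well.
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal
 }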

cat /var/kerberos/krb5kdc/kadm5.acl 

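# Any principal with the "admin" instance gets every kadmin privilege (*).
# A bare "admin@BDE.COM" (no instance) does NOT match this pattern.
*/admin@BDE.COM	*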

3.3 備節點 /var/kerberos/krb5kdc/kpropd.acl

cat /var/kerberos/krb5kdc/kpropd.acl

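# Principals allowed to push a database dump to kpropd on the secondary.
# kprop from the primary authenticates as host/deploy-2@BDE.COM; only the
# primary propagates on this page.
host/deploy-2@BDE.COM
host/deploy-3@BDE.COM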

4.初始化主節點KDC數據庫並生成(principal)憑證krb5.keytab,拷貝到備節點KDC上

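# Create the realm database; -s writes the master-key stash file
# /var/kerberos/krb5kdc/.k5.BDE.COM, which is copied to the secondary below.
kdb5_util create -r BDE.COM -s

# Host principals used by kprop/kpropd to authenticate propagation.
kadmin.local -q "ank -randkey host/deploy-2@BDE.COM"
kadmin.local -q "ank -randkey host/deploy-3@BDE.COM"

# Export both keys into the keytab; -k makes the default target explicit.
kadmin.local -q "xst -k /etc/krb5.keytab host/deploy-2@BDE.COM"
kadmin.local -q "xst -k /etc/krb5.keytab host/deploy-3@BDE.COM"

# Verify both entries and their enctypes.
klist -ket /etc/krb5.keytab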

 

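# Push config, master-key stash and keytab from the primary to the secondary.
# -p preserves the owner-only modes: the stash holds the master key and the
# keytab holds both host keys, so they must remain root-only (0600) on
# deploy-3 -- verify with ls -l after copying.
scp -p /var/kerberos/krb5kdc/kdc.conf deploy-3:/var/kerberos/krb5kdc/
scp -p /var/kerberos/krb5kdc/kadm5.acl deploy-3:/var/kerberos/krb5kdc/
scp -p /var/kerberos/krb5kdc/.k5.BDE.COM deploy-3:/var/kerberos/krb5kdc/
scp -p /etc/krb5.keytab deploy-3:/etc/krb5.keytab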

4.分別在主備KDC啓動服務

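# Primary KDC
systemctl start krb5kdc
systemctl enable krb5kdc
systemctl start kadmin
# The original repeated "start kadmin"; kadmind must also survive a reboot.
systemctl enable kadmin
# Secondary KDC: kpropd must be listening before the first kprop below.
systemctl start kprop
systemctl enable kprop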

5.將主KDC數據庫同步到備KDC數據庫中

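# Initial full sync of the primary KDC database to the secondary.
# Run on the primary node.
kdb5_util dump /var/kerberos/krb5kdc/slave_datatrans
kprop -f /var/kerberos/krb5kdc/slave_datatrans deploy-3
# -p so re-running this step does not fail on existing directories.
mkdir -p /var/kerberos/{shell,log}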

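# Write the propagation script (replaces the interactive "vi" step so the
# deployment can be scripted).
cat > /var/kerberos/shell/dump_principal.sh <<'EOF'
#!/bin/bash
# Dump the primary KDC database and push it to the secondary KDC (deploy-3).
# Abort on the first failure so a failed or partial dump is never propagated
# (the original script ran kprop even when kdb5_util dump failed).
set -euo pipefail
dump=/var/kerberos/krb5kdc/slave_datatrans
/usr/sbin/kdb5_util dump "$dump"
/usr/sbin/kprop -f "$dump" deploy-3
EOF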

chmod +x /var/kerberos/shell/dump_principal.sh
crontab -e

# Six entries offset by 10 s each give a ~10-second propagation cadence on the
# primary KDC (cron itself only fires once a minute). Every run appends to
# dump.log and nothing here rotates it, so add a logrotate rule or the log
# grows without bound.
* * * * *  /bin/date  >> /var/kerberos/log/dump.log 2>&1;/var/kerberos/shell/dump_principal.sh >> /var/kerberos/log/dump.log 2>&1
* * * * * sleep 10; /bin/date  >> /var/kerberos/log/dump.log 2>&1; /var/kerberos/shell/dump_principal.sh >> /var/kerberos/log/dump.log 2>&1
* * * * * sleep 20; /bin/date  >> /var/kerberos/log/dump.log 2>&1; /var/kerberos/shell/dump_principal.sh >> /var/kerberos/log/dump.log 2>&1
* * * * * sleep 30; /bin/date  >> /var/kerberos/log/dump.log 2>&1; /var/kerberos/shell/dump_principal.sh >> /var/kerberos/log/dump.log 2>&1
* * * * * sleep 40; /bin/date  >> /var/kerberos/log/dump.log 2>&1; /var/kerberos/shell/dump_principal.sh >> /var/kerberos/log/dump.log 2>&1
* * * * * sleep 50; /bin/date  >> /var/kerberos/log/dump.log 2>&1; /var/kerberos/shell/dump_principal.sh >> /var/kerberos/log/dump.log 2>&1

6.備節點啓動krb5kdc 

# Secondary KDC: enable at boot, then start and check, now that the database
# has been propagated from the primary.
systemctl enable krb5kdc
systemctl start krb5kdc
systemctl status krb5kdc

7.添加管理員用戶

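# Create administrative principals with kadmin.local on the primary.
# NOTE: kadm5.acl grants "*/admin@BDE.COM" all rights, so the bare "admin"
# principal can kinit but has no kadmin privileges; anything that must
# administer the realm needs a "<name>/admin" instance.
kadmin.local -q "addprinc admin"
# Fixed "kadmin.local q" (missing dash). The instance was mangled in the
# original listing; "hadoop1/admin" is what matches the kadm5.acl pattern -- confirm.
kadmin.local -q "addprinc hadoop1/admin@BDE.COM"

kadmin.local -q "listprincs"

klist
kinit admin

# -e prints the enctype of each ticket; expect AES, not DES/RC4.
klist -e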

 
