Kerberos High Availability Configuration
Kerberos installation (performed on the primary node)
Node information
data80
data81
data82
data83
- Notes
- Primary Kerberos node: data80
- Standby Kerberos node: data81
Install the KDC server
- On the KDC node (called name01 in the original text; data80 in this setup), install the krb5, krb5-server and krb5-client packages
yum install krb5-server krb5-libs krb5-auth-dialog krb5-workstation -y
- Install krb5-devel and krb5-workstation
yum install krb5-devel krb5-workstation -y
Edit krb5.conf
/etc/krb5.conf
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
default_realm = HADOOP.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
HADOOP.COM = {
kdc = data80
admin_server = data80
kdc = data81
admin_server = data81
}
Distribute the configuration file to the other nodes
sudo scp /etc/krb5.conf data81:/etc/
sudo scp /etc/krb5.conf data82:/etc/
sudo scp /etc/krb5.conf data83:/etc/
Create the database (on data80)
kdb5_util create -r HADOOP.COM -s
Start the services (on data80)
chkconfig --level 35 krb5kdc on
chkconfig --level 35 kadmin on
service krb5kdc start
service kadmin start
Create the principals used for primary/standby propagation and generate keytab files for them
sudo kadmin.local
kadmin.local: addprinc -randkey host/data80@HADOOP.COM
kadmin.local: addprinc -randkey host/data81@HADOOP.COM
kadmin.local: ktadd host/data80@HADOOP.COM
kadmin.local: ktadd host/data81@HADOOP.COM
The propagation principals are created with randomly generated keys (-randkey), and ktadd writes their keys into a keytab file; by default the keytab is /etc/krb5.keytab.
Copy the following files to the corresponding directories on the standby Kerberos server
- Copy krb5.conf and krb5.keytab from /etc to the /etc directory on the standby Kerberos server
- Copy .k5.HADOOP.COM, kadm5.acl and krb5.conf from /var/kerberos/krb5kdc to the /var/kerberos/krb5kdc directory on the standby Kerberos server
Note: .k5.HADOOP.COM is a hidden file (it is the stash of the database master key, so protect it accordingly); be sure not to forget to copy it.
Operations on the standby Kerberos node
Declare the principals allowed to propagate
Add the corresponding principals to /var/kerberos/krb5kdc/kpropd.acl; create the file if it does not exist
cd /var/kerberos/krb5kdc
sudo vim kpropd.acl
host/data80@HADOOP.COM
host/data81@HADOOP.COM
Start the kprop service and enable it at boot
sudo systemctl enable kprop
sudo systemctl start kprop
sudo systemctl status kprop
Propagate the primary node's data to the standby node
sudo kdb5_util dump /var/kerberos/krb5kdc/master.dump
A successful dump produces two files: master.dump and master.dump.dump_ok.
On the primary node, use the kprop command to send master.dump to the standby node
sudo kprop -f /var/kerberos/krb5kdc/master.dump -d -P 754 data81
- Log output:
3769 bytes sent. Database propagation to data81: SUCCEEDED
Check the /var/kerberos/krb5kdc directory on the standby node
-rw-------. 1 root root 3769 Apr 8 01:25 from_master
-rw-------. 1 root root 22 Apr 8 00:22 kadm5.acl
-rw-------. 1 root root 451 Sep 14 2019 kdc.conf
-rw-r--r--. 1 root root 46 Apr 8 00:27 kpropd.acl
-rw-------. 1 root root 8192 Apr 8 01:25 principal
-rw-------. 1 root root 8192 Apr 8 01:25 principal.kadm5
-rw-------. 1 root root 0 Apr 8 00:29 principal.kadm5.lock
-rw-------. 1 root root 0 Apr 8 01:25 principal.ok
The following files were added to /var/kerberos/krb5kdc on the standby node:
- from_master
- principal
- principal.kadm5
- principal.kadm5.lock
- principal.ok
Test on the standby node whether the Kerberos services can start from the propagated data
- First stop the kprop service, back up and remove the kpropd.acl file, then start the krb5kdc and kadmin services
sudo systemctl stop kprop
sudo mv /var/kerberos/krb5kdc/kpropd.acl /var/kerberos/krb5kdc/kpropd.acl.bak
sudo systemctl start krb5kdc
sudo systemctl start kadmin
- Edit /etc/krb5.conf on the standby server, point kdc and admin_server at the standby server's address, and test that kinit works
HADOOP.COM = {
# kdc = data80
# admin_server = data80
kdc = data81
admin_server = data81
}
Set up the schedule
crontab -e
*/5 * * * * root /var/kerberos/krb5kdc/kprop_sync.sh >/var/kerberos/krb5kdc/lastupdate
(The user column `root` belongs to the /etc/crontab and /etc/cron.d format; in a per-user crontab opened with `crontab -e` it must be omitted, otherwise cron tries to run a command called `root`.)
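The page refers to kprop_sync.sh but does not show its contents. The script below is an added example, not the original author's script: it dumps the KDC database, refuses to send a dump whose .dump_ok marker is missing, and propagates to each standby over the same port 754 used in the manual kprop run above. The standby host list, file paths and the KDB5_UTIL/KPROP override variables are assumptions.

```shell
#!/bin/sh
# kprop_sync.sh (added example): dump the primary KDC database and propagate
# it to the standby KDC(s). Host names, paths and the override variables
# below are assumptions, not values from the original page.
set -u

DUMP_FILE=${DUMP_FILE:-/var/kerberos/krb5kdc/master.dump}
KPROP_PORT=${KPROP_PORT:-754}        # same port as the manual kprop run above
SLAVES=${SLAVES:-data81}             # space-separated standby KDC hosts
KDB5_UTIL=${KDB5_UTIL:-kdb5_util}    # overridable so the logic can be tested
KPROP=${KPROP:-kprop}

# Dump the database. kdb5_util writes DUMP_FILE and the DUMP_FILE.dump_ok
# marker; without the marker the dump may be incomplete, so do not send it.
dump_db() {
    "$KDB5_UTIL" dump "$DUMP_FILE" || return 1
    [ -f "$DUMP_FILE.dump_ok" ] || { echo "dump_ok marker missing" >&2; return 1; }
}

# Propagate the dump to one standby; returns kprop's exit status.
propagate_to() {
    "$KPROP" -f "$DUMP_FILE" -P "$KPROP_PORT" "$1"
}

# Sync every standby. Returns 99 if the dump failed, otherwise the number of
# hosts that could not be updated (0 means everything succeeded).
kprop_sync() {
    failed=0
    dump_db || return 99
    for host in $SLAVES; do
        if propagate_to "$host"; then
            echo "$(date '+%F %T') propagation to $host: SUCCEEDED"
        else
            echo "$(date '+%F %T') propagation to $host: FAILED" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Run the sync only when executed as the cron script itself, not when sourced.
case "$0" in
    *kprop_sync.sh) kprop_sync; exit $? ;;
esac
```

Because the exit status counts failed standbys, cron's lastupdate file plus a non-zero exit give a simple signal that a standby KDC is falling behind.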
Common problems
- list: permission denied
kadmin: list_principals get_principals: Operation requires ``list'' privilege while retrieving list.