Technology, November 16, 2022

            Building a Big-Data Platform with CDH: Kerberos High-Availability Deployment [Final Part]

                                      Author: 尹正杰

Copyright notice: original work, reproduction prohibited! Violators will be held legally liable.

 1. Install the Kerberos packages and synchronize the configuration files

1>. Lab environment

[root@node101.yinzhengjie.org.cn ~]# cat /etc/redhat-release
CentOS Linux release 7.6. (Core)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# free -h
total used free shared buff/cache available
Mem: .9G 265M .3G 9.5M 368M .4G
Swap: .0G 0B .0G
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# uname -r
3.10.-.el7.x86_64
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# uname -m
x86_64
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat /etc/hosts
#Master KDC server
172.30.1.101 node101.yinzhengjie.org.cn node101
#Backup KDC server
172.30.1.102 node102.yinzhengjie.org.cn node102
#Other hosts, i.e. Kerberos clients
172.30.1.103 node103.yinzhengjie.org.cn node103
172.30.1.110 node110.yinzhengjie.org.cn node110
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#

2>. Install the required Kerberos packages on the master KDC server and edit the corresponding configuration files

[root@node101.yinzhengjie.org.cn ~]# yum -y install  krb5-server krb5-auth-dialog krb5-workstation krb5-devel krb5-libs
Loaded plugins: fastestmirror
Determining fastest mirrors
* base: mirrors.aliyun.com
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
base | 3.6 kB ::
extras | 3.4 kB ::
mysql-connectors-community | 2.5 kB ::
mysql-tools-community | 2.5 kB ::
mysql56-community | 2.5 kB ::
updates | 3.4 kB ::
zabbix | 2.9 kB ::
zabbix-non-supported | B ::
(/): extras//x86_64/primary_db | kB ::
(/): mysql-connectors-community/x86_64/primary_db | kB ::
(/): mysql-tools-community/x86_64/primary_db | kB ::
(/): updates//x86_64/primary_db | 4.2 MB ::
No package krb5-auth-dialog available.
Resolving Dependencies
--> Running transaction check
---> Package krb5-devel.x86_64 :1.15.-.el7_6 will be installed
--> Processing Dependency: libkadm5(x86-) = 1.15.-.el7_6 for package: krb5-devel-1.15.-.el7_6.x86_64
--> Processing Dependency: libverto-devel for package: krb5-devel-1.15.-.el7_6.x86_64
--> Processing Dependency: libselinux-devel for package: krb5-devel-1.15.-.el7_6.x86_64
--> Processing Dependency: libcom_err-devel for package: krb5-devel-1.15.-.el7_6.x86_64
--> Processing Dependency: keyutils-libs-devel for package: krb5-devel-1.15.-.el7_6.x86_64
---> Package krb5-libs.x86_64 :1.15.-.el7 will be updated
---> Package krb5-libs.x86_64 :1.15.-.el7_6 will be an update
---> Package krb5-server.x86_64 :1.15.-.el7_6 will be installed
updates//x86_64/filelists_db | 3.4 MB ::
--> Processing Dependency: libverto-module-base for package: krb5-server-1.15.-.el7_6.x86_64
--> Processing Dependency: /usr/share/dict/words for package: krb5-server-1.15.-.el7_6.x86_64
extras//x86_64/filelists_db | kB ::
mysql-connectors-community/x86_64/filelists_db | kB ::
mysql-tools-community/x86_64/filelists_db | kB ::
mysql56-community/x86_64/filelists_db | kB ::
zabbix/x86_64/filelists_db | kB ::
zabbix-non-supported/x86_64/filelists | B ::
---> Package krb5-workstation.x86_64 :1.15.-.el7_6 will be installed
--> Running transaction check
---> Package keyutils-libs-devel.x86_64 :1.5.-.el7 will be installed
---> Package libcom_err-devel.x86_64 :1.42.-.el7 will be installed
---> Package libkadm5.x86_64 :1.15.-.el7_6 will be installed
---> Package libselinux-devel.x86_64 :2.5-14.1.el7 will be installed
--> Processing Dependency: libsepol-devel(x86-) >= 2.5- for package: libselinux-devel-2.5-14.1.el7.x86_64
--> Processing Dependency: pkgconfig(libsepol) for package: libselinux-devel-2.5-14.1.el7.x86_64
--> Processing Dependency: pkgconfig(libpcre) for package: libselinux-devel-2.5-14.1.el7.x86_64
---> Package libverto-devel.x86_64 :0.2.-.el7 will be installed
---> Package libverto-libevent.x86_64 :0.2.-.el7 will be installed
---> Package words.noarch :3.0-.el7 will be installed
--> Running transaction check
---> Package libsepol-devel.x86_64 :2.5-.el7 will be installed
---> Package pcre-devel.x86_64 :8.32-.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===================================================================================================================================================================================================================
Package Arch Version Repository Size
===================================================================================================================================================================================================================
Installing:
krb5-devel x86_64 1.15.-.el7_6 updates k
krb5-server x86_64 1.15.-.el7_6 updates 1.0 M
krb5-workstation x86_64 1.15.-.el7_6 updates k
Updating:
krb5-libs x86_64 1.15.-.el7_6 updates k
Installing for dependencies:
keyutils-libs-devel x86_64 1.5.-.el7 base k
libcom_err-devel x86_64 1.42.-.el7 base k
libkadm5 x86_64 1.15.-.el7_6 updates k
libselinux-devel x86_64 2.5-14.1.el7 base k
libsepol-devel x86_64 2.5-.el7 base k
libverto-devel x86_64 0.2.-.el7 base k
libverto-libevent x86_64 0.2.-.el7 base 8.9 k
pcre-devel x86_64 8.32-.el7 base k
words noarch 3.0-.el7 base 1.4 M

Transaction Summary
===================================================================================================================================================================================================================
Install Packages (+ Dependent packages)
Upgrade Package

Total download size: 5.2 M
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
(/): keyutils-libs-devel-1.5.-.el7.x86_64.rpm | kB ::
(/): krb5-devel-1.15.-.el7_6.x86_64.rpm | kB ::
(/): krb5-libs-1.15.-.el7_6.x86_64.rpm | kB ::
(/): libcom_err-devel-1.42.-.el7.x86_64.rpm | kB ::
(/): krb5-server-1.15.-.el7_6.x86_64.rpm | 1.0 MB ::
(/): krb5-workstation-1.15.-.el7_6.x86_64.rpm | kB ::
(/): libkadm5-1.15.-.el7_6.x86_64.rpm | kB ::
(/): libsepol-devel-2.5-.el7.x86_64.rpm | kB ::
(/): libselinux-devel-2.5-14.1.el7.x86_64.rpm | kB ::
(/): libverto-devel-0.2.-.el7.x86_64.rpm | kB ::
(/): libverto-libevent-0.2.-.el7.x86_64.rpm | 8.9 kB ::
(/): pcre-devel-8.32-.el7.x86_64.rpm | kB ::
(/): words-3.0-.el7.noarch.rpm | 1.4 MB ::
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 2.3 MB/s | 5.2 MB ::
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Updating : krb5-libs-1.15.-.el7_6.x86_64 /
Installing : libkadm5-1.15.-.el7_6.x86_64 /
Installing : words-3.0-.el7.noarch /
Installing : libcom_err-devel-1.42.-.el7.x86_64 /
Installing : libsepol-devel-2.5-.el7.x86_64 /
Installing : pcre-devel-8.32-.el7.x86_64 /
Installing : libselinux-devel-2.5-14.1.el7.x86_64 /
Installing : libverto-libevent-0.2.-.el7.x86_64 /
Installing : libverto-devel-0.2.-.el7.x86_64 /
Installing : keyutils-libs-devel-1.5.-.el7.x86_64 /
Installing : krb5-devel-1.15.-.el7_6.x86_64 /
Installing : krb5-server-1.15.-.el7_6.x86_64 /
Installing : krb5-workstation-1.15.-.el7_6.x86_64 /
Cleanup : krb5-libs-1.15.-.el7.x86_64 /
Verifying : keyutils-libs-devel-1.5.-.el7.x86_64 /
Verifying : libverto-devel-0.2.-.el7.x86_64 /
Verifying : krb5-workstation-1.15.-.el7_6.x86_64 /
Verifying : krb5-libs-1.15.-.el7_6.x86_64 /
Verifying : libkadm5-1.15.-.el7_6.x86_64 /
Verifying : libverto-libevent-0.2.-.el7.x86_64 /
Verifying : pcre-devel-8.32-.el7.x86_64 /
Verifying : libselinux-devel-2.5-14.1.el7.x86_64 /
Verifying : krb5-server-1.15.-.el7_6.x86_64 /
Verifying : libsepol-devel-2.5-.el7.x86_64 /
Verifying : libcom_err-devel-1.42.-.el7.x86_64 /
Verifying : krb5-devel-1.15.-.el7_6.x86_64 /
Verifying : words-3.0-.el7.noarch /
Verifying : krb5-libs-1.15.-.el7.x86_64 /

Installed:
krb5-devel.x86_64 :1.15.-.el7_6 krb5-server.x86_64 :1.15.-.el7_6 krb5-workstation.x86_64 :1.15.-.el7_6

Dependency Installed:
keyutils-libs-devel.x86_64 :1.5.-.el7 libcom_err-devel.x86_64 :1.42.-.el7 libkadm5.x86_64 :1.15.-.el7_6 libselinux-devel.x86_64 :2.5-14.1.el7 libsepol-devel.x86_64 :2.5-.el7
libverto-devel.x86_64 :0.2.-.el7 libverto-libevent.x86_64 :0.2.-.el7 pcre-devel.x86_64 :8.32-.el7 words.noarch :3.0-.el7

Updated:
krb5-libs.x86_64 :1.15.-.el7_6

Complete!
[root@node101.yinzhengjie.org.cn ~]#


[root@node101.yinzhengjie.org.cn ~]# cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = YINZHENGJIE.COM
kdc_timeout =
max_retries =
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 10d
renew_lifetime = 10d
renewable = false
forwardable = false

[realms]
YINZHENGJIE.COM = {
kdc = node101.yinzhengjie.org.cn:
kdc = node102.yinzhengjie.org.cn:
admin_server = node101.yinzhengjie.org.cn:
default_domain = YINZHENGJIE.COM
}

[domain_realm]
.yinzhengjie.com = YINZHENGJIE.COM
yinzhengjie.com = YINZHENGJIE.COM

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[root@node101.yinzhengjie.org.cn ~]#


[root@node101.yinzhengjie.org.cn ~]# cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports =
kdc_tcp_ports =

[realms]
YINZHENGJIE.COM = {
master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
max_life = 10d
max_renewable_life = 10d
}
[root@node101.yinzhengjie.org.cn ~]#

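One thing worth checking in the kdc.conf above before the realm goes live: in MIT Kerberos, supported_enctypes is the default key/salt list that kadmin uses when it creates keys for new principals, and the list shown still contains single DES (des-hmac-sha1, des-cbc-md5, des-cbc-crc), RC4 (arcfour-hmac) and 3DES (des3-hmac-sha1). The script below is an added example and not part of the original post: it extracts supported_enctypes from a kdc.conf-style file and reports the weak types, running over two constructed sample files (one mirroring the configuration shown above, one AES-only). The function names and temporary file paths are my own.

```shell
#!/bin/bash
# Added example (not from the original post): audit a kdc.conf-style file for
# weak encryption types in supported_enctypes. The sample files below are
# constructed; on a real KDC pass /var/kerberos/krb5kdc/kdc.conf instead.
set -u

# Print each weak enctype found in supported_enctypes of the given file, one
# per line. Prints nothing when only AES types are configured. Single DES is
# broken; RC4 (arcfour) and 3DES are deprecated in MIT Kerberos.
weak_enctypes_in() {
    local conf="$1" line enctype
    # Value after '=' on the supported_enctypes line(s).
    line=$(sed -n 's/^[[:space:]]*supported_enctypes[[:space:]]*=[[:space:]]*//p' "$conf")
    for entry in $line; do
        # Each entry is enctype:salt; keep only the enctype.
        enctype="${entry%%:*}"
        case "$enctype" in
            des-*|des3-*|arcfour-*|rc4-*) echo "$enctype" ;;
        esac
    done
}

# Number of weak enctypes in the file; 0 means the file passes the check.
weak_enctype_count() {
    weak_enctypes_in "$1" | wc -l | tr -d ' '
}

# Constructed sample matching the realm block of the kdc.conf on this page.
SAMPLE_KDC_CONF=$(mktemp)
cat > "$SAMPLE_KDC_CONF" <<'EOF'
[realms]
YINZHENGJIE.COM = {
 master_key_type = aes256-cts
 supported_enctypes = aes256-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
EOF

# Constructed hardened variant: AES only.
SAMPLE_KDC_CONF_HARDENED=$(mktemp)
cat > "$SAMPLE_KDC_CONF_HARDENED" <<'EOF'
[realms]
YINZHENGJIE.COM = {
 master_key_type = aes256-cts
 supported_enctypes = aes256-cts:normal aes128-cts:normal
}
EOF

# Lists the five weak types from the page's configuration (temporary files are
# left in place so they can be inspected; remove them when done).
weak_enctypes_in "$SAMPLE_KDC_CONF"
```

Tightening supported_enctypes only affects keys created afterwards; principals created while the weak types were listed keep their existing keys until they are rekeyed, so run the check before creating the host principals in step 4 rather than after.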

[root@node101.yinzhengjie.org.cn ~]# cat /var/kerberos/krb5kdc/kadm5.acl
*/admin@YINZHENGJIE.COM *
[root@node101.yinzhengjie.org.cn ~]#


3>. Install the required Kerberos packages on the backup KDC server and edit the corresponding configuration files

[root@node102.yinzhengjie.org.cn ~]# yum install -y krb5-server openldap-clients krb5-workstation krb5-libs
Loaded plugins: fastestmirror
Determining fastest mirrors
* base: mirrors.aliyun.com
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
base | 3.6 kB ::
extras | 3.4 kB ::
updates | 3.4 kB ::
zabbix | 2.9 kB ::
zabbix-non-supported | B ::
(/): extras//x86_64/primary_db | kB ::
(/): updates//x86_64/primary_db | 4.2 MB ::
Resolving Dependencies
--> Running transaction check
---> Package krb5-libs.x86_64 :1.15.-.el7 will be updated
---> Package krb5-libs.x86_64 :1.15.-.el7_6 will be an update
---> Package krb5-server.x86_64 :1.15.-.el7_6 will be installed
updates//x86_64/filelists_db | 3.4 MB ::
--> Processing Dependency: libkadm5(x86-) = 1.15.-.el7_6 for package: krb5-server-1.15.-.el7_6.x86_64
--> Processing Dependency: libverto-module-base for package: krb5-server-1.15.-.el7_6.x86_64
--> Processing Dependency: libkadm5srv_mit.so.(kadm5srv_mit_11_MIT)(64bit) for package: krb5-server-1.15.-.el7_6.x86_64
--> Processing Dependency: libkadm5clnt_mit.so.(kadm5clnt_mit_11_MIT)(64bit) for package: krb5-server-1.15.-.el7_6.x86_64
--> Processing Dependency: /usr/share/dict/words for package: krb5-server-1.15.-.el7_6.x86_64
extras//x86_64/filelists_db | kB ::
zabbix/x86_64/filelists_db | kB ::
zabbix-non-supported/x86_64/filelists | B ::
--> Processing Dependency: libkadm5srv_mit.so.()(64bit) for package: krb5-server-1.15.-.el7_6.x86_64
--> Processing Dependency: libkadm5clnt_mit.so.()(64bit) for package: krb5-server-1.15.-.el7_6.x86_64
---> Package krb5-workstation.x86_64 :1.15.-.el7_6 will be installed
---> Package openldap-clients.x86_64 :2.4.-.el7_6 will be installed
--> Processing Dependency: openldap(x86-) = 2.4.-.el7_6 for package: openldap-clients-2.4.-.el7_6.x86_64
--> Running transaction check
---> Package libkadm5.x86_64 :1.15.-.el7_6 will be installed
---> Package libverto-libevent.x86_64 :0.2.-.el7 will be installed
--> Processing Dependency: libevent-2.0.so.()(64bit) for package: libverto-libevent-0.2.-.el7.x86_64
---> Package openldap.x86_64 :2.4.-.el7 will be updated
---> Package openldap.x86_64 :2.4.-.el7_6 will be an update
---> Package words.noarch :3.0-.el7 will be installed
--> Running transaction check
---> Package libevent.x86_64 :2.0.-.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===================================================================================================================================================================================================================
Package Arch Version Repository Size
===================================================================================================================================================================================================================
Installing:
krb5-server x86_64 1.15.-.el7_6 updates 1.0 M
krb5-workstation x86_64 1.15.-.el7_6 updates k
openldap-clients x86_64 2.4.-.el7_6 updates k
Updating:
krb5-libs x86_64 1.15.-.el7_6 updates k
Installing for dependencies:
libevent x86_64 2.0.-.el7 base k
libkadm5 x86_64 1.15.-.el7_6 updates k
libverto-libevent x86_64 0.2.-.el7 base 8.9 k
words noarch 3.0-.el7 base 1.4 M
Updating for dependencies:
openldap x86_64 2.4.-.el7_6 updates k

Transaction Summary
===================================================================================================================================================================================================================
Install Packages (+ Dependent packages)
Upgrade Package (+ Dependent package)

Total download size: 4.9 M
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
(/): krb5-libs-1.15.-.el7_6.x86_64.rpm | kB ::
(/): libevent-2.0.-.el7.x86_64.rpm | kB ::
(/): krb5-server-1.15.-.el7_6.x86_64.rpm | 1.0 MB ::
(/): libkadm5-1.15.-.el7_6.x86_64.rpm | kB ::
(/): krb5-workstation-1.15.-.el7_6.x86_64.rpm | kB ::
(/): openldap-clients-2.4.-.el7_6.x86_64.rpm | kB ::
(/): openldap-2.4.-.el7_6.x86_64.rpm | kB ::
(/): words-3.0-.el7.noarch.rpm | 1.4 MB ::
(/): libverto-libevent-0.2.-.el7.x86_64.rpm | 8.9 kB ::
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total kB/s | 4.9 MB ::
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Updating : krb5-libs-1.15.-.el7_6.x86_64 /
Installing : libkadm5-1.15.-.el7_6.x86_64 /
Installing : words-3.0-.el7.noarch /
Updating : openldap-2.4.-.el7_6.x86_64 /
Installing : libevent-2.0.-.el7.x86_64 /
Installing : libverto-libevent-0.2.-.el7.x86_64 /
Installing : krb5-server-1.15.-.el7_6.x86_64 /
Installing : openldap-clients-2.4.-.el7_6.x86_64 /
Installing : krb5-workstation-1.15.-.el7_6.x86_64 /
Cleanup : openldap-2.4.-.el7.x86_64 /
Cleanup : krb5-libs-1.15.-.el7.x86_64 /
Verifying : krb5-workstation-1.15.-.el7_6.x86_64 /
Verifying : krb5-libs-1.15.-.el7_6.x86_64 /
Verifying : libkadm5-1.15.-.el7_6.x86_64 /
Verifying : libevent-2.0.-.el7.x86_64 /
Verifying : libverto-libevent-0.2.-.el7.x86_64 /
Verifying : krb5-server-1.15.-.el7_6.x86_64 /
Verifying : openldap-2.4.-.el7_6.x86_64 /
Verifying : openldap-clients-2.4.-.el7_6.x86_64 /
Verifying : words-3.0-.el7.noarch /
Verifying : krb5-libs-1.15.-.el7.x86_64 /
Verifying : openldap-2.4.-.el7.x86_64 /

Installed:
krb5-server.x86_64 :1.15.-.el7_6 krb5-workstation.x86_64 :1.15.-.el7_6 openldap-clients.x86_64 :2.4.-.el7_6

Dependency Installed:
libevent.x86_64 :2.0.-.el7 libkadm5.x86_64 :1.15.-.el7_6 libverto-libevent.x86_64 :0.2.-.el7 words.noarch :3.0-.el7

Updated:
krb5-libs.x86_64 :1.15.-.el7_6

Dependency Updated:
openldap.x86_64 :2.4.-.el7_6

Complete!
[root@node102.yinzhengjie.org.cn ~]#


[root@node102.yinzhengjie.org.cn ~]# cat /var/kerberos/krb5kdc/kpropd.acl
host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM
[root@node102.yinzhengjie.org.cn ~]#


4>. Initialize the master KDC database and create the host principals; this step produces the "krb5.keytab" file, which the next step copies to the backup KDC

[root@node101.yinzhengjie.org.cn ~]# kdb5_util create -r YINZHENGJIE.COM -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'YINZHENGJIE.COM',
master key name 'K/M@YINZHENGJIE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
[root@node101.yinzhengjie.org.cn ~]#


[root@node101.yinzhengjie.org.cn ~]# kadmin.local -q "ank -randkey host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM"
Authenticating as principal root/admin@YINZHENGJIE.COM with password.
WARNING: no policy specified for host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM; defaulting to no policy
Principal "host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM" created.
[root@node101.yinzhengjie.org.cn ~]#


[root@node101.yinzhengjie.org.cn ~]# kadmin.local -q "ank -randkey host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM"
Authenticating as principal root/admin@YINZHENGJIE.COM with password.
WARNING: no policy specified for host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM; defaulting to no policy
Principal "host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM" created.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#


[root@node101.yinzhengjie.org.cn ~]# kadmin.local -q "xst host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM"
Authenticating as principal root/admin@YINZHENGJIE.COM with password.
Entry for principal host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno , encryption type aes256-cts-hmac-sha1- added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno , encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno , encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno , encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno , encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.
[root@node101.yinzhengjie.org.cn ~]#


[root@node101.yinzhengjie.org.cn ~]# kadmin.local -q "xst host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM"
Authenticating as principal root/admin@YINZHENGJIE.COM with password.
Entry for principal host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno , encryption type aes256-cts-hmac-sha1- added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno , encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno , encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno , encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno , encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.
[root@node101.yinzhengjie.org.cn ~]#


[root@node101.yinzhengjie.org.cn ~]# klist  -ket /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
// :: host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM (aes256-cts-hmac-sha1-)
// :: host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM (des3-cbc-sha1)
// :: host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM (arcfour-hmac)
// :: host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM (des-hmac-sha1)
// :: host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM (des-cbc-md5)
// :: host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM (aes256-cts-hmac-sha1-)
// :: host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM (des3-cbc-sha1)
// :: host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM (arcfour-hmac)
// :: host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM (des-hmac-sha1)
// :: host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM (des-cbc-md5)
[root@node101.yinzhengjie.org.cn ~]#

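kprop authenticates to the backup KDC with the master's host principal taken from the keytab, and kpropd on the backup only accepts pushes from the principals listed in kpropd.acl, so both host principals created above have to be present in the keytab that gets copied to node102. The script below is an added example and not part of the original post: it compares a kpropd.acl file against the output of `klist -kt` and prints the principals that are missing from the keytab. Both inputs are constructed samples (the kvno and timestamps are made up); on a real KDC feed it /var/kerberos/krb5kdc/kpropd.acl and `klist -kt /etc/krb5.keytab > /tmp/keytab.txt`. The function name is my own.

```shell
#!/bin/bash
# Added example (not from the original post): confirm that every principal in
# kpropd.acl has an entry in the keytab. A missing entry is the usual cause of
# "kprop: Key table entry not found while getting initial credentials".
set -u

# Print the principals of the ACL that do not appear in the klist output.
# Usage: missing_keytab_principals <kpropd.acl> <file holding klist -kt output>
missing_keytab_principals() {
    local acl="$1" klist_out="$2" principal
    while read -r principal; do
        # Skip blank lines and comments in the ACL.
        case "$principal" in ''|'#'*) continue ;; esac
        # In klist output the principal is the field containing '@'; this also
        # works for 'klist -ket', where an "(enctype)" column follows it.
        if ! awk '{ for (i = 1; i <= NF; i++) if ($i ~ /@/) print $i }' "$klist_out" \
                | grep -qxF "$principal"; then
            echo "$principal"
        fi
    done < "$acl"
}

# Constructed kpropd.acl, identical to the one on this page.
SAMPLE_ACL=$(mktemp)
cat > "$SAMPLE_ACL" <<'EOF'
host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM
EOF

# Constructed 'klist -kt' output in which only node101's key is present, as it
# would be if the xst for node102 had been skipped (kvno and dates are made up).
SAMPLE_KLIST=$(mktemp)
cat > "$SAMPLE_KLIST" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 05/10/2019 10:00  host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
   2 05/10/2019 10:00  host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
EOF

# Reports host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM as missing.
missing_keytab_principals "$SAMPLE_ACL" "$SAMPLE_KLIST"
```

Run it on the master before step 5 and again on node102 after the keytab has been copied; an empty result on both hosts means the names in kpropd.acl, the principals created with ank, and the keytab entries all agree.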

5>. Copy the master node's configuration files and keytab to the slave node

[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# scp /etc/krb5.conf node102.yinzhengjie.org.cn:/etc/
krb5.conf % .6MB/s :
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# scp /var/kerberos/krb5kdc/kdc.conf node102.yinzhengjie.org.cn:/var/kerberos/krb5kdc/
kdc.conf % .7KB/s :
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# scp /var/kerberos/krb5kdc/kadm5.acl node102.yinzhengjie.org.cn:/var/kerberos/krb5kdc/
kadm5.acl % .0KB/s :
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# scp /var/kerberos/krb5kdc/.k5.YINZHENGJIE.COM node102.yinzhengjie.org.cn:/var/kerberos/krb5kdc/
.k5.YINZHENGJIE.COM % .2KB/s :
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# scp /etc/krb5.keytab node102.yinzhengjie.org.cn:/etc/krb5.keytab
krb5.keytab                                                                                           %     .6MB/s  :
[root@node101.yinzhengjie.org.cn ~]# 

6>. Install the corresponding packages on the other hosts and copy the master KDC's

[root@node103.yinzhengjie.org.cn ~]# yum install -y krb5-workstation krb5-devel
Loaded plugins: fastestmirror
Determining fastest mirrors
* base: mirrors.aliyun.com
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
base | 3.6 kB ::
extras | 3.4 kB ::
updates | 3.4 kB ::
zabbix | 2.9 kB ::
zabbix-non-supported | B ::
(/): extras//x86_64/primary_db | kB ::
(/): updates//x86_64/primary_db | 4.2 MB ::
Resolving Dependencies
--> Running transaction check
---> Package krb5-devel.x86_64 :1.15.-.el7_6 will be installed
--> Processing Dependency: libkadm5(x86-) = 1.15.-.el7_6 for package: krb5-devel-1.15.-.el7_6.x86_64
--> Processing Dependency: krb5-libs(x86-) = 1.15.-.el7_6 for package: krb5-devel-1.15.-.el7_6.x86_64
--> Processing Dependency: libverto-devel for package: krb5-devel-1.15.-.el7_6.x86_64
--> Processing Dependency: libselinux-devel for package: krb5-devel-1.15.-.el7_6.x86_64
--> Processing Dependency: libcom_err-devel for package: krb5-devel-1.15.-.el7_6.x86_64
--> Processing Dependency: keyutils-libs-devel for package: krb5-devel-1.15.-.el7_6.x86_64
---> Package krb5-workstation.x86_64 :1.15.-.el7_6 will be installed
--> Running transaction check
---> Package keyutils-libs-devel.x86_64 :1.5.-.el7 will be installed
---> Package krb5-libs.x86_64 :1.15.-.el7 will be updated
---> Package krb5-libs.x86_64 :1.15.-.el7_6 will be an update
---> Package libcom_err-devel.x86_64 :1.42.-.el7 will be installed
---> Package libkadm5.x86_64 :1.15.-.el7_6 will be installed
---> Package libselinux-devel.x86_64 :2.5-14.1.el7 will be installed
--> Processing Dependency: libsepol-devel(x86-) >= 2.5- for package: libselinux-devel-2.5-14.1.el7.x86_64
--> Processing Dependency: pkgconfig(libsepol) for package: libselinux-devel-2.5-14.1.el7.x86_64
--> Processing Dependency: pkgconfig(libpcre) for package: libselinux-devel-2.5-14.1.el7.x86_64
---> Package libverto-devel.x86_64 :0.2.-.el7 will be installed
--> Running transaction check
---> Package libsepol-devel.x86_64 :2.5-.el7 will be installed
---> Package pcre-devel.x86_64 :8.32-.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===================================================================================================================================================================================================================
Package Arch Version Repository Size
===================================================================================================================================================================================================================
Installing:
krb5-devel x86_64 1.15.-.el7_6 updates k
krb5-workstation x86_64 1.15.-.el7_6 updates k
Installing for dependencies:
keyutils-libs-devel x86_64 1.5.-.el7 base k
libcom_err-devel x86_64 1.42.-.el7 base k
libkadm5 x86_64 1.15.-.el7_6 updates k
libselinux-devel x86_64 2.5-14.1.el7 base k
libsepol-devel x86_64 2.5-.el7 base k
libverto-devel x86_64 0.2.-.el7 base k
pcre-devel x86_64 8.32-.el7 base k
Updating for dependencies:
krb5-libs x86_64 1.15.-.el7_6 updates k

Transaction Summary
===================================================================================================================================================================================================================
Install Packages (+ Dependent packages)
Upgrade ( Dependent package)

Total download size: 2.8 M
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
(/): krb5-devel-1.15.-.el7_6.x86_64.rpm | kB ::
(/): keyutils-libs-devel-1.5.-.el7.x86_64.rpm | kB ::
(/): krb5-libs-1.15.-.el7_6.x86_64.rpm | kB ::
(/): libkadm5-1.15.-.el7_6.x86_64.rpm | kB ::
(/): krb5-workstation-1.15.-.el7_6.x86_64.rpm | kB ::
(/): libselinux-devel-2.5-14.1.el7.x86_64.rpm | kB ::
(/): libsepol-devel-2.5-.el7.x86_64.rpm | kB ::
(/): libverto-devel-0.2.-.el7.x86_64.rpm | kB ::
(/): pcre-devel-8.32-.el7.x86_64.rpm | kB ::
(/): libcom_err-devel-1.42.-.el7.x86_64.rpm | kB ::
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total kB/s | 2.8 MB ::
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Updating : krb5-libs-1.15.-.el7_6.x86_64 /
Installing : libkadm5-1.15.-.el7_6.x86_64 /
Installing : libcom_err-devel-1.42.-.el7.x86_64 /
Installing : libsepol-devel-2.5-.el7.x86_64 /
Installing : pcre-devel-8.32-.el7.x86_64 /
Installing : libselinux-devel-2.5-14.1.el7.x86_64 /
Installing : libverto-devel-0.2.-.el7.x86_64 /
Installing : keyutils-libs-devel-1.5.-.el7.x86_64 /
Installing : krb5-devel-1.15.-.el7_6.x86_64 /
Installing : krb5-workstation-1.15.-.el7_6.x86_64 /
Cleanup : krb5-libs-1.15.-.el7.x86_64 /
Verifying : keyutils-libs-devel-1.5.-.el7.x86_64 /
Verifying : libverto-devel-0.2.-.el7.x86_64 /
Verifying : krb5-workstation-1.15.-.el7_6.x86_64 /
Verifying : krb5-libs-1.15.-.el7_6.x86_64 /
Verifying : libkadm5-1.15.-.el7_6.x86_64 /
Verifying : pcre-devel-8.32-.el7.x86_64 /
Verifying : libselinux-devel-2.5-14.1.el7.x86_64 /
Verifying : libsepol-devel-2.5-.el7.x86_64 /
Verifying : libcom_err-devel-1.42.-.el7.x86_64 /
Verifying : krb5-devel-1.15.-.el7_6.x86_64 /
Verifying : krb5-libs-1.15.-.el7.x86_64 /

Installed:
krb5-devel.x86_64 :1.15.-.el7_6 krb5-workstation.x86_64 :1.15.-.el7_6

Dependency Installed:
keyutils-libs-devel.x86_64 :1.5.-.el7 libcom_err-devel.x86_64 :1.42.-.el7 libkadm5.x86_64 :1.15.-.el7_6 libselinux-devel.x86_64 :2.5-14.1.el7 libsepol-devel.x86_64 :2.5-.el7
libverto-devel.x86_64 :0.2.-.el7 pcre-devel.x86_64 :8.32-.el7

Dependency Updated:
krb5-libs.x86_64 :1.15.-.el7_6

Complete!
[root@node103.yinzhengjie.org.cn ~]#


[root@node101.yinzhengjie.org.cn ~]# scp /etc/krb5.conf node103.yinzhengjie.org.cn:/etc/krb5.conf
krb5.conf % .7MB/s :
[root@node101.yinzhengjie.org.cn ~]#


7>. Back up the configuration files (needed on both master and backup)

  To be updated...

2. Configure master/slave synchronization of the KDC

1>. Start the services on the master and backup KDCs

[root@node101.yinzhengjie.org.cn ~]# systemctl start krb5kdc
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# systemctl status krb5kdc
● krb5kdc.service - Kerberos KDC
Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)
Active: active (running) since Fri -- :: CST; 4s ago
Process: ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=/SUCCESS)
Main PID: (krb5kdc)
CGroup: /system.slice/krb5kdc.service
└─ /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid

May :: node101.yinzhengjie.org.cn systemd[]: Starting Kerberos KDC...
May :: node101.yinzhengjie.org.cn systemd[]: Started Kerberos KDC.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# systemctl enable krb5kdc
Created symlink from /etc/systemd/system/multi-user.target.wants/krb5kdc.service to /usr/lib/systemd/system/krb5kdc.service.
[root@node101.yinzhengjie.org.cn ~]#

[root@node101.yinzhengjie.org.cn ~]# systemctl start krb5kdc          # run on the master KDC

[root@node101.yinzhengjie.org.cn ~]# systemctl start kadmin
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# systemctl status kadmin
● kadmin.service - Kerberos Password-changing and Administration
Loaded: loaded (/usr/lib/systemd/system/kadmin.service; disabled; vendor preset: disabled)
Active: active (running) since Fri -- :: CST; 1s ago
Process: ExecStart=/usr/sbin/_kadmind -P /var/run/kadmind.pid $KADMIND_ARGS (code=exited, status=/SUCCESS)
Main PID: (kadmind)
CGroup: /system.slice/kadmin.service
└─ /usr/sbin/kadmind -P /var/run/kadmind.pid

May :: node101.yinzhengjie.org.cn systemd[]: Starting Kerberos Password-changing and Administration...
May :: node101.yinzhengjie.org.cn systemd[]: Started Kerberos Password-changing and Administration.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# systemctl enable kadmin
Created symlink from /etc/systemd/system/multi-user.target.wants/kadmin.service to /usr/lib/systemd/system/kadmin.service.
[root@node101.yinzhengjie.org.cn ~]#

[root@node101.yinzhengjie.org.cn ~]# systemctl start kadmin           # run on the master KDC

[root@node102.yinzhengjie.org.cn ~]# systemctl start kprop
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]# systemctl status kprop
● kprop.service - Kerberos Propagation
Loaded: loaded (/usr/lib/systemd/system/kprop.service; disabled; vendor preset: disabled)
Active: active (running) since Fri -- :: CST; 1s ago
Process: ExecStart=/usr/sbin/_kpropd $KPROPD_ARGS (code=exited, status=/SUCCESS)
Main PID: (kpropd)
CGroup: /system.slice/kprop.service
└─ /usr/sbin/kpropd

May :: node102.yinzhengjie.org.cn systemd[]: Starting Kerberos Propagation...
May :: node102.yinzhengjie.org.cn systemd[]: Started Kerberos Propagation.
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]# systemctl enable kprop
Created symlink from /etc/systemd/system/multi-user.target.wants/kprop.service to /usr/lib/systemd/system/kprop.service.
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]#

[root@node102.yinzhengjie.org.cn ~]# systemctl start kprop           # run on the backup KDC

2>. Synchronize the master KDC database to the backup KDC

[root@node101.yinzhengjie.org.cn ~]# kdb5_util dump /var/kerberos/krb5kdc/slave_datatrans
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# kprop -f /var/kerberos/krb5kdc/slave_datatrans node102.yinzhengjie.org.cn        # If this step fails (e.g. "kprop: Key table entry not found while getting initial credentials"), check steps 3 and 4 of part one for discrepancies, e.g. do the host names match?
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
[root@node101.yinzhengjie.org.cn ~]#

Tip:
  The steps above synchronize the primary KDC's credential data to the backup KDC by hand; we can write a script that runs these two commands periodically.
[root@node101.yinzhengjie.org.cn ~]# mkdir /var/kerberos/{shell,log}
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# vi /var/kerberos/shell/dump_principal.sh
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# chmod +x /var/kerberos/shell/dump_principal.sh
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# which kdb5_util
/usr/sbin/kdb5_util
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# which kprop
/usr/sbin/kprop
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat /var/kerberos/shell/dump_principal.sh
#!/bin/bash
#@author :yinzhengjie
#blog:http://www.cnblogs.com/yinzhengjie
#EMAIL:y1053419035@qq.com
#Date:Thu Oct :: CST
/usr/sbin/kdb5_util dump /var/kerberos/krb5kdc/slave_datatrans
/usr/sbin/kprop -f /var/kerberos/krb5kdc/slave_datatrans node102.yinzhengjie.org.cn
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# crontab -e
no crontab for root - using an empty one
crontab: installing new crontab
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# crontab -l
* * * * * /bin/date >> /var/kerberos/log/dump.log >&;/var/kerberos/shell/dump_principal.sh >> /var/kerberos/log/dump.log >&
* * * * * sleep ; /bin/date >> /var/kerberos/log/dump.log >&; /var/kerberos/shell/dump_principal.sh >> /var/kerberos/log/dump.log >&
* * * * * sleep ; /bin/date >> /var/kerberos/log/dump.log >&; /var/kerberos/shell/dump_principal.sh >> /var/kerberos/log/dump.log >&
* * * * * sleep ; /bin/date >> /var/kerberos/log/dump.log >&; /var/kerberos/shell/dump_principal.sh >> /var/kerberos/log/dump.log >&
* * * * * sleep ; /bin/date >> /var/kerberos/log/dump.log >&; /var/kerberos/shell/dump_principal.sh >> /var/kerberos/log/dump.log >&
* * * * * sleep ; /bin/date >> /var/kerberos/log/dump.log >&; /var/kerberos/shell/dump_principal.sh >> /var/kerberos/log/dump.log >&
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#

[root@node101.yinzhengjie.org.cn ~]# cat /var/kerberos/shell/dump_principal.sh      #write a script that periodically synchronizes the primary KDC's data to the secondary KDC

[root@node101.yinzhengjie.org.cn ~]# tail -100f /var/kerberos/log/dump.log
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
^C
[root@node101.yinzhengjie.org.cn ~]#

[root@node101.yinzhengjie.org.cn ~]# tail -100f /var/kerberos/log/dump.log        #view the log records
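As an added example (not the blog's own dump_principal.sh), a hardened version of the propagation script: it takes a lock so overlapping cron runs cannot race on slave_datatrans, returns distinct exit codes for a failed dump versus a failed kprop, and includes a log summary that reports when the latest propagation failed, which is what dump.log shows once the primary KDC is stopped. Paths and host names are this page's; the lock directory, the timestamped log format and the sample log lines are assumptions and constructed data.

```bash
#!/bin/bash
# Added example, not the blog's own dump_principal.sh: a hardened propagation
# script for the cron job above. Paths and host names are the ones this page
# uses; the lock directory and the timestamped log format are assumptions.
set -u
KDB5_UTIL="${KDB5_UTIL:-/usr/sbin/kdb5_util}"
KPROP="${KPROP:-/usr/sbin/kprop}"
DUMP_FILE="${DUMP_FILE:-/var/kerberos/krb5kdc/slave_datatrans}"
BACKUP_KDC="${BACKUP_KDC:-node102.yinzhengjie.org.cn}"
LOCK_DIR="${LOCK_DIR:-/var/run/dump_principal.lock}"   # assumed location

# log_line LEVEL MESSAGE: one timestamped line per event (the page's cron job
# writes a bare `date` line and the command output on separate lines instead).
log_line() {
    printf '%s [%s] %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$1" "$2"
}

# propagate_db: dump the principal database and push it to the backup KDC.
# Exit codes: 0 success, 1 dump failed, 2 kprop failed (e.g. the "Cannot
# contact any KDC" error seen when the primary KDC is down), 3 lock held.
propagate_db() {
    if ! mkdir "$LOCK_DIR" 2>/dev/null; then
        log_line WARN "another propagation is still running, skipping"
        return 3
    fi
    local rc=0
    if ! "$KDB5_UTIL" dump "$DUMP_FILE"; then
        log_line ERROR "kdb5_util dump to $DUMP_FILE failed"
        rc=1
    elif ! "$KPROP" -f "$DUMP_FILE" "$BACKUP_KDC"; then
        log_line ERROR "kprop to $BACKUP_KDC failed; check kpropd and the host/ principals"
        rc=2
    else
        log_line INFO "propagation to $BACKUP_KDC SUCCEEDED"
    fi
    rmdir "$LOCK_DIR"
    return "$rc"
}

# summarize_log FILE: count successful and failed attempts in dump.log and print
# "ok=N failed=M"; returns 1 when the most recent attempt failed, so a monitor
# can alert that the backup KDC is falling behind the primary.
summarize_log() {
    local pat='Cannot contact any KDC|ERROR|Key table entry not found' ok failed last
    ok=$(grep -c SUCCEEDED "$1" || true)
    failed=$(grep -c -E "$pat" "$1" || true)
    last=$(grep -E "SUCCEEDED|$pat" "$1" | tail -n 1 || true)
    printf 'ok=%s failed=%s\n' "$ok" "$failed"
    case "$last" in *SUCCEEDED*) return 0 ;; *) return 1 ;; esac
}

# write_sample_log FILE: constructed lines in the shape of this page's dump.log
# (one good run, then one run made while no KDC was reachable).
write_sample_log() {
    printf '%s\n' 'Fri May 10 10:00:01 CST 2019' \
        'Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED' \
        'Fri May 10 10:00:11 CST 2019' \
        '/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials' > "$1"
}

# cron entry: * * * * * /var/kerberos/shell/dump_principal.sh run >> /var/kerberos/log/dump.log 2>&1
case "${1:-}" in run) propagate_db ;; esac
```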

3>.Start the backup KDC service

[root@node102.yinzhengjie.org.cn ~]# systemctl start krb5kdc
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]# systemctl status krb5kdc
● krb5kdc.service - Kerberos KDC
Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)
Active: active (running) since Fri -- :: CST; 1s ago
Process: ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=/SUCCESS)
Main PID: (krb5kdc)
CGroup: /system.slice/krb5kdc.service
└─ /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid
May :: node102.yinzhengjie.org.cn systemd[]: Starting Kerberos KDC...
May :: node102.yinzhengjie.org.cn systemd[]: Started Kerberos KDC.
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]# systemctl enable krb5kdc
Created symlink from /etc/systemd/system/multi-user.target.wants/krb5kdc.service to /usr/lib/systemd/system/krb5kdc.service.
[root@node102.yinzhengjie.org.cn ~]#

[root@node102.yinzhengjie.org.cn ~]# systemctl start krb5kdc

4>.Log in to the kadmin.local command line

  As root, the kadmin.local command enters and manages the Kerberos database directly, without going through Kerberos authentication.

[root@node101.yinzhengjie.org.cn ~]# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# kadmin.local
Authenticating as principal root/admin@YINZHENGJIE.COM with password.
kadmin.local:
kadmin.local: listprincs
K/M@YINZHENGJIE.COM
host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kiprop/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
kadmin.local:
kadmin.local: quit
[root@node101.yinzhengjie.org.cn ~]#

5>.Add an administrator user with kadmin.local

   You can run "kadmin.local" to enter the kadmin.local command line directly, or use "kadmin.local -q" to pass the statement to execute.

[root@node101.yinzhengjie.org.cn ~]# kadmin.local -q "addprinc admin"
Authenticating as principal root/admin@YINZHENGJIE.COM with password.
WARNING: no policy specified for admin@YINZHENGJIE.COM; defaulting to no policy
Enter password for principal "admin@YINZHENGJIE.COM":
Re-enter password for principal "admin@YINZHENGJIE.COM":
Principal "admin@YINZHENGJIE.COM" created.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# kadmin.local -q "listprincs"
Authenticating as principal root/admin@YINZHENGJIE.COM with password.
K/M@YINZHENGJIE.COM
admin@YINZHENGJIE.COM                                #this is the administrator user we just added; clearly it was created successfully!
host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kiprop/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
[root@node101.yinzhengjie.org.cn ~]#

III. Verify the availability of the Kerberos cluster

1>.Log in on the Kerberos client

[root@node103.yinzhengjie.org.cn ~]# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]# kinit admin    
Password for admin@YINZHENGJIE.COM:                       #enter the password and press Enter; no further output means authentication succeeded
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@YINZHENGJIE.COM

Valid starting       Expires              Service principal
// ::   // ::   krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
  Etype (skey, tkt): aes256-cts-hmac-sha1-, aes256-cts-hmac-sha1-
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]#

Explanation of the fields above:
Ticket cache:
  the ticket cache is stored in /tmp/krb5cc_0
Default principal:
  the authenticated user
Valid starting:
  the time at which the ticket became valid
Expires:
  the time at which the ticket expires
Service principal:
  the principal of the service the ticket is for
renew until:
  the deadline up to which the ticket can be renewed with kinit -R
Etype:
  the encryption type of the session key

2>.Check the running status of the primary KDC

[root@node101.yinzhengjie.org.cn ~]# systemctl status krb5kdc
● krb5kdc.service - Kerberos KDC
Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; enabled; vendor preset: disabled)
Active: active (running) since Fri -- :: CST; 40min ago
Main PID: (krb5kdc)
CGroup: /system.slice/krb5kdc.service
└─ /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid
May :: node101.yinzhengjie.org.cn systemd[]: Starting Kerberos KDC...
May :: node101.yinzhengjie.org.cn systemd[]: Started Kerberos KDC.
[root@node101.yinzhengjie.org.cn ~]#

3>.Check the running status of the backup KDC

[root@node102.yinzhengjie.org.cn ~]# systemctl status krb5kdc
● krb5kdc.service - Kerberos KDC
Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; enabled; vendor preset: disabled)
Active: active (running) since Fri -- :: CST; 16min ago
Main PID: (krb5kdc)
CGroup: /system.slice/krb5kdc.service
└─ /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid
May :: node102.yinzhengjie.org.cn systemd[]: Starting Kerberos KDC...
May :: node102.yinzhengjie.org.cn systemd[]: Started Kerberos KDC.
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]#

4>.Stop the primary KDC process and observe whether the Kerberos client still works

[root@node101.yinzhengjie.org.cn ~]# systemctl status krb5kdc
● krb5kdc.service - Kerberos KDC
Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; enabled; vendor preset: disabled)
Active: active (running) since Fri -- :: CST; 2s ago
Process: ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=/SUCCESS)
Main PID: (krb5kdc)
CGroup: /system.slice/krb5kdc.service
└─ /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid
May :: node101.yinzhengjie.org.cn systemd[]: Starting Kerberos KDC...
May :: node101.yinzhengjie.org.cn systemd[]: Started Kerberos KDC.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# systemctl stop krb5kdc
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# systemctl status krb5kdc
● krb5kdc.service - Kerberos KDC
Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; enabled; vendor preset: disabled)
Active: inactive (dead) since Fri -- :: CST; 1s ago
Process: ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=/SUCCESS)
Main PID: (code=exited, status=/SUCCESS)
May :: node101.yinzhengjie.org.cn systemd[]: Starting Kerberos KDC...
May :: node101.yinzhengjie.org.cn systemd[]: Started Kerberos KDC.
May :: node101.yinzhengjie.org.cn systemd[]: Stopping Kerberos KDC...
May :: node101.yinzhengjie.org.cn systemd[]: Stopped Kerberos KDC.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#

[root@node101.yinzhengjie.org.cn ~]# systemctl stop krb5kdc                     #stop the primary KDC service, then perform the following operations


[root@node103.yinzhengjie.org.cn ~]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@YINZHENGJIE.COM

Valid starting       Expires              Service principal
// ::   // ::   krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
Etype (skey, tkt): aes256-cts-hmac-sha1-, aes256-cts-hmac-sha1-
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]# kdestroy
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]# kinit admin                          #after stopping the primary KDC, the service is still available; the client is now talking to the secondary KDC!
Password for admin@YINZHENGJIE.COM:
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@YINZHENGJIE.COM

Valid starting       Expires              Service principal
// ::   // ::   krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
[root@node103.yinzhengjie.org.cn ~]#


[root@node102.yinzhengjie.org.cn ~]# systemctl status krb5kdc
● krb5kdc.service - Kerberos KDC
Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; enabled; vendor preset: disabled)
Active: active (running) since Fri -- :: CST; 2h 25min ago
Main PID: (krb5kdc)
CGroup: /system.slice/krb5kdc.service
└─ /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid
May :: node102.yinzhengjie.org.cn systemd[]: Starting Kerberos KDC...
May :: node102.yinzhengjie.org.cn systemd[]: Started Kerberos KDC.
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]# systemctl stop krb5kdc
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]# systemctl status krb5kdc
● krb5kdc.service - Kerberos KDC
Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; enabled; vendor preset: disabled)
Active: inactive (dead) since Fri -- :: CST; 1s ago
Main PID: (code=exited, status=/SUCCESS)
May :: node102.yinzhengjie.org.cn systemd[]: Starting Kerberos KDC...
May :: node102.yinzhengjie.org.cn systemd[]: Started Kerberos KDC.
May :: node102.yinzhengjie.org.cn systemd[]: Stopping Kerberos KDC...
May :: node102.yinzhengjie.org.cn systemd[]: Stopped Kerberos KDC.
[root@node102.yinzhengjie.org.cn ~]#

[root@node102.yinzhengjie.org.cn ~]# systemctl stop krb5kdc                    #the service stayed available after the primary KDC was stopped, so now we stop the backup KDC as well

[root@node101.yinzhengjie.org.cn ~]# tail -100f /var/kerberos/log/dump.log
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May :: CST
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May :: CST
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May :: CST
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May :: CST
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May :: CST
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May :: CST
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May :: CST
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May :: CST
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May :: CST
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May :: CST
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May :: CST
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May :: CST
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May :: CST
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May :: CST
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May :: CST
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May :: CST
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May :: CST
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May :: CST
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May :: CST
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May :: CST
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May :: CST
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
^C
[root@node101.yinzhengjie.org.cn ~]#

[root@node101.yinzhengjie.org.cn ~]# tail -100f /var/kerberos/log/dump.log            #after stopping the primary KDC, the database synchronization log also shows errors

[root@node103.yinzhengjie.org.cn ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@YINZHENGJIE.COM

Valid starting       Expires              Service principal
// ::   // ::   krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]# kdestroy         
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]# kinit admin                            #since we stopped both the primary and the backup KDC, no usable KDC can be found!
kinit: Cannot contact any KDC for realm 'YINZHENGJIE.COM' while getting initial credentials
[root@node103.yinzhengjie.org.cn ~]#

