Kerberos主从配置

前言

本篇文档衔接上一篇 Kerberos 的安装配置；详见：http://blog.51cto.com/784687488/2332072

配置指定Kerberos配置文件的系统环境变量

# 以下配置是 Kerberos 默认配置，也可以不配。如果需要改变 Kerberos 默认的配置文件路径则必须配置
echo "export KRB5_COnFIG=/etc/krb5.conf" >>/etc/profile
echo "export KRB5_KDC_PROFILE=/var/kerberos/krb5kdc/kdc.conf" >>/etc/profile

Slave 端安装

[root@agent02 ~]$ yum install krb5-server krb5-libs krb5-workstation -y

在 /etc/krb5.conf 中添加从机 kdc 配置（M端操作）

# 原配置如下：
[libdefaults]
renew_lifetime = 7d
forwardable = true
default_realm = TEST.COM
ticket_lifetime = 24h
dns_lookup_realm = false
dns_lookup_kdc = false
default_ccache_name = /tmp/krb5cc_%{uid}
#default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
#default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
[logging]
default = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
kdc = FILE:/var/log/krb5kdc.log
[realms]
TEST.COM = {
admin_server = agent01.ambari.com
kdc = agent01.ambari.com
}
# 修改后的配置如下：
[libdefaults]
renew_lifetime = 7d
forwardable = true
default_realm = TEST.COM
ticket_lifetime = 24h
dns_lookup_realm = false
dns_lookup_kdc = false
default_ccache_name = /tmp/krb5cc_%{uid}
#default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
#default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
[logging]
default = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
kdc = FILE:/var/log/krb5kdc.log
[realms]
TEST.COM = {
admin_server = agent01.ambari.com
kdc = agent01.ambari.com
*kdc = agent02.ambari.com* # 此处为新添加配置项
}

分别为 Master/Slave 端创建 Principal（M端操作）

[root@agent01 ~]$ kadmin.local
kadmin.local: addprinc -randkey host/agent01.ambari.com
WARNING: no policy specified for host/agent01.ambari.com@TEST.COM; defaulting to no policy
Principal "host/agent01.ambari.com@TEST.COM" created.
kadmin.local: addprinc -randkey host/agent02.ambari.com
WARNING: no policy specified for host/agent02.ambari.com@TEST.COM; defaulting to no policy
Principal "host/agent02.ambari.com@TEST.COM" created.
kadmin.local: quit

分别为 Master/Slave 端提取 Principal 的认证 Keytab（M端操作）

[root@agent01 ~]$ kadmin.local -q "ktadd host/agent01.ambari.com@TEST.COM"
Authenticating as principal root/admin@TEST.COM with password.
Entry for principal host/agent01.ambari.com@TEST.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/agent01.ambari.com@TEST.COM with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/agent01.ambari.com@TEST.COM with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/agent01.ambari.com@TEST.COM with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/agent01.ambari.com@TEST.COM with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/agent01.ambari.com@TEST.COM with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/agent01.ambari.com@TEST.COM with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/agent01.ambari.com@TEST.COM with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.
[root@agent01 ~]$ kadmin.local -q "ktadd -k /etc/agent02.keytab host/agent02.ambari.com@TEST.COM"
Authenticating as principal root/admin@TEST.COM with password.
Entry for principal host/agent02.ambari.com@TEST.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/agent02.keytab.
Entry for principal host/agent02.ambari.com@TEST.COM with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/agent02.keytab.
Entry for principal host/agent02.ambari.com@TEST.COM with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/agent02.keytab.
Entry for principal host/agent02.ambari.com@TEST.COM with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/agent02.keytab.
Entry for principal host/agent02.ambari.com@TEST.COM with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/agent02.keytab.
Entry for principal host/agent02.ambari.com@TEST.COM with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/agent02.keytab.
Entry for principal host/agent02.ambari.com@TEST.COM with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/agent02.keytab.
Entry for principal host/agent02.ambari.com@TEST.COM with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/agent02.keytab.
[root@agent01 ~]$ scp /etc/agent02.keytab agent02.ambari.com:/etc/krb5.keytab

将 Master 端相关文件分发至 Slave 端（M端操作）

[root@agent01 ~]$ scp /etc/krb5.conf agent02.ambari.com:/etc/
[root@agent01 ~]$ scp /var/kerberos/krb5kdc/kdc.conf /var/kerberos/krb5kdc/kadm5.acl /var/kerberos/krb5kdc/.k5.TEST.COM agent02.ambari.com:/var/kerberos/krb5kdc/

创建 Slave 端数据库

[root@agent02 ~]$ kdb5_util create -r TEST.COM -s

创建 Principal

[root@agent02 ~]$ kadmin.local
kadmin.local: addprinc -randkey host/agent02.ambari.com@TEST.COM
WARNING: no policy specified for host/agent02.ambari.com@TEST.COM; defaulting to no policy
Principal "host/agent02.ambari.com@TEST.COM" created.
kadmin.local: addprinc -randkey host/agent01.ambari.com@TEST.COM
WARNING: no policy specified for host/agent01.ambari.com@TEST.COM; defaulting to no policy
Principal "host/agent01.ambari.com@TEST.COM" created.
kadmin.local: quit

Master 端数据库数据通过 kpropd 进程传输，创建 kpropd.acl 文件明确可进行数据 dump & update & transfer 的 principal

[root@agent02 ~]$ cat >>/var/kerberos/krb5kdc/kpropd.acl<> host/agent01.ambari.com@TEST.COM
> host/agent02.ambari.com@TEST.COM
> EOF
[root@agent02 ~]$ scp /var/kerberos/krb5kdc/kpropd.acl agent01.ambari.com:/var/kerberos/krb5kdc/

创建 /etc/inetd.conf

[root@agent02 ~]$ cat >>/etc/inetd.conf<krb5_prop stream tcp nowait root /usr/sbin/kpropd kpropd
EOF

定义 kpropd daemon 名称及端口

[root@agent02 ~]$ echo "krb5_prop 754/tcp # Kerberos slave propagation" >>/etc/services

启动 kpropd daemon

[root@agent02 ~]$ systemctl start kprop.service

备份 kerberos-master 数据（M 端执行）

[root@agent01 ~]$ for n in 21 22;do ssh 10.0.2.$n "mkdir /var/kerberos/data_trans";done
[root@agent01 ~]$ kdb5_util dump /var/kerberos/data_trans/slave_datatrans

传输 Master 数据至 Slave（M 端执行）

[root@agent01 ~]$ kprop -f /var/kerberos/data_trans/slave_datatrans agent02.ambari.com
Database propagation to agent02.ambari.com: SUCCEEDED

创建数据传输脚本（M端操作）

[root@agent01 ~]$ cat >/var/kerberos/data_trans/data_transfor.sh<#!/bin/sh
set -e
datetime=$(date +%Y%m%d%H%M%S)
kdclist="agent02.ambari.com"
kdb5_util dump /var/kerberos/data_trans/slave_datatrans
for kdc in $kdclist
do
echo $datetime >>/var/kerberos/data_trans/data_transfor.log
kprop -f /var/kerberos/data_trans/slave_datatrans $kdc 2>&1 >>/var/kerberos/data_trans/data_transfor.log
done
EOF
[root@agent01 ~]$ scp /var/kerberos/data_trans/data_transfor.sh agent02.ambari.com:/var/kerberos/data_trans/

添加定时任务

# M 端操作
[root@agent01 ~]$ echo "0 * * * * /bin/sh /var/kerberos/data_trans/data_transfor.sh" >>/var/spool/cron/root
# S 端操作
[root@agent02 ~]$ echo "#0 * * * * /bin/sh /var/kerberos/data_trans/data_transfor.sh" >>/var/spool/cron/root

启动 Slave 端kdc进程

[root@agent02 ~]$ systemctl start krb5kdc.service
主从切换需要手动操作，手动启动从机kadmin daemon