Building a Big Data Platform with CDH - Kerberos High Availability Deployment [Final Part]
Author: Yin Zhengjie
Copyright notice: original work, reproduction prohibited! Violators will be held legally responsible.
I. Install the Kerberos packages and synchronize the configuration files
1>. Test environment
[root@node101.yinzhengjie.org.cn ~]# cat /etc/redhat-release
CentOS Linux release 7.6. (Core)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# free -h
total used free shared buff/cache available
Mem: .9G 265M .3G 9.5M 368M .4G
Swap: .0G 0B .0G
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# uname -r
3.10.-.el7.x86_64
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# uname -m
x86_64
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat /etc/hosts
#Primary KDC server
172.30.1.101 node101.yinzhengjie.org.cn node101
#Backup KDC server
172.30.1.102 node102.yinzhengjie.org.cn node102
#Other hosts, i.e. the Kerberos clients
172.30.1.103 node103.yinzhengjie.org.cn node103
172.30.1.110 node110.yinzhengjie.org.cn node110
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#
2>. Install the required Kerberos packages on the primary KDC server and edit the corresponding configuration files
[root@node101.yinzhengjie.org.cn ~]# yum -y install krb5-server krb5-auth-dialog krb5-workstation krb5-devel krb5-libs
Loaded plugins: fastestmirror
Determining fastest mirrors
* base: mirrors.aliyun.com
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
base | 3.6 kB ::
extras | 3.4 kB ::
mysql-connectors-community | 2.5 kB ::
mysql-tools-community | 2.5 kB ::
mysql56-community | 2.5 kB ::
updates | 3.4 kB ::
zabbix | 2.9 kB ::
zabbix-non-supported | B ::
(/): extras//x86_64/primary_db | kB ::
(/): mysql-connectors-community/x86_64/primary_db | kB ::
(/): mysql-tools-community/x86_64/primary_db | kB ::
(/): updates//x86_64/primary_db | 4.2 MB ::
No package krb5-auth-dialog available.
Resolving Dependencies
--> Running transaction check
---> Package krb5-devel.x86_64 :1.15.-.el7_6 will be installed
--> Processing Dependency: libkadm5(x86-) = 1.15.-.el7_6 for package: krb5-devel-1.15.-.el7_6.x86_64
--> Processing Dependency: libverto-devel for package: krb5-devel-1.15.-.el7_6.x86_64
--> Processing Dependency: libselinux-devel for package: krb5-devel-1.15.-.el7_6.x86_64
--> Processing Dependency: libcom_err-devel for package: krb5-devel-1.15.-.el7_6.x86_64
--> Processing Dependency: keyutils-libs-devel for package: krb5-devel-1.15.-.el7_6.x86_64
---> Package krb5-libs.x86_64 :1.15.-.el7 will be updated
---> Package krb5-libs.x86_64 :1.15.-.el7_6 will be an update
---> Package krb5-server.x86_64 :1.15.-.el7_6 will be installed
updates//x86_64/filelists_db | 3.4 MB ::
--> Processing Dependency: libverto-module-base for package: krb5-server-1.15.-.el7_6.x86_64
--> Processing Dependency: /usr/share/dict/words for package: krb5-server-1.15.-.el7_6.x86_64
extras//x86_64/filelists_db | kB ::
mysql-connectors-community/x86_64/filelists_db | kB ::
mysql-tools-community/x86_64/filelists_db | kB ::
mysql56-community/x86_64/filelists_db | kB ::
zabbix/x86_64/filelists_db | kB ::
zabbix-non-supported/x86_64/filelists | B ::
---> Package krb5-workstation.x86_64 :1.15.-.el7_6 will be installed
--> Running transaction check
---> Package keyutils-libs-devel.x86_64 :1.5.-.el7 will be installed
---> Package libcom_err-devel.x86_64 :1.42.-.el7 will be installed
---> Package libkadm5.x86_64 :1.15.-.el7_6 will be installed
---> Package libselinux-devel.x86_64 :2.5-14.1.el7 will be installed
--> Processing Dependency: libsepol-devel(x86-) >= 2.5- for package: libselinux-devel-2.5-14.1.el7.x86_64
--> Processing Dependency: pkgconfig(libsepol) for package: libselinux-devel-2.5-14.1.el7.x86_64
--> Processing Dependency: pkgconfig(libpcre) for package: libselinux-devel-2.5-14.1.el7.x86_64
---> Package libverto-devel.x86_64 :0.2.-.el7 will be installed
---> Package libverto-libevent.x86_64 :0.2.-.el7 will be installed
---> Package words.noarch :3.0-.el7 will be installed
--> Running transaction check
---> Package libsepol-devel.x86_64 :2.5-.el7 will be installed
---> Package pcre-devel.x86_64 :8.32-.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===================================================================================================================================================================================================================
Package Arch Version Repository Size
===================================================================================================================================================================================================================
Installing:
krb5-devel x86_64 1.15.-.el7_6 updates k
krb5-server x86_64 1.15.-.el7_6 updates 1.0 M
krb5-workstation x86_64 1.15.-.el7_6 updates k
Updating:
krb5-libs x86_64 1.15.-.el7_6 updates k
Installing for dependencies:
keyutils-libs-devel x86_64 1.5.-.el7 base k
libcom_err-devel x86_64 1.42.-.el7 base k
libkadm5 x86_64 1.15.-.el7_6 updates k
libselinux-devel x86_64 2.5-14.1.el7 base k
libsepol-devel x86_64 2.5-.el7 base k
libverto-devel x86_64 0.2.-.el7 base k
libverto-libevent x86_64 0.2.-.el7 base 8.9 k
pcre-devel x86_64 8.32-.el7 base k
words noarch 3.0-.el7 base 1.4 M

Transaction Summary
===================================================================================================================================================================================================================
Install Packages (+ Dependent packages)
Upgrade Package

Total download size: 5.2 M
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
(/): keyutils-libs-devel-1.5.-.el7.x86_64.rpm | kB ::
(/): krb5-devel-1.15.-.el7_6.x86_64.rpm | kB ::
(/): krb5-libs-1.15.-.el7_6.x86_64.rpm | kB ::
(/): libcom_err-devel-1.42.-.el7.x86_64.rpm | kB ::
(/): krb5-server-1.15.-.el7_6.x86_64.rpm | 1.0 MB ::
(/): krb5-workstation-1.15.-.el7_6.x86_64.rpm | kB ::
(/): libkadm5-1.15.-.el7_6.x86_64.rpm | kB ::
(/): libsepol-devel-2.5-.el7.x86_64.rpm | kB ::
(/): libselinux-devel-2.5-14.1.el7.x86_64.rpm | kB ::
(/): libverto-devel-0.2.-.el7.x86_64.rpm | kB ::
(/): libverto-libevent-0.2.-.el7.x86_64.rpm | 8.9 kB ::
(/): pcre-devel-8.32-.el7.x86_64.rpm | kB ::
(/): words-3.0-.el7.noarch.rpm | 1.4 MB ::
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 2.3 MB/s | 5.2 MB ::
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Updating : krb5-libs-1.15.-.el7_6.x86_64 /
Installing : libkadm5-1.15.-.el7_6.x86_64 /
Installing : words-3.0-.el7.noarch /
Installing : libcom_err-devel-1.42.-.el7.x86_64 /
Installing : libsepol-devel-2.5-.el7.x86_64 /
Installing : pcre-devel-8.32-.el7.x86_64 /
Installing : libselinux-devel-2.5-14.1.el7.x86_64 /
Installing : libverto-libevent-0.2.-.el7.x86_64 /
Installing : libverto-devel-0.2.-.el7.x86_64 /
Installing : keyutils-libs-devel-1.5.-.el7.x86_64 /
Installing : krb5-devel-1.15.-.el7_6.x86_64 /
Installing : krb5-server-1.15.-.el7_6.x86_64 /
Installing : krb5-workstation-1.15.-.el7_6.x86_64 /
Cleanup : krb5-libs-1.15.-.el7.x86_64 /
Verifying : keyutils-libs-devel-1.5.-.el7.x86_64 /
Verifying : libverto-devel-0.2.-.el7.x86_64 /
Verifying : krb5-workstation-1.15.-.el7_6.x86_64 /
Verifying : krb5-libs-1.15.-.el7_6.x86_64 /
Verifying : libkadm5-1.15.-.el7_6.x86_64 /
Verifying : libverto-libevent-0.2.-.el7.x86_64 /
Verifying : pcre-devel-8.32-.el7.x86_64 /
Verifying : libselinux-devel-2.5-14.1.el7.x86_64 /
Verifying : krb5-server-1.15.-.el7_6.x86_64 /
Verifying : libsepol-devel-2.5-.el7.x86_64 /
Verifying : libcom_err-devel-1.42.-.el7.x86_64 /
Verifying : krb5-devel-1.15.-.el7_6.x86_64 /
Verifying : words-3.0-.el7.noarch /
Verifying : krb5-libs-1.15.-.el7.x86_64 /

Installed:
krb5-devel.x86_64 :1.15.-.el7_6 krb5-server.x86_64 :1.15.-.el7_6 krb5-workstation.x86_64 :1.15.-.el7_6

Dependency Installed:
keyutils-libs-devel.x86_64 :1.5.-.el7 libcom_err-devel.x86_64 :1.42.-.el7 libkadm5.x86_64 :1.15.-.el7_6 libselinux-devel.x86_64 :2.5-14.1.el7 libsepol-devel.x86_64 :2.5-.el7
libverto-devel.x86_64 :0.2.-.el7 libverto-libevent.x86_64 :0.2.-.el7 pcre-devel.x86_64 :8.32-.el7 words.noarch :3.0-.el7

Updated:
krb5-libs.x86_64 :1.15.-.el7_6

Complete!
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = YINZHENGJIE.COM
 kdc_timeout =
 max_retries =
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 10d
 renew_lifetime = 10d
 renewable = false
 forwardable = false

[realms]
 YINZHENGJIE.COM = {
  kdc = node101.yinzhengjie.org.cn:
  kdc = node102.yinzhengjie.org.cn:
  admin_server = node101.yinzhengjie.org.cn:
  default_domain = YINZHENGJIE.COM
 }

[domain_realm]
 .yinzhengjie.com = YINZHENGJIE.COM
 yinzhengjie.com = YINZHENGJIE.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 kdc_ports =
 kdc_tcp_ports =

[realms]
 YINZHENGJIE.COM = {
  master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
  max_life = 10d
  max_renewable_life = 10d
 }
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat /var/kerberos/krb5kdc/kadm5.acl
*/admin@YINZHENGJIE.COM *
[root@node101.yinzhengjie.org.cn ~]#
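The supported_enctypes line in the kdc.conf above still offers single-DES and RC4 (arcfour) keys, and the keytab extraction in step 4 shows that every host principal then gets a key of each of those types. The following shell script is an added example, not part of the original post: it pulls the legacy types out of a kdc.conf so the realm settings can be checked before kdb5_util create runs. Both configuration samples are constructed; the first mirrors the post's realm block, the second is an AES-only variant.

```shell
#!/bin/sh
# Added example, not part of the original post: list legacy encryption types
# from the supported_enctypes line of a kdc.conf. Both samples below are
# constructed; the first mirrors the realm block shown in the post.

# Constructed sample: realm block as configured in the post (ports omitted).
KDC_CONF_POST='[realms]
 YINZHENGJIE.COM = {
  master_key_type = aes256-cts
  supported_enctypes = aes256-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
  max_life = 10d
 }'

# Constructed sample: the same block restricted to AES, which is what a new realm should offer.
KDC_CONF_AES_ONLY='[realms]
 YINZHENGJIE.COM = {
  master_key_type = aes256-cts
  supported_enctypes = aes256-cts:normal aes128-cts:normal
  max_life = 10d
 }'

# Print, one per line, the supported_enctypes entries that are single DES or RC4
# (arcfour). The des- prefix does not match des3-* because of the "3".
legacy_enctypes() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*supported_enctypes[[:space:]]*=[[:space:]]*//p' \
        | tr ' ' '\n' \
        | sed 's/:.*$//' \
        | grep -E '^(des-|arcfour-)' || true
}

# Return 0 when the configuration offers no legacy enctype, 1 otherwise.
enctypes_are_modern() {
    [ -z "$(legacy_enctypes "$1")" ]
}
```

On a KDC, run legacy_enctypes "$(cat /var/kerberos/krb5kdc/kdc.conf)" before the database is created; once principals exist with legacy keys, removing the types from supported_enctypes does not remove the keys already issued.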
3>. Install the required Kerberos packages on the backup KDC server and edit the corresponding configuration files
[root@node102.yinzhengjie.org.cn ~]# yum install -y krb5-server openldap-clients krb5-workstation krb5-libs
Loaded plugins: fastestmirror
Determining fastest mirrors
* base: mirrors.aliyun.com
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
base | 3.6 kB ::
extras | 3.4 kB ::
updates | 3.4 kB ::
zabbix | 2.9 kB ::
zabbix-non-supported | B ::
(/): extras//x86_64/primary_db | kB ::
(/): updates//x86_64/primary_db | 4.2 MB ::
Resolving Dependencies
--> Running transaction check
---> Package krb5-libs.x86_64 :1.15.-.el7 will be updated
---> Package krb5-libs.x86_64 :1.15.-.el7_6 will be an update
---> Package krb5-server.x86_64 :1.15.-.el7_6 will be installed
updates//x86_64/filelists_db | 3.4 MB ::
--> Processing Dependency: libkadm5(x86-) = 1.15.-.el7_6 for package: krb5-server-1.15.-.el7_6.x86_64
--> Processing Dependency: libverto-module-base for package: krb5-server-1.15.-.el7_6.x86_64
--> Processing Dependency: libkadm5srv_mit.so.(kadm5srv_mit_11_MIT)(64bit) for package: krb5-server-1.15.-.el7_6.x86_64
--> Processing Dependency: libkadm5clnt_mit.so.(kadm5clnt_mit_11_MIT)(64bit) for package: krb5-server-1.15.-.el7_6.x86_64
--> Processing Dependency: /usr/share/dict/words for package: krb5-server-1.15.-.el7_6.x86_64
extras//x86_64/filelists_db | kB ::
zabbix/x86_64/filelists_db | kB ::
zabbix-non-supported/x86_64/filelists | B ::
--> Processing Dependency: libkadm5srv_mit.so.()(64bit) for package: krb5-server-1.15.-.el7_6.x86_64
--> Processing Dependency: libkadm5clnt_mit.so.()(64bit) for package: krb5-server-1.15.-.el7_6.x86_64
---> Package krb5-workstation.x86_64 :1.15.-.el7_6 will be installed
---> Package openldap-clients.x86_64 :2.4.-.el7_6 will be installed
--> Processing Dependency: openldap(x86-) = 2.4.-.el7_6 for package: openldap-clients-2.4.-.el7_6.x86_64
--> Running transaction check
---> Package libkadm5.x86_64 :1.15.-.el7_6 will be installed
---> Package libverto-libevent.x86_64 :0.2.-.el7 will be installed
--> Processing Dependency: libevent-2.0.so.()(64bit) for package: libverto-libevent-0.2.-.el7.x86_64
---> Package openldap.x86_64 :2.4.-.el7 will be updated
---> Package openldap.x86_64 :2.4.-.el7_6 will be an update
---> Package words.noarch :3.0-.el7 will be installed
--> Running transaction check
---> Package libevent.x86_64 :2.0.-.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===================================================================================================================================================================================================================
Package Arch Version Repository Size
===================================================================================================================================================================================================================
Installing:
krb5-server x86_64 1.15.-.el7_6 updates 1.0 M
krb5-workstation x86_64 1.15.-.el7_6 updates k
openldap-clients x86_64 2.4.-.el7_6 updates k
Updating:
krb5-libs x86_64 1.15.-.el7_6 updates k
Installing for dependencies:
libevent x86_64 2.0.-.el7 base k
libkadm5 x86_64 1.15.-.el7_6 updates k
libverto-libevent x86_64 0.2.-.el7 base 8.9 k
words noarch 3.0-.el7 base 1.4 M
Updating for dependencies:
openldap x86_64 2.4.-.el7_6 updates k

Transaction Summary
===================================================================================================================================================================================================================
Install Packages (+ Dependent packages)
Upgrade Package (+ Dependent package)

Total download size: 4.9 M
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
(/): krb5-libs-1.15.-.el7_6.x86_64.rpm | kB ::
(/): libevent-2.0.-.el7.x86_64.rpm | kB ::
(/): krb5-server-1.15.-.el7_6.x86_64.rpm | 1.0 MB ::
(/): libkadm5-1.15.-.el7_6.x86_64.rpm | kB ::
(/): krb5-workstation-1.15.-.el7_6.x86_64.rpm | kB ::
(/): openldap-clients-2.4.-.el7_6.x86_64.rpm | kB ::
(/): openldap-2.4.-.el7_6.x86_64.rpm | kB ::
(/): words-3.0-.el7.noarch.rpm | 1.4 MB ::
(/): libverto-libevent-0.2.-.el7.x86_64.rpm | 8.9 kB ::
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total kB/s | 4.9 MB ::
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Updating : krb5-libs-1.15.-.el7_6.x86_64 /
Installing : libkadm5-1.15.-.el7_6.x86_64 /
Installing : words-3.0-.el7.noarch /
Updating : openldap-2.4.-.el7_6.x86_64 /
Installing : libevent-2.0.-.el7.x86_64 /
Installing : libverto-libevent-0.2.-.el7.x86_64 /
Installing : krb5-server-1.15.-.el7_6.x86_64 /
Installing : openldap-clients-2.4.-.el7_6.x86_64 /
Installing : krb5-workstation-1.15.-.el7_6.x86_64 /
Cleanup : openldap-2.4.-.el7.x86_64 /
Cleanup : krb5-libs-1.15.-.el7.x86_64 /
Verifying : krb5-workstation-1.15.-.el7_6.x86_64 /
Verifying : krb5-libs-1.15.-.el7_6.x86_64 /
Verifying : libkadm5-1.15.-.el7_6.x86_64 /
Verifying : libevent-2.0.-.el7.x86_64 /
Verifying : libverto-libevent-0.2.-.el7.x86_64 /
Verifying : krb5-server-1.15.-.el7_6.x86_64 /
Verifying : openldap-2.4.-.el7_6.x86_64 /
Verifying : openldap-clients-2.4.-.el7_6.x86_64 /
Verifying : words-3.0-.el7.noarch /
Verifying : krb5-libs-1.15.-.el7.x86_64 /
Verifying : openldap-2.4.-.el7.x86_64 /

Installed:
krb5-server.x86_64 :1.15.-.el7_6 krb5-workstation.x86_64 :1.15.-.el7_6 openldap-clients.x86_64 :2.4.-.el7_6

Dependency Installed:
libevent.x86_64 :2.0.-.el7 libkadm5.x86_64 :1.15.-.el7_6 libverto-libevent.x86_64 :0.2.-.el7 words.noarch :3.0-.el7

Updated:
krb5-libs.x86_64 :1.15.-.el7_6

Dependency Updated:
openldap.x86_64 :2.4.-.el7_6

Complete!
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]# cat /var/kerberos/krb5kdc/kpropd.acl
host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM
[root@node102.yinzhengjie.org.cn ~]#
4>. Initialize the primary KDC database and create the principals. The purpose of this step is to generate the "krb5.keytab" file, which the next step copies to the backup KDC
[root@node101.yinzhengjie.org.cn ~]# kdb5_util create -r YINZHENGJIE.COM -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'YINZHENGJIE.COM',
master key name 'K/M@YINZHENGJIE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# kadmin.local -q "ank -randkey host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM"
Authenticating as principal root/admin@YINZHENGJIE.COM with password.
WARNING: no policy specified for host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM; defaulting to no policy
Principal "host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM" created.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# kadmin.local -q "ank -randkey host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM"
Authenticating as principal root/admin@YINZHENGJIE.COM with password.
WARNING: no policy specified for host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM; defaulting to no policy
Principal "host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM" created.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# kadmin.local -q "xst host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM"
Authenticating as principal root/admin@YINZHENGJIE.COM with password.
Entry for principal host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno , encryption type aes256-cts-hmac-sha1- added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno , encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno , encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno , encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno , encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# kadmin.local -q "xst host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM"
Authenticating as principal root/admin@YINZHENGJIE.COM with password.
Entry for principal host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno , encryption type aes256-cts-hmac-sha1- added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno , encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno , encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno , encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno , encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# klist -ket /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
// :: host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM (aes256-cts-hmac-sha1-)
// :: host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM (des3-cbc-sha1)
// :: host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM (arcfour-hmac)
// :: host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM (des-hmac-sha1)
// :: host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM (des-cbc-md5)
// :: host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM (aes256-cts-hmac-sha1-)
// :: host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM (des3-cbc-sha1)
// :: host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM (arcfour-hmac)
// :: host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM (des-hmac-sha1)
// :: host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM (des-cbc-md5)
[root@node101.yinzhengjie.org.cn ~]#
5>. Copy the master node's data to the slave node
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# scp /etc/krb5.conf node102.yinzhengjie.org.cn:/etc/
krb5.conf % .6MB/s :
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# scp /var/kerberos/krb5kdc/kdc.conf node102.yinzhengjie.org.cn:/var/kerberos/krb5kdc/
kdc.conf % .7KB/s :
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# scp /var/kerberos/krb5kdc/kadm5.acl node102.yinzhengjie.org.cn:/var/kerberos/krb5kdc/
kadm5.acl % .0KB/s :
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# scp /var/kerberos/krb5kdc/.k5.YINZHENGJIE.COM node102.yinzhengjie.org.cn:/var/kerberos/krb5kdc/
.k5.YINZHENGJIE.COM % .2KB/s :
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# scp /etc/krb5.keytab node102.yinzhengjie.org.cn:/etc/krb5.keytab
krb5.keytab % .6MB/s :
[root@node101.yinzhengjie.org.cn ~]#
6>. Install the corresponding packages on the other hosts, and copy the primary KDC's
[root@node103.yinzhengjie.org.cn ~]# yum install -y krb5-workstation krb5-devel
Loaded plugins: fastestmirror
Determining fastest mirrors
* base: mirrors.aliyun.com
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
base | 3.6 kB ::
extras | 3.4 kB ::
updates | 3.4 kB ::
zabbix | 2.9 kB ::
zabbix-non-supported | B ::
(/): extras//x86_64/primary_db | kB ::
(/): updates//x86_64/primary_db | 4.2 MB ::
Resolving Dependencies
--> Running transaction check
---> Package krb5-devel.x86_64 :1.15.-.el7_6 will be installed
--> Processing Dependency: libkadm5(x86-) = 1.15.-.el7_6 for package: krb5-devel-1.15.-.el7_6.x86_64
--> Processing Dependency: krb5-libs(x86-) = 1.15.-.el7_6 for package: krb5-devel-1.15.-.el7_6.x86_64
--> Processing Dependency: libverto-devel for package: krb5-devel-1.15.-.el7_6.x86_64
--> Processing Dependency: libselinux-devel for package: krb5-devel-1.15.-.el7_6.x86_64
--> Processing Dependency: libcom_err-devel for package: krb5-devel-1.15.-.el7_6.x86_64
--> Processing Dependency: keyutils-libs-devel for package: krb5-devel-1.15.-.el7_6.x86_64
---> Package krb5-workstation.x86_64 :1.15.-.el7_6 will be installed
--> Running transaction check
---> Package keyutils-libs-devel.x86_64 :1.5.-.el7 will be installed
---> Package krb5-libs.x86_64 :1.15.-.el7 will be updated
---> Package krb5-libs.x86_64 :1.15.-.el7_6 will be an update
---> Package libcom_err-devel.x86_64 :1.42.-.el7 will be installed
---> Package libkadm5.x86_64 :1.15.-.el7_6 will be installed
---> Package libselinux-devel.x86_64 :2.5-14.1.el7 will be installed
--> Processing Dependency: libsepol-devel(x86-) >= 2.5- for package: libselinux-devel-2.5-14.1.el7.x86_64
--> Processing Dependency: pkgconfig(libsepol) for package: libselinux-devel-2.5-14.1.el7.x86_64
--> Processing Dependency: pkgconfig(libpcre) for package: libselinux-devel-2.5-14.1.el7.x86_64
---> Package libverto-devel.x86_64 :0.2.-.el7 will be installed
--> Running transaction check
---> Package libsepol-devel.x86_64 :2.5-.el7 will be installed
---> Package pcre-devel.x86_64 :8.32-.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===================================================================================================================================================================================================================
Package Arch Version Repository Size
===================================================================================================================================================================================================================
Installing:
krb5-devel x86_64 1.15.-.el7_6 updates k
krb5-workstation x86_64 1.15.-.el7_6 updates k
Installing for dependencies:
keyutils-libs-devel x86_64 1.5.-.el7 base k
libcom_err-devel x86_64 1.42.-.el7 base k
libkadm5 x86_64 1.15.-.el7_6 updates k
libselinux-devel x86_64 2.5-14.1.el7 base k
libsepol-devel x86_64 2.5-.el7 base k
libverto-devel x86_64 0.2.-.el7 base k
pcre-devel x86_64 8.32-.el7 base k
Updating for dependencies:
krb5-libs x86_64 1.15.-.el7_6 updates k

Transaction Summary
===================================================================================================================================================================================================================
Install Packages (+ Dependent packages)
Upgrade ( Dependent package)

Total download size: 2.8 M
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
(/): krb5-devel-1.15.-.el7_6.x86_64.rpm | kB ::
(/): keyutils-libs-devel-1.5.-.el7.x86_64.rpm | kB ::
(/): krb5-libs-1.15.-.el7_6.x86_64.rpm | kB ::
(/): libkadm5-1.15.-.el7_6.x86_64.rpm | kB ::
(/): krb5-workstation-1.15.-.el7_6.x86_64.rpm | kB ::
(/): libselinux-devel-2.5-14.1.el7.x86_64.rpm | kB ::
(/): libsepol-devel-2.5-.el7.x86_64.rpm | kB ::
(/): libverto-devel-0.2.-.el7.x86_64.rpm | kB ::
(/): pcre-devel-8.32-.el7.x86_64.rpm | kB ::
(/): libcom_err-devel-1.42.-.el7.x86_64.rpm | kB ::
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total kB/s | 2.8 MB ::
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Updating : krb5-libs-1.15.-.el7_6.x86_64 /
Installing : libkadm5-1.15.-.el7_6.x86_64 /
Installing : libcom_err-devel-1.42.-.el7.x86_64 /
Installing : libsepol-devel-2.5-.el7.x86_64 /
Installing : pcre-devel-8.32-.el7.x86_64 /
Installing : libselinux-devel-2.5-14.1.el7.x86_64 /
Installing : libverto-devel-0.2.-.el7.x86_64 /
Installing : keyutils-libs-devel-1.5.-.el7.x86_64 /
Installing : krb5-devel-1.15.-.el7_6.x86_64 /
Installing : krb5-workstation-1.15.-.el7_6.x86_64 /
Cleanup : krb5-libs-1.15.-.el7.x86_64 /
Verifying : keyutils-libs-devel-1.5.-.el7.x86_64 /
Verifying : libverto-devel-0.2.-.el7.x86_64 /
Verifying : krb5-workstation-1.15.-.el7_6.x86_64 /
Verifying : krb5-libs-1.15.-.el7_6.x86_64 /
Verifying : libkadm5-1.15.-.el7_6.x86_64 /
Verifying : pcre-devel-8.32-.el7.x86_64 /
Verifying : libselinux-devel-2.5-14.1.el7.x86_64 /
Verifying : libsepol-devel-2.5-.el7.x86_64 /
Verifying : libcom_err-devel-1.42.-.el7.x86_64 /
Verifying : krb5-devel-1.15.-.el7_6.x86_64 /
Verifying : krb5-libs-1.15.-.el7.x86_64 /

Installed:
krb5-devel.x86_64 :1.15.-.el7_6 krb5-workstation.x86_64 :1.15.-.el7_6

Dependency Installed:
keyutils-libs-devel.x86_64 :1.5.-.el7 libcom_err-devel.x86_64 :1.42.-.el7 libkadm5.x86_64 :1.15.-.el7_6 libselinux-devel.x86_64 :2.5-14.1.el7 libsepol-devel.x86_64 :2.5-.el7
libverto-devel.x86_64 :0.2.-.el7 pcre-devel.x86_64 :8.32-.el7

Dependency Updated:
krb5-libs.x86_64 :1.15.-.el7_6

Complete!
[root@node103.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# scp /etc/krb5.conf node103.yinzhengjie.org.cn:/etc/krb5.conf
krb5.conf % .7MB/s :
[root@node101.yinzhengjie.org.cn ~]#
7>. Back up the configuration files (needed on both the primary and the backup)
To be updated....
II. Configure primary-to-backup KDC synchronization
1>. Start the services on the primary and backup KDCs
[root@node101.yinzhengjie.org.cn ~]# systemctl start krb5kdc
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# systemctl status krb5kdc
● krb5kdc.service - Kerberos KDC
Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)
Active: active (running) since Fri -- :: CST; 4s ago
Process: ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=/SUCCESS)
Main PID: (krb5kdc)
CGroup: /system.slice/krb5kdc.service
└─ /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid

May :: node101.yinzhengjie.org.cn systemd[]: Starting Kerberos KDC...
May :: node101.yinzhengjie.org.cn systemd[]: Started Kerberos KDC.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# systemctl enable krb5kdc
Created symlink from /etc/systemd/system/multi-user.target.wants/krb5kdc.service to /usr/lib/systemd/system/krb5kdc.service.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# systemctl start krb5kdc #run on the primary KDC
[root@node101.yinzhengjie.org.cn ~]# systemctl start kadmin
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# systemctl status kadmin
● kadmin.service - Kerberos Password-changing and Administration
Loaded: loaded (/usr/lib/systemd/system/kadmin.service; disabled; vendor preset: disabled)
Active: active (running) since Fri -- :: CST; 1s ago
Process: ExecStart=/usr/sbin/_kadmind -P /var/run/kadmind.pid $KADMIND_ARGS (code=exited, status=/SUCCESS)
Main PID: (kadmind)
CGroup: /system.slice/kadmin.service
└─ /usr/sbin/kadmind -P /var/run/kadmind.pid

May :: node101.yinzhengjie.org.cn systemd[]: Starting Kerberos Password-changing and Administration...
May :: node101.yinzhengjie.org.cn systemd[]: Started Kerberos Password-changing and Administration.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# systemctl enable kadmin
Created symlink from /etc/systemd/system/multi-user.target.wants/kadmin.service to /usr/lib/systemd/system/kadmin.service.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# systemctl start kadmin #run on the primary KDC
[root@node102.yinzhengjie.org.cn ~]# systemctl start kprop
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]# systemctl status kprop
● kprop.service - Kerberos Propagation
Loaded: loaded (/usr/lib/systemd/system/kprop.service; disabled; vendor preset: disabled)
Active: active (running) since Fri -- :: CST; 1s ago
Process: ExecStart=/usr/sbin/_kpropd $KPROPD_ARGS (code=exited, status=/SUCCESS)
Main PID: (kpropd)
CGroup: /system.slice/kprop.service
└─ /usr/sbin/kpropd

May :: node102.yinzhengjie.org.cn systemd[]: Starting Kerberos Propagation...
May :: node102.yinzhengjie.org.cn systemd[]: Started Kerberos Propagation.
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]# systemctl enable kprop
Created symlink from /etc/systemd/system/multi-user.target.wants/kprop.service to /usr/lib/systemd/system/kprop.service.
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]# systemctl start kprop #run on the backup KDC
2>. Synchronize the primary KDC database to the backup KDC
[root@node101.yinzhengjie.org.cn ~]# kdb5_util dump /var/kerberos/krb5kdc/slave_datatrans
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# kprop -f /var/kerberos/krb5kdc/slave_datatrans node102.yinzhengjie.org.cn #If this step fails (for example with "kprop: Key table entry not found while getting initial credentials"), check whether steps 3 and 4 of part I were followed exactly, e.g. whether the host names match
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
[root@node101.yinzhengjie.org.cn ~]#

Tip:
The operations above synchronize the primary KDC's principal data to the backup KDC by hand; we can write a script that runs these two commands periodically.
[root@node101.yinzhengjie.org.cn ~]# mkdir /var/kerberos/{shell,log}
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# vi /var/kerberos/shell/dump_principal.sh
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# chmod +x /var/kerberos/shell/dump_principal.sh
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# which kdb5_util
/usr/sbin/kdb5_util
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# which kprop
/usr/sbin/kprop
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat /var/kerberos/shell/dump_principal.sh
#!/bin/bash
#@author :yinzhengjie
#blog:http://www.cnblogs.com/yinzhengjie
#EMAIL:y1053419035@qq.com
#Date:Thu Oct :: CST
set -e  # stop here if the dump fails, so that a stale dump is never propagated
/usr/sbin/kdb5_util dump /var/kerberos/krb5kdc/slave_datatrans
/usr/sbin/kprop -f /var/kerberos/krb5kdc/slave_datatrans node102.yinzhengjie.org.cn
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# crontab -e
no crontab for root - using an empty one
crontab: installing new crontab
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# crontab -l
* * * * * /bin/date >> /var/kerberos/log/dump.log 2>&1;/var/kerberos/shell/dump_principal.sh >> /var/kerberos/log/dump.log 2>&1
* * * * * sleep ; /bin/date >> /var/kerberos/log/dump.log 2>&1; /var/kerberos/shell/dump_principal.sh >> /var/kerberos/log/dump.log 2>&1
* * * * * sleep ; /bin/date >> /var/kerberos/log/dump.log 2>&1; /var/kerberos/shell/dump_principal.sh >> /var/kerberos/log/dump.log 2>&1
* * * * * sleep ; /bin/date >> /var/kerberos/log/dump.log 2>&1; /var/kerberos/shell/dump_principal.sh >> /var/kerberos/log/dump.log 2>&1
* * * * * sleep ; /bin/date >> /var/kerberos/log/dump.log 2>&1; /var/kerberos/shell/dump_principal.sh >> /var/kerberos/log/dump.log 2>&1
* * * * * sleep ; /bin/date >> /var/kerberos/log/dump.log 2>&1; /var/kerberos/shell/dump_principal.sh >> /var/kerberos/log/dump.log 2>&1
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat /var/kerberos/shell/dump_principal.sh #write a script that periodically syncs the primary KDC data to the backup KDC
[root@node101.yinzhengjie.org.cn ~]# tail -100f /var/kerberos/log/dump.log
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
^C
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# tail -100f /var/kerberos/log/dump.log #view the entries recorded in the log
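The manual dump/kprop pair and the cron-driven dump_principal.sh above do the job, but they give cron no exit status to act on, log no timestamps per step and can overlap when several staggered entries fire while a previous run is still dumping. As an added example (not the author's dump_principal.sh, and not code from the MIT Kerberos project), here is a version of the sync script that checks each step, logs with timestamps, supports more than one backup KDC and takes a lock. The dump file, log path and backup hostname match the post; the KDB5_UTIL, KPROP, SLAVE_KDCS and LOCK_DIR variables, the lock directory, the `run` subcommand and the kdc_sync.sh name are assumptions made for this illustration.

```shell
#!/bin/bash
# kdc_sync.sh: dump the primary KDC database and propagate it to every backup
# KDC, checking each step, logging with timestamps and holding a lock so that
# overlapping cron runs cannot interleave two dumps of the same file.
# Added example, not the original dump_principal.sh; the variable names, the
# lock directory and the "run" subcommand are assumptions for this illustration.

# Overridable via the environment so the functions can be exercised with stubs.
KDB5_UTIL="${KDB5_UTIL:-/usr/sbin/kdb5_util}"
KPROP="${KPROP:-/usr/sbin/kprop}"
DUMP_FILE="${DUMP_FILE:-/var/kerberos/krb5kdc/slave_datatrans}"
LOG_FILE="${LOG_FILE:-/var/kerberos/log/dump.log}"
LOCK_DIR="${LOCK_DIR:-/var/run/kdc_sync.lock}"
# Space-separated backup KDCs; the post has one, more can be listed.
SLAVE_KDCS="${SLAVE_KDCS:-node102.yinzhengjie.org.cn}"

# log_msg LEVEL MESSAGE: one timestamped line per event, appended to the log.
log_msg() {
    printf '%s %s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$1" "$2" >> "$LOG_FILE"
}

# dump_database: write the principal database to DUMP_FILE.
# Returns 1 on failure so that a stale dump is never propagated.
dump_database() {
    if "$KDB5_UTIL" dump "$DUMP_FILE" >> "$LOG_FILE" 2>&1; then
        log_msg INFO "dump written to $DUMP_FILE"
        return 0
    fi
    log_msg ERROR "kdb5_util dump of $DUMP_FILE failed"
    return 1
}

# propagate_all: push the dump to each backup KDC.
# Returns the number of hosts that failed, so a partial failure is visible
# both in the log and in the exit status that cron reports.
propagate_all() {
    failed=0
    for host in $SLAVE_KDCS; do
        if "$KPROP" -f "$DUMP_FILE" "$host" >> "$LOG_FILE" 2>&1; then
            log_msg INFO "propagation to $host succeeded"
        else
            log_msg ERROR "propagation to $host failed"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# sync_once: dump then propagate under a mkdir lock (mkdir is atomic, so two
# runs cannot both acquire it). A run that finds the lock held logs a warning
# and exits 0: cron will try again shortly, and an overlapping dump would only
# risk corrupting the dump file.
sync_once() {
    if ! mkdir "$LOCK_DIR" 2>/dev/null; then
        log_msg WARN "another sync holds $LOCK_DIR, skipping this run"
        return 0
    fi
    trap 'rmdir "$LOCK_DIR" 2>/dev/null' EXIT   # release the lock on abnormal exit
    rc=0
    dump_database && propagate_all || rc=$?
    rmdir "$LOCK_DIR"
    trap - EXIT
    return "$rc"
}

# Only perform a real sync when invoked as "kdc_sync.sh run", so the file can
# be sourced (for instance by a test) without touching the KDC.
case "${1:-}" in
    run) sync_once ;;
esac
```

Install it with the same staggered crontab entries the post uses, replacing the `date` + `dump_principal.sh` pair by a single `/var/kerberos/shell/kdc_sync.sh run`; the script writes its own timestamps, and a non-zero exit status from a failed dump or propagation shows up in cron's mail or in whatever monitors cron on the host.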
3>. Start the backup KDC service
[root@node102.yinzhengjie.org.cn ~]# systemctl start krb5kdc
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]# systemctl status krb5kdc
● krb5kdc.service - Kerberos KDC
Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)
Active: active (running) since Fri -- :: CST; 1s ago
Process: ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=/SUCCESS)
Main PID: (krb5kdc)
CGroup: /system.slice/krb5kdc.service
└─ /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid
May :: node102.yinzhengjie.org.cn systemd[]: Starting Kerberos KDC...
May :: node102.yinzhengjie.org.cn systemd[]: Started Kerberos KDC.
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]# systemctl enable krb5kdc
Created symlink from /etc/systemd/system/multi-user.target.wants/krb5kdc.service to /usr/lib/systemd/system/krb5kdc.service.
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]# systemctl start krb5kdc
4>. Log in to the kadmin.local command line
As root, use the kadmin.local command: kadmin.local enters and manages the Kerberos database directly, without going through Kerberos authentication.
[root@node101.yinzhengjie.org.cn ~]# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# kadmin.local
Authenticating as principal root/admin@YINZHENGJIE.COM with password.
kadmin.local:
kadmin.local: listprincs
K/M@YINZHENGJIE.COM
host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kiprop/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
kadmin.local:
kadmin.local: quit
[root@node101.yinzhengjie.org.cn ~]#
5>. Use kadmin.local to add an administrator user
You can run "kadmin.local" to enter the kadmin.local command line, or use "kadmin.local -q" to specify the statement to execute directly.
[root@node101.yinzhengjie.org.cn ~]# kadmin.local -q "addprinc admin"
Authenticating as principal root/admin@YINZHENGJIE.COM with password.
WARNING: no policy specified for admin@YINZHENGJIE.COM; defaulting to no policy
Enter password for principal "admin@YINZHENGJIE.COM":
Re-enter password for principal "admin@YINZHENGJIE.COM":
Principal "admin@YINZHENGJIE.COM" created.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# kadmin.local -q "listprincs"
Authenticating as principal root/admin@YINZHENGJIE.COM with password.
K/M@YINZHENGJIE.COM
admin@YINZHENGJIE.COM #this is the administrator user we just added; clearly it was created successfully!
host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kiprop/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
[root@node101.yinzhengjie.org.cn ~]#
3. Verify the availability of the Kerberos cluster
1>. Log in from the Kerberos client
[root@node103.yinzhengjie.org.cn ~]# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]# kinit admin
Password for admin@YINZHENGJIE.COM: #type the password and press Enter; no further output means authentication succeeded
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@YINZHENGJIE.COM
Valid starting Expires Service principal
// :: // :: krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
Etype (skey, tkt): aes256-cts-hmac-sha1-, aes256-cts-hmac-sha1-
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]#
Explanation of the fields above:
Ticket cache: the ticket cache is stored in /tmp/krb5cc_0
Default principal: the authenticated user
Valid starting: the time from which the ticket is valid
Expires: the ticket's expiry date
Service principal: the principal corresponding to the service
renew until: the deadline until which the ticket can be renewed with kinit -R
Etype: the encryption type (etype) of the session key and of the ticket
2>. Check the running status of the primary KDC
[root@node101.yinzhengjie.org.cn ~]# systemctl status krb5kdc
● krb5kdc.service - Kerberos KDC
Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; enabled; vendor preset: disabled)
Active: active (running) since Fri -- :: CST; 40min ago
Main PID: (krb5kdc)
CGroup: /system.slice/krb5kdc.service
└─ /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid
May :: node101.yinzhengjie.org.cn systemd[]: Starting Kerberos KDC...
May :: node101.yinzhengjie.org.cn systemd[]: Started Kerberos KDC.
[root@node101.yinzhengjie.org.cn ~]#
3>. Check the running status of the backup KDC
[root@node102.yinzhengjie.org.cn ~]# systemctl status krb5kdc
● krb5kdc.service - Kerberos KDC
Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; enabled; vendor preset: disabled)
Active: active (running) since Fri -- :: CST; 16min ago
Main PID: (krb5kdc)
CGroup: /system.slice/krb5kdc.service
└─ /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid
May :: node102.yinzhengjie.org.cn systemd[]: Starting Kerberos KDC...
May :: node102.yinzhengjie.org.cn systemd[]: Started Kerberos KDC.
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]#
4>. Stop the primary KDC process and check whether the Kerberos client is still usable
[root@node101.yinzhengjie.org.cn ~]# systemctl status krb5kdc
● krb5kdc.service - Kerberos KDC
Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; enabled; vendor preset: disabled)
Active: active (running) since Fri -- :: CST; 2s ago
Process: ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=/SUCCESS)
Main PID: (krb5kdc)
CGroup: /system.slice/krb5kdc.service
└─ /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid
May :: node101.yinzhengjie.org.cn systemd[]: Starting Kerberos KDC...
May :: node101.yinzhengjie.org.cn systemd[]: Started Kerberos KDC.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# systemctl stop krb5kdc
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# systemctl status krb5kdc
● krb5kdc.service - Kerberos KDC
Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; enabled; vendor preset: disabled)
Active: inactive (dead) since Fri -- :: CST; 1s ago
Process: ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=/SUCCESS)
Main PID: (code=exited, status=/SUCCESS)
May :: node101.yinzhengjie.org.cn systemd[]: Starting Kerberos KDC...
May :: node101.yinzhengjie.org.cn systemd[]: Started Kerberos KDC.
May :: node101.yinzhengjie.org.cn systemd[]: Stopping Kerberos KDC...
May :: node101.yinzhengjie.org.cn systemd[]: Stopped Kerberos KDC.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# systemctl stop krb5kdc #stop the primary KDC service, then perform the following operations
[root@node103.yinzhengjie.org.cn ~]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@YINZHENGJIE.COM
Valid starting Expires Service principal
// :: // :: krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
Etype (skey, tkt): aes256-cts-hmac-sha1-, aes256-cts-hmac-sha1-
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]# kdestroy
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]# kinit admin #after stopping the primary KDC, the service is still available: the client is now connecting to the backup KDC!
Password for admin@YINZHENGJIE.COM:
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@YINZHENGJIE.COM
Valid starting Expires Service principal
// :: // :: krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
[root@node103.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]# systemctl status krb5kdc
● krb5kdc.service - Kerberos KDC
Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; enabled; vendor preset: disabled)
Active: active (running) since Fri -- :: CST; 2h 25min ago
Main PID: (krb5kdc)
CGroup: /system.slice/krb5kdc.service
└─ /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid
May :: node102.yinzhengjie.org.cn systemd[]: Starting Kerberos KDC...
May :: node102.yinzhengjie.org.cn systemd[]: Started Kerberos KDC.
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]# systemctl stop krb5kdc
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]# systemctl status krb5kdc
● krb5kdc.service - Kerberos KDC
Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; enabled; vendor preset: disabled)
Active: inactive (dead) since Fri -- :: CST; 1s ago
Main PID: (code=exited, status=/SUCCESS)
May :: node102.yinzhengjie.org.cn systemd[]: Starting Kerberos KDC...
May :: node102.yinzhengjie.org.cn systemd[]: Started Kerberos KDC.
May :: node102.yinzhengjie.org.cn systemd[]: Stopping Kerberos KDC...
May :: node102.yinzhengjie.org.cn systemd[]: Stopped Kerberos KDC.
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]# systemctl stop krb5kdc #after stopping the primary KDC the service was still available, so now we stop the backup KDC as well
[root@node101.yinzhengjie.org.cn ~]# tail -100f /var/kerberos/log/dump.log
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May :: CST
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May :: CST
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May :: CST
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May :: CST
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May :: CST
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May :: CST
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May :: CST
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May :: CST
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May :: CST
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May :: CST
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May :: CST
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May :: CST
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May :: CST
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May :: CST
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May :: CST
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May :: CST
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May :: CST
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May :: CST
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May :: CST
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May :: CST
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May :: CST
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May :: CST
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
^C
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# tail -100f /var/kerberos/log/dump.log #after stopping the primary KDC, we find that the database sync log also reports errors
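The dump.log above is the first place a broken replication shows up: once kprop can no longer reach a KDC, every scheduled run appends an error line and the backup KDC silently starts serving a stale database. Rather than reading the log by hand, a small check can count how many runs have failed since the last SUCCEEDED line and raise an alert past a threshold. The following is an added example (not code from the post or from the Kerberos project); the threshold, the check_sync_health name and the sample log excerpt, which is constructed in the same shape as the post's dump.log, are assumptions made for this illustration.

```shell
#!/bin/bash
# check_kdc_sync_log.sh: inspect the propagation log and flag a backup KDC
# that has fallen behind. Added example, not from the original post; the
# threshold and the sample log lines below are constructed for illustration.

LOG_FILE="${LOG_FILE:-/var/kerberos/log/dump.log}"
MAX_CONSECUTIVE_FAILURES="${MAX_CONSECUTIVE_FAILURES:-3}"

# consecutive_failures FILE: number of failed runs since the last success,
# judged only from outcome lines (SUCCEEDED, or an error printed by
# kprop/kdb5_util); the date lines written by cron are ignored.
consecutive_failures() {
    # awk resets the counter on every SUCCEEDED line, so the value printed
    # at END is the length of the failure streak at the tail of the log.
    awk '
        /SUCCEEDED/ { streak = 0; next }
        /kprop:|kdb5_util:/ { streak++ }
        END { print streak + 0 }
    ' "$1"
}

# check_sync_health FILE: returns 0 when healthy and 1 when the streak has
# reached the threshold, so it can be wired into cron or a monitoring agent.
check_sync_health() {
    n=$(consecutive_failures "$1")
    if [ "$n" -ge "$MAX_CONSECUTIVE_FAILURES" ]; then
        echo "ALERT: $n consecutive propagation failures in $1"
        return 1
    fi
    echo "OK: $n consecutive failure(s) in $1"
    return 0
}

# Constructed excerpt in the same shape as the post's dump.log: one success
# followed by three runs during which no KDC was reachable.
sample_log() {
    cat <<'EOF'
Fri May 10 10:00:00 CST 2019
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May 10 10:01:00 CST 2019
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May 10 10:02:00 CST 2019
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May 10 10:03:00 CST 2019
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
EOF
}

# "demo" runs the check against the constructed excerpt; with no argument the
# functions are only defined, so the file can be sourced by other scripts.
case "${1:-}" in
    demo)
        tmp=$(mktemp)
        sample_log > "$tmp"
        check_sync_health "$tmp"
        rm -f "$tmp"
        ;;
esac
```

Run `check_kdc_sync_log.sh demo` to see the alert fire on the excerpt; against the real log, point LOG_FILE at /var/kerberos/log/dump.log and call `check_sync_health "$LOG_FILE"` from a cron entry or monitoring check. Counting the streak rather than any single error avoids alerting on a lone transient failure while still catching the case shown in the post, where every run fails after the KDCs go down.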
[root@node103.yinzhengjie.org.cn ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@YINZHENGJIE.COM
Valid starting Expires Service principal
// :: // :: krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]# kdestroy
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]# kinit admin #since we stopped both the primary KDC service and the backup KDC service, it can no longer find a usable KDC!
kinit: Cannot contact any KDC for realm 'YINZHENGJIE.COM' while getting initial credentials
[root@node103.yinzhengjie.org.cn ~]#
Reference links:
https://blog.csdn.net/w1331808514/article/details/83474345#_msocom_9
https://www.cnblogs.com/xiaodf/p/5968178.html
Recommended reading from the author:
https://www.cnblogs.com/yinzhengjie/p/10765503.html
https://docs.oracle.com/cd/E24847_01/html/819-7061/trouble-2.html
https://blog.csdn.net/wk022/article/details/50541699