• centos7.5 kerberos 主从配置


    主机规划:

    192.168.2.132 master
    192.168.2.131 slave

    环境:
    名称 版本

    CentOS CentOS release 7.5


    下载jce_policy-8.zip

    cp jce_policy-8.zip /usr/java/jdk1.8.0_152/jre/lib/security
    unzip jce_policy-8.zip


    2、安装kdc server 和client

    yum -y install krb5-libs krb5-server krb5-workstation

    客户端:yum -y install krb5-libs krb5-workstation
    软件包 krb5-libs-1.15.1-18.el7.x86_64 已安装并且是最新版本
    软件包 krb5-server-1.15.1-18.el7.x86_64 已安装并且是最新版本
    软件包 krb5-workstation-1.15.1-18.el7.x86_64 已安装并且是最新版本

    配置主机名称(两台机器都要改)
    vi /etc/hosts
    192.168.2.132 bigdata003
    192.168.2.131 bigdata002

    vi /etc/krb5.conf
    ******************************************************************
    # Configuration snippets may be placed in this directory as well
    includedir /etc/krb5.conf.d/

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]

    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    default_realm = STARYEA.COM
    udp_preference_limit = 1
    clockskew = 300
    renewable = true
    #default_ccache_name = KEYRING:persistent:%{uid}


    [realms]
    STARYEA.COM = {
    admin_server = bigdata003:749
    kdc = bigdata003:88
    kdc = bigdata002:88
    }

    [domain_realm]
    .staryea.com = STARYEA.COM
    staryea.com = STARYEA.COM

    *******************************************************************************
    配置 kdc.conf(注意:下面 supported_enctypes 里的 des-* 和 arcfour-hmac 属于弱加密类型,只是为了兼容旧客户端才保留)
    vi /var/kerberos/krb5kdc/kdc.conf

    *******************************************************************************
    [kdcdefaults]
    kdc_ports = 88
    kdc_tcp_ports = 88

    [realms]
    STARYEA.COM = {
    master_key_type = aes256-cts
    acl_file = /var/kerberos/krb5kdc/kadm5.acl
    dict_file = /usr/share/dict/words
    admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
    max_life = 24h
    max_renewable_life = 10d
    default_principal_flags= +renewable,+forwardable
    supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
    }


    ******************************************************************************

    3)创建数据库,添加管理员

    生成master服务器上的kdc database
    kdb5_util create -r STARYEA.COM -s
    Loading random data
    Initializing database '/var/kerberos/krb5kdc/principal' for realm 'STARYEA.COM',
    master key name 'K/M@STARYEA.COM'
    You will be prompted for the database Master Password.
    It is important that you NOT FORGET this password.
    Enter KDC database master key: 
    Re-enter KDC database master key to verify: 

    添加database administrator


    kadmin.local -q "addprinc admin/admin"
    Authenticating as principal root/admin@STARYEA.COM with password.
    WARNING: no policy specified for admin/admin@STARYEA.COM; defaulting to no policy
    Enter password for principal "admin/admin@STARYEA.COM": 
    Re-enter password for principal "admin/admin@STARYEA.COM": 
    Principal "admin/admin@STARYEA.COM" created.

    修改 /var/kerberos/krb5kdc/kadm5.acl

    */admin@STARYEA.COM *

    4)启动服务
    /bin/systemctl start krb5kdc.service
    /bin/systemctl start kadmin.service

    添加开机启动: chkconfig krb5kdc on
    chkconfig kadmin on

    5)查看运行日志
    /var/log/krb5kdc.log 和 /var/log/kadmind.log

    使用kinit 命令,测试admin账户是否生成成功
    kinit admin/admin@STARYEA.COM
    Password for admin/admin@STARYEA.COM:

    [root@bigdata003 ~]# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: admin/admin@STARYEA.COM

    Valid starting Expires Service principal
    2018-08-19T19:16:37 2018-08-20T19:16:37 krbtgt/STARYEA.COM@STARYEA.COM


    6 )安装slave KDC的相关配置
    在master服务器上创建host principal 及 keytab 文件

    [root@kerberos ~]# kadmin.local

    kadmin: addprinc -randkey host/bigdata003 #添加principal

    kadmin:ktadd host/bigdata003 #生成keytab文件

    kadmin: addprinc -randkey host/bigdata002 #添加principal

    kadmin:ktadd host/bigdata002 #生成keytab文件

    将master上的几个文件拷贝到从服务器,
    文件: krb5.conf、kdc.conf、kadm5.acl、master key stash file(.k5.STARYEA.COM)

    [root@kerberos ~]# scp /etc/krb5.conf root@192.168.2.131:/etc
    [root@kerberos ~]# scp /var/kerberos/krb5kdc/kdc.conf root@192.168.2.131:/var/kerberos/krb5kdc/
    [root@kerberos ~]# scp /var/kerberos/krb5kdc/kadm5.acl root@192.168.2.131:/var/kerberos/krb5kdc/
    [root@kerberos ~]# scp /var/kerberos/krb5kdc/.k5.STARYEA.COM root@192.168.2.131:/var/kerberos/krb5kdc/.k5.STARYEA.COM


    7) Slave上创建数据库 bigdata002 上
    kdb5_util create -r STARYEA.COM -s
    Loading random data
    Initializing database '/var/kerberos/krb5kdc/principal' for realm 'STARYEA.COM',
    master key name 'K/M@STARYEA.COM'
    You will be prompted for the database Master Password.
    It is important that you NOT FORGET this password.
    Enter KDC database master key: 
    Re-enter KDC database master key to verify:

    #创建host keytab 文件 在slave服务器上 添加规则:

    kadmin.local

    kadmin: addprinc -randkey host/bigdata002 #添加principal
    kadmin: ktadd host/bigdata002 #生成keytab文件

    #在slave服务器上创建kpropd.acl文件
    vi /var/kerberos/krb5kdc/kpropd.acl

    添加如下内容:
    host/bigdata003@STARYEA.COM
    host/bigdata002@STARYEA.COM

    #在slave上启动kpropd服务
    [root@bigdata002 krb5kdc]# kpropd -S
    [root@bigdata002 krb5kdc]# ps -ef|grep kprop
    root 32709 1 0 21:19 ? 00:00:00 kpropd -S

    #在slave上导出host/bigdata002 到/etc/krb5.keytab
    [root@bigdata002 krb5kdc]# kadmin
    Authenticating as principal admin/admin@STARYEA.COM with password.
    Password for admin/admin@STARYEA.COM:
    kadmin: ktadd host/bigdata002

    新开一个窗口
    数据同步 在master上将相关数据同步到slave上
    [root@bigdata003 ~]# kdb5_util dump /var/kerberos/krb5kdc/kdc.dump
    [root@kerberos~]#kprop -f /var/kerberos/krb5kdc/kdc.dump bigdata002

    如果上一步 kprop 失败,是因为 slave 的 /etc/krb5.keytab 中还没有 host/bigdata002 的密钥,
    需要先在 slave 上把它导出到 keytab。
    执行(这一步应该在同步之前做):
    [root@bigdata002 krb5kdc]# kadmin
    Authenticating as principal admin/admin@STARYEA.COM with password.
    Password for admin/admin@STARYEA.COM:
    kadmin: ktadd host/bigdata002

    [root@bigdata003 log]# kprop -f /var/kerberos/krb5kdc/kdc.dump bigdata002
    Database propagation to bigdata002: SUCCEEDED
    [root@bigdata003 log]#

    在slave上/var/kerberos/krb5kdc/会多出一些文件,如:


    8)至此,可以启动slave上的kdc服务
    启动服务
    /bin/systemctl start krb5kdc.service


    当有多台slave时,定时更新脚本可以这样:

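    #!/bin/sh
    # Propagate the master KDC database to every slave KDC.
    # Meant to be run from cron on the master KDC.
    # Requires kdb5_util and kprop in PATH, and each slave must be running
    # kpropd with the master's host principal listed in its kpropd.acl.
    set -eu

    # Space-separated list of slave KDC host names. Can be overridden with
    # KDC_LIST=... in the environment. The original had "kdclist = ..." with
    # spaces around '=', which the shell parses as a command, not an assignment.
    kdclist=${KDC_LIST:-"bigdata002 bigdata001"}
    dumpfile=/var/kerberos/krb5kdc/slave_datatrans

    # The dump is a copy of the whole principal database; make sure the file
    # is created readable by root only.
    umask 077

    if ! kdb5_util dump "$dumpfile"; then
        printf 'kdb5_util dump of %s failed\n' "$dumpfile" >&2
        exit 1
    fi

    rc=0
    # shellcheck disable=SC2086 -- word-splitting of the host list is intended
    for kdc in $kdclist; do
        if kprop -f "$dumpfile" "$kdc"; then
            printf 'propagation to %s succeeded\n' "$kdc"
        else
            # keep going so one unreachable slave does not block the others,
            # but report the failure through the exit status
            printf 'propagation to %s FAILED\n' "$kdc" >&2
            rc=1
        fi
    done
    exit "$rc"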


    9)测试,在bigdata001上,kinit 测试
    创建host/bigdata001的凭证
    导出 xst -kt /etc/bigdata001.keytab host/bigdata001
    scp /etc/bigdata001.keytab bigdata001:/etc
    [root@bigdata003 etc]# kdb5_util dump /var/kerberos/krb5kdc/kdc.dump
    [root@bigdata003 etc]# kprop -f /var/kerberos/krb5kdc/kdc.dump bigdata002
    Database propagation to bigdata002: SUCCEEDED


    关闭主kdc
    /bin/systemctl stop krb5kdc.service

    [root@bigdata001 etc]# kinit -kt /etc/bigdata001.keytab host/bigdata001
    [root@bigdata001 etc]# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: host/bigdata001@STARYEA.COM

    Valid starting Expires Service principal
    2018-08-20T08:03:50 2018-08-21T08:03:50 krbtgt/STARYEA.COM@STARYEA.COM
    renew until 2018-08-27T08:03:50
