| host | ip |
|---|---|
| kdcmaster | 172.16.242.108 |
| kdcslave | 172.16.16.82 |
Quick installation of Kerberos on kdcmaster; see https://blog.csdn.net/woloqun/article/details/76560173 for reference.

```sh
yum -y install krb5-libs krb5-devel krb5-server krb5-workstation
```
Edit the configuration files as follows.

```ini
cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
 default_realm = HAOHAOZHU.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 HAOHAOZHU.COM = {
  kdc = kdcmaster
  admin_server = kdcmaster
 }

[domain_realm]
 .haohaozhu.com = HAOHAOZHU.COM
 haohaozhu.com = HAOHAOZHU.COM
```
```ini
vi /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 HAOHAOZHU.COM = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
```
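The `supported_enctypes` line above still lists single DES (`des-hmac-sha1`, `des-cbc-md5`, `des-cbc-crc`), RC4 (`arcfour-hmac`) and triple DES; DES and RC4 are deprecated in MIT Kerberos, and the kpropd log further down shows replication itself authenticating with triple DES. The script below is an added example, not part of the original post: it flags those entries in a kdc.conf and writes a hardened copy that keeps only AES. The sample kdc.conf it creates is constructed from the stanza above, the temporary paths under /tmp are an assumption, and the AES-only replacement assumes every client and service in the realm is AES-capable.

```shell
#!/bin/sh
# Added example, not from the original post: audit the supported_enctypes
# line of a kdc.conf for deprecated encryption types and emit a hardened
# copy of the file. The sample config below is constructed for the demo.

# Enctype prefixes treated as weak: single DES, triple DES and RC4.
WEAK_ENCTYPE_RE='^(des-|des3-|arcfour-hmac)'

# AES replacement list (assumption: all clients and services support AES).
HARDENED_ENCTYPES='aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal'

# weak_enctypes FILE
# Prints each weak enctype named in supported_enctypes, one per line.
# Returns 1 if any were found, 0 if the list is clean.
weak_enctypes() {
    found=0
    # Take everything after "supported_enctypes =", split on whitespace,
    # and strip the ":salt" suffix from each entry before matching.
    for entry in $(sed -n 's/^[[:space:]]*supported_enctypes[[:space:]]*=[[:space:]]*//p' "$1"); do
        etype=${entry%%:*}
        if printf '%s\n' "$etype" | grep -Eq "$WEAK_ENCTYPE_RE"; then
            echo "$etype"
            found=1
        fi
    done
    return $found
}

# harden_kdc_conf FILE
# Writes FILE to stdout with supported_enctypes replaced by the AES list;
# every other line is passed through unchanged.
harden_kdc_conf() {
    sed "s/^\([[:space:]]*supported_enctypes[[:space:]]*=\).*/\1 $HARDENED_ENCTYPES/" "$1"
}

# Constructed sample: the realm stanza from the post's kdc.conf.
SAMPLE_KDC_CONF=$(mktemp /tmp/kdc.conf.XXXXXX)
cat > "$SAMPLE_KDC_CONF" <<'EOF'
[realms]
 HAOHAOZHU.COM = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
EOF

HARDENED_KDC_CONF=$(mktemp /tmp/kdc.conf.hardened.XXXXXX)
harden_kdc_conf "$SAMPLE_KDC_CONF" > "$HARDENED_KDC_CONF"

if weak_enctypes "$SAMPLE_KDC_CONF" > /dev/null; then
    echo "original kdc.conf: no weak enctypes"
else
    echo "original kdc.conf: weak enctypes present, hardened copy at $HARDENED_KDC_CONF"
fi
```

Changing `supported_enctypes` only affects keys generated from then on; principals that already exist (including the host keys and the kadmin/kiprop service keys) keep their old enctypes until they are re-keyed with `cpw` or `ktadd`, so the hardened file should be rolled out before the host principals are created, or followed by re-keying.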
Initialise the database.

```console
[root@kdcmaster ~]# kdb5_util create -s -r HAOHAOZHU.COM
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'HAOHAOZHU.COM',
master key name 'K/M@HAOHAOZHU.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
```
Add an administrator principal.

```console
[root@kdcmaster ~]# kadmin.local -q "addprinc admin/admin"
Authenticating as principal root/admin@HAOHAOZHU.COM with password.
WARNING: no policy specified for admin/admin@HAOHAOZHU.COM; defaulting to no policy
Enter password for principal "admin/admin@HAOHAOZHU.COM":
Re-enter password for principal "admin/admin@HAOHAOZHU.COM":
Principal "admin/admin@HAOHAOZHU.COM" created.
```
Edit kadm5.acl.

```sh
vi /var/kerberos/krb5kdc/kadm5.acl
*/admin@HAOHAOZHU.COM *
```
Start the KDC and kadmin on kdcmaster.

```console
[root@kdcmaster ~]# service krb5kdc start
Redirecting to /bin/systemctl start krb5kdc.service
[root@kdcmaster ~]# service kadmin start
Redirecting to /bin/systemctl start kadmin.service
```
Install Kerberos on kdcslave.

```sh
yum -y install krb5-libs krb5-devel krb5-server krb5-workstation
```
Add the host principals on kdcmaster.

```console
[root@kdcmaster ~]# kadmin
Authenticating as principal admin/admin@HAOHAOZHU.COM with password.
Password for admin/admin@HAOHAOZHU.COM:
kadmin: addprinc -randkey host/kdcmaster
WARNING: no policy specified for host/kdcmaster@HAOHAOZHU.COM; defaulting to no policy
Principal "host/kdcmaster@HAOHAOZHU.COM" created.
kadmin: addprinc -randkey host/kdcslave
WARNING: no policy specified for host/kdcslave@HAOHAOZHU.COM; defaulting to no policy
Principal "host/kdcslave@HAOHAOZHU.COM" created.
```
Generate the host keytabs.

```console
kadmin: ktadd host/kdcmaster
Entry for principal host/kdcmaster with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kdcmaster with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kdcmaster with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kdcmaster with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kdcmaster with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kdcmaster with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.
kadmin: ktadd -k /tmp/kerberos-1.keytab host/kdcslave
Entry for principal host/kdcslave with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/tmp/kerberos-1.keytab.
Entry for principal host/kdcslave with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/tmp/kerberos-1.keytab.
Entry for principal host/kdcslave with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/tmp/kerberos-1.keytab.
Entry for principal host/kdcslave with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/tmp/kerberos-1.keytab.
Entry for principal host/kdcslave with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/tmp/kerberos-1.keytab.
Entry for principal host/kdcslave with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/tmp/kerberos-1.keytab.
```
Copy /tmp/kerberos-1.keytab to the /etc directory on kdcslave and name it krb5.keytab.

```console
[root@kdcmaster ~]# scp /tmp/kerberos-1.keytab root@kdcslave:/etc/krb5.keytab
The authenticity of host 'kdcslave (172.16.16.82)' can't be established.
ECDSA key fingerprint is SHA256:mXyA1uwn8huNuzL3LPZMl1YU0lpoqKP093F88zWRONI.
ECDSA key fingerprint is MD5:f5:01:60:29:98:bb:b7:18:1b:a1:f2:4b:b5:20:37:4e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'kdcslave,172.16.16.82' (ECDSA) to the list of known hosts.
root@kdcslave's password:
kerberos-1.keytab
```
Edit /etc/krb5.conf on kdcmaster and add a kdc entry for the slave.

```ini
 HAOHAOZHU.COM = {
  kdc = kdcmaster
  kdc = kdcslave
  admin_server = kdcmaster
 }
```
Copy the following files from kdcmaster to the corresponding directories on kdcslave.

```sh
scp /etc/krb5.conf root@kdcslave:/etc/
scp /var/kerberos/krb5kdc/kdc.conf root@kdcslave:/var/kerberos/krb5kdc/
scp /var/kerberos/krb5kdc/kadm5.acl root@kdcslave:/var/kerberos/krb5kdc/
scp /var/kerberos/krb5kdc/.k5.HAOHAOZHU.COM root@kdcslave:/var/kerberos/krb5kdc/
```
Create the following file on all nodes.

```sh
vi /var/kerberos/krb5kdc/kpropd.acl
host/kdcmaster@HAOHAOZHU.COM
host/kdcslave@HAOHAOZHU.COM
```
Start kpropd on kdcslave.

```console
[root@kdcslave ~]# kpropd -dS
ready
waiting for a kprop connection
```
Dump the database on kdcmaster and propagate it to kdcslave.

```console
[root@kdcmaster ~]# kdb5_util dump /var/kerberos/krb5kdc/slave_datatrans
[root@kdcmaster ~]# kprop -f /var/kerberos/krb5kdc/slave_datatrans kdcslave
Database propagation to kdcslave: SUCCEEDED
```
Log output on kdcslave:

```console
[root@kdcslave ~]# kpropd -dS
ready
waiting for a kprop connection
Connection from kdcmaster
krb5_recvauth(4, kprop5_01, host/kdcmaster@HAOHAOZHU.COM, ...)
authenticated client: host/kdcmaster@HAOHAOZHU.COM (etype == Triple DES cbc mode with HMAC/sha1)
Full propagation transfer started.
Full propagation transfer finished.
calling kdb5_util to load database
Load PID is 3565
Database load process for full propagation completed.
waiting for a kprop connection
```
Now start the KDC on the kdcslave node and check whether the data has been synchronised.

```console
[root@kdcslave krb5kdc]# kadmin.local
Authenticating as principal root/admin@HAOHAOZHU.COM with password.
kadmin.local: list_principals
K/M@HAOHAOZHU.COM
admin/admin@HAOHAOZHU.COM
host/kdcmaster@HAOHAOZHU.COM
host/kdcslave@HAOHAOZHU.COM
kadmin/admin@HAOHAOZHU.COM
kadmin/changepw@HAOHAOZHU.COM
kadmin/kdcmaster@HAOHAOZHU.COM
kiprop/kdcmaster@HAOHAOZHU.COM
krbtgt/HAOHAOZHU.COM@HAOHAOZHU.COM
```
As you can see, the data has been synchronised. What remains is to write a script that synchronises the database on a schedule.

```sh
vi /root/sync_db.sh
#!/bin/sh
# Dump the master KDC database and push it to every slave in kdclist
kdclist="kdcslave"
echo "$(date) start to sync!"
sudo kdb5_util dump /var/kerberos/krb5kdc/slave_datatrans
for kdc in $kdclist; do
    sudo kprop -f /var/kerberos/krb5kdc/slave_datatrans "$kdc"
done
echo "$(date) end to sync!"
```

Make it executable.

```sh
chmod +x sync_db.sh
```

Add a cron job.

```sh
crontab -e
*/1 * * * * /root/sync_db.sh >> /root/sync.log
```
Test: add the user usertest1 on kdcmaster.

```console
[root@kdcmaster ~]# kadmin.local
Authenticating as principal admin/admin@HAOHAOZHU.COM with password.
kadmin.local: add
addpol add_policy addprinc add_principal
kadmin.local: addprinc usertest1
WARNING: no policy specified for usertest1@HAOHAOZHU.COM; defaulting to no policy
Enter password for principal "usertest1@HAOHAOZHU.COM":
Re-enter password for principal "usertest1@HAOHAOZHU.COM":
Principal "usertest1@HAOHAOZHU.COM" created.
```
Check on kdcslave whether it has been synchronised.

```console
[root@kdcslave krb5kdc]# kadmin.local
Authenticating as principal root/admin@HAOHAOZHU.COM with password.
kadmin.local: list_principals
K/M@HAOHAOZHU.COM
admin/admin@HAOHAOZHU.COM
host/kdcmaster@HAOHAOZHU.COM
host/kdcslave@HAOHAOZHU.COM
kadmin/admin@HAOHAOZHU.COM
kadmin/changepw@HAOHAOZHU.COM
kadmin/kdcmaster@HAOHAOZHU.COM
kiprop/kdcmaster@HAOHAOZHU.COM
krbtgt/HAOHAOZHU.COM@HAOHAOZHU.COM
usertest1@HAOHAOZHU.COM
```

Data synchronisation is complete.
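The cron job only appends kprop's stdout to /root/sync.log, and the check above is done by eye with `list_principals`. The script below is an added example, not code from the original post, that automates both checks for the sync script and the verification step: it reads the most recent run in the sync log and reports whether every slave got a `SUCCEEDED` line, and it compares the master's principal list with the slave's to name any principal the slave is missing. The log lines and principal lists it uses are constructed to match the post's output; in production they would come from /root/sync.log and from `kadmin.local -q list_principals` on each KDC, and the /tmp paths are an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the cron-driven
# kprop replication actually succeeded. Inputs below are constructed to
# mirror the post's sync.log and list_principals output.

# last_sync_ok LOG EXPECTED
# Looks only at the most recent run in LOG (everything after the last
# "start to sync!" line) and returns 0 if it contains EXPECTED
# "Database propagation to <kdc>: SUCCEEDED" lines, one per slave.
last_sync_ok() {
    awk -v want="$2" '
        /start to sync!/                        { ok = 0 }   # new run resets the count
        /Database propagation to .*: SUCCEEDED/ { ok++ }
        END { exit (ok == want) ? 0 : 1 }
    ' "$1"
}

# missing_on_slave MASTER_LIST SLAVE_LIST
# Prints every principal present in MASTER_LIST but absent from SLAVE_LIST
# (exact line match); returns 1 if there are any, 0 if the slave is current.
missing_on_slave() {
    if grep -vxFf "$2" "$1"; then
        return 1
    fi
    return 0
}

# Constructed sync log: first run succeeded, second run produced no
# SUCCEEDED line (kprop writes its errors to stderr, which the cron line
# in the post does not redirect, so a failed run simply lacks the line).
GOOD_LOG=$(mktemp /tmp/sync.log.XXXXXX)
cat > "$GOOD_LOG" <<'EOF'
Mon Jan  1 00:00:01 CST 2024 start to sync!
Database propagation to kdcslave: SUCCEEDED
Mon Jan  1 00:00:02 CST 2024 end to sync!
EOF

BAD_LOG=$(mktemp /tmp/sync.log.XXXXXX)
cat "$GOOD_LOG" > "$BAD_LOG"
cat >> "$BAD_LOG" <<'EOF'
Mon Jan  1 00:01:01 CST 2024 start to sync!
Mon Jan  1 00:01:02 CST 2024 end to sync!
EOF

# Constructed principal lists: the slave has not yet received usertest1.
MASTER_LIST=$(mktemp /tmp/master.princs.XXXXXX)
cat > "$MASTER_LIST" <<'EOF'
K/M@HAOHAOZHU.COM
admin/admin@HAOHAOZHU.COM
host/kdcmaster@HAOHAOZHU.COM
host/kdcslave@HAOHAOZHU.COM
krbtgt/HAOHAOZHU.COM@HAOHAOZHU.COM
usertest1@HAOHAOZHU.COM
EOF
SLAVE_LIST=$(mktemp /tmp/slave.princs.XXXXXX)
grep -v '^usertest1@' "$MASTER_LIST" > "$SLAVE_LIST"

if last_sync_ok "$BAD_LOG" 1; then
    echo "last run: ok"
else
    echo "last run: kprop did not report success for every slave"
fi
if missing="$(missing_on_slave "$MASTER_LIST" "$SLAVE_LIST")"; then
    echo "slave is current"
else
    echo "slave is missing: $missing"
fi
```

Because the sync script runs every minute, a slave that is one run behind is normal; what matters is a run that ends without a `SUCCEEDED` line for a slave, which is the condition `last_sync_ok` reports, and a principal that stays missing across several runs, which `missing_on_slave` exposes.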