
CentOS 7.5 Kerberos master/slave KDC configuration

2018-08-20 08:20  staryea-bigdata

Host plan:

192.168.2.132 master KDC (bigdata003)
192.168.2.131 slave KDC (bigdata002)

Environment:

Name     Version
CentOS   CentOS release 7.5


1) Install the JCE unlimited-strength policy files

The aes256-cts enctype used below is only usable from Java (Hadoop and other JVM clients of this realm) if the JDK carries the unlimited-strength JCE policy; Oracle JDK 8 builds before 8u161 ship the limited policy. Download jce_policy-8.zip and install it into that JDK:

cp jce_policy-8.zip /usr/java/jdk1.8.0_152/jre/lib/security
cd /usr/java/jdk1.8.0_152/jre/lib/security
unzip jce_policy-8.zip

The archive expands into a subdirectory; the local_policy.jar and US_export_policy.jar it contains must replace the two jars of the same names directly in jre/lib/security, otherwise the policy is unchanged.


2) Install the KDC server and client

KDCs (master and slave):
yum -y install krb5-libs krb5-server krb5-workstation

Clients only:
yum -y install krb5-libs krb5-workstation

Package krb5-libs-1.15.1-18.el7.x86_64 is already installed and is the latest version
Package krb5-server-1.15.1-18.el7.x86_64 is already installed and is the latest version
Package krb5-workstation-1.15.1-18.el7.x86_64 is already installed and is the latest version

Host name configuration (on every node; the KDC host names used in krb5.conf must resolve):
vi /etc/hosts
192.168.2.132 bigdata003
192.168.2.131 bigdata002

vi /etc/krb5.conf
******************************************************************
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]

dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = STARYEA.COM
udp_preference_limit = 1
clockskew = 300
renewable = true
#default_ccache_name = KEYRING:persistent:%{uid}


[realms]
STARYEA.COM = {
admin_server = bigdata003:749
kdc = bigdata003:88
kdc = bigdata002:88
}

[domain_realm]
.staryea.com = STARYEA.COM
staryea.com = STARYEA.COM

*******************************************************************************

Clients try the kdc entries in the order listed, so a client falls over to bigdata002 when bigdata003 is down. admin_server names only the master: it is the only KDC that runs kadmind and holds the writable copy of the database.

Configure the KDC (this file is copied to the slave in step 6):
vi /var/kerberos/krb5kdc/kdc.conf

*******************************************************************************
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88

[realms]
STARYEA.COM = {
master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
max_life = 24h
max_renewable_life = 10d
default_principal_flags= +renewable,+forwardable
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}


******************************************************************************

A note on supported_enctypes as written: besides AES and Camellia it advertises the single-DES types (des-hmac-sha1, des-cbc-md5, des-cbc-crc), des3-hmac-sha1 and arcfour-hmac (RC4). MIT krb5 refuses the single-DES types unless allow_weak_crypto = true is set, so listing them gains nothing, and RC4/3DES keys are only worth generating for legacy interoperability; for a new realm keep aes256-cts:normal aes128-cts:normal and drop the rest, so that every principal created with -randkey carries only strong keys. Also, dict_file only applies to principals that have a policy; admin/admin below is created with none.
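As an added example (not part of the original post), a shell audit of the supported_enctypes line discussed above. The function names, the temp-file samples and the classification of the single-DES, 3DES and RC4 families as legacy are this example's own; it runs offline on the constructed samples, and on a real kdc.conf when given its path.

```shell
#!/bin/sh
# Audit the supported_enctypes line of an MIT krb5 kdc.conf for legacy enctypes.
# Added example, not part of the original post. The classification is this
# example's: anything in the single-DES, 3DES or RC4 (arcfour) families is
# reported; AES and Camellia types pass.

# Print every enctype on the supported_enctypes line of file $1, one per line,
# with the ":salt" suffix removed (aes256-cts:normal -> aes256-cts).
list_enctypes() {
    sed -n 's/^[[:space:]]*supported_enctypes[[:space:]]*=[[:space:]]*//p' "$1" |
        tr -s '[:space:]' '\n' | sed 's/:.*$//' | grep -v '^$'
}

# Print the legacy enctypes advertised in $1 (nothing if the file is clean).
weak_enctypes() {
    list_enctypes "$1" | grep -E '^(des-|des3-|arcfour-)'
}

# Exit 0 when $1 advertises no legacy enctype, 1 otherwise.
kdc_conf_is_clean() {
    if list_enctypes "$1" | grep -qE '^(des-|des3-|arcfour-)'; then
        return 1
    fi
    return 0
}

# Constructed sample with the enctype list from the post, written to a temp
# file so the functions can be exercised without touching /var/kerberos.
sample_kdc_conf() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
[realms]
STARYEA.COM = {
 master_key_type = aes256-cts
 supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
EOF
    echo "$f"
}

# Constructed sample of the hardened line: AES only.
sample_hardened_kdc_conf() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
[realms]
STARYEA.COM = {
 master_key_type = aes256-cts
 supported_enctypes = aes256-cts:normal aes128-cts:normal
}
EOF
    echo "$f"
}

# Usage: sh audit-enctypes.sh /var/kerberos/krb5kdc/kdc.conf
if [ $# -eq 1 ]; then
    if kdc_conf_is_clean "$1"; then
        echo "$1: no legacy enctypes"
    else
        echo "$1: legacy enctypes advertised:"
        weak_enctypes "$1"
        exit 1
    fi
fi
```

Run it against the real kdc.conf before creating principals: keys are generated at addprinc/ktadd time for every listed type, so trimming the list afterwards does not remove keys already stored.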

3) Create the database and add an administrator

Create the KDC database on the master. -s also writes the master key stash file, /var/kerberos/krb5kdc/.k5.STARYEA.COM, so krb5kdc and kadmind can start without prompting for the master password; guard that file like the master key itself.
kdb5_util create -r STARYEA.COM -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'STARYEA.COM',
master key name 'K/M@STARYEA.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: 
Re-enter KDC database master key to verify: 

Add the database administrator:


kadmin.local -q "addprinc admin/admin"
Authenticating as principal root/admin@STARYEA.COM with password.
WARNING: no policy specified for admin/admin@STARYEA.COM; defaulting to no policy
Enter password for principal "admin/admin@STARYEA.COM": 
Re-enter password for principal "admin/admin@STARYEA.COM": 
Principal "admin/admin@STARYEA.COM" created.

Edit /var/kerberos/krb5kdc/kadm5.acl so that every principal with an /admin instance gets full privileges (the second field, *, is the permission set):

*/admin@STARYEA.COM *

4) Start the services
systemctl start krb5kdc.service
systemctl start kadmin.service

Enable them at boot (CentOS 7 is systemd-based; chkconfig krb5kdc on would only be forwarded to the same command):
systemctl enable krb5kdc.service
systemctl enable kadmin.service

5) Check the logs
/var/log/krb5kdc.log and /var/log/kadmind.log

Use kinit to confirm that the admin principal works:
kinit admin/admin@STARYEA.COM
Password for admin/admin@STARYEA.COM:

[root@bigdata003 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@STARYEA.COM

Valid starting Expires Service principal
2018-08-19T19:16:37 2018-08-20T19:16:37 krbtgt/STARYEA.COM@STARYEA.COM


6) Configure the slave KDC

On the master, create a host principal for each KDC. kprop authenticates to the slave's kpropd as host/bigdata003, so that key must be in the master's /etc/krb5.keytab:

[root@kerberos ~]# kadmin.local

kadmin.local: addprinc -randkey host/bigdata003   # add the principal

kadmin.local: ktadd host/bigdata003               # write its key to /etc/krb5.keytab

kadmin.local: addprinc -randkey host/bigdata002   # add the principal

kadmin.local: ktadd host/bigdata002               # writes bigdata002's key to the master's keytab, where it is not needed

host/bigdata002's key has to end up in the slave's /etc/krb5.keytab instead (step 7). Every ktadd without -norandkey generates a fresh random key for the principal, so any earlier keytab copy of that principal stops matching the KDC.

Copy the following files from the master to the slave: krb5.conf, kdc.conf, kadm5.acl and the master key stash file. The stash file holds the realm's master key; it must stay root-owned with mode 600 on both hosts and should only ever travel over an authenticated, encrypted channel such as scp.

[root@kerberos ~]# scp /etc/krb5.conf root@192.168.2.131:/etc
[root@kerberos ~]# scp /var/kerberos/krb5kdc/kdc.conf root@192.168.2.131:/var/kerberos/krb5kdc/
[root@kerberos ~]# scp /var/kerberos/krb5kdc/kadm5.acl root@192.168.2.131:/var/kerberos/krb5kdc/
[root@kerberos ~]# scp /var/kerberos/krb5kdc/.k5.STARYEA.COM root@192.168.2.131:/var/kerberos/krb5kdc/.k5.STARYEA.COM


7) Create the placeholder database on the slave (bigdata002)

Enter the same master password as on the master: -s rewrites the stash file copied in step 6, and a stash that does not match the master key of the propagated database leaves the slave KDC unable to decrypt any principal. The local database created here is replaced by the first kprop.
kdb5_util create -r STARYEA.COM -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'STARYEA.COM',
master key name 'K/M@STARYEA.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: 
Re-enter KDC database master key to verify:

# On the slave, create a local host/bigdata002 entry:

kadmin.local

kadmin.local: addprinc -randkey host/bigdata002   # add the principal
kadmin.local: ktadd host/bigdata002               # write its key to /etc/krb5.keytab

kadmin.local works on the slave's placeholder database, so the key written to the keytab here is not the one the master's KDC holds for host/bigdata002; it is superseded by the kadmin ktadd further down.

# On the slave, create kpropd.acl. It lists the principals allowed to push a database to this KDC; kprop from the master authenticates as host/bigdata003, which is the only entry needed (the slave's own host principal is harmless but unnecessary).
vi /var/kerberos/krb5kdc/kpropd.acl

Contents:
host/bigdata003@STARYEA.COM
host/bigdata002@STARYEA.COM

# Start kpropd on the slave. -S runs it as a standalone daemon listening on TCP 754 (krb5_prop); on CentOS 7 the persistent form is systemctl enable kprop.service followed by systemctl start kprop.service.
[root@bigdata002 krb5kdc]# kpropd -S
[root@bigdata002 krb5kdc]# ps -ef|grep kprop
root 32709 1 0 21:19 ? 00:00:00 kpropd -S

# On the slave, fetch the master's key for host/bigdata002 into /etc/krb5.keytab.
# kadmin (unlike kadmin.local) talks to kadmind on the master, so this ktadd
# rotates host/bigdata002 in the master's database and writes that key locally,
# superseding the entry taken from the placeholder database above.
[root@bigdata002 krb5kdc]# kadmin
Authenticating as principal admin/admin@STARYEA.COM with password.
Password for admin/admin@STARYEA.COM:
kadmin: ktadd host/bigdata002

Open a new window. On the master, dump the database and propagate it to the slave:
[root@bigdata003 ~]# kdb5_util dump /var/kerberos/krb5kdc/kdc.dump
[root@bigdata003 ~]# kprop -f /var/kerberos/krb5kdc/kdc.dump bigdata002
Database propagation to bigdata002: SUCCEEDED
[root@bigdata003 ~]#

If kprop is rejected at this point, the cause is the order of the steps: the kadmin ktadd above must run on the slave before the first kprop. Until it has, the slave's /etc/krb5.keytab either has no host/bigdata002 entry at all or holds the key from its placeholder database, so kpropd cannot decrypt the service ticket that the master's KDC issued to kprop. Run the ktadd and repeat the kprop.
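The keytab mismatch described above is easier to catch on the slave before propagating than to diagnose from a rejected kprop. The following added example (not from the original post) does that check: it reads the highest key version for the slave's host principal out of klist -kt, then asks the KDC for a ticket with that key via kinit -kt. The function names and the constructed klist sample are this example's own assumptions; klist, kinit and kdestroy are MIT's real tools.

```shell
#!/bin/sh
# Pre-flight check for a slave KDC before the first kprop: does /etc/krb5.keytab
# hold a key for the slave's host principal that the master's KDC accepts?
# Added example, not from the original post. Assumes MIT klist, kinit and
# kdestroy on PATH; keytab path and principal are passed as arguments.

# Highest key version number for principal $1 in "klist -kt" output read from
# stdin; prints 0 when the principal is absent. The principal is the last field
# of each entry line and may be given with or without its @REALM.
highest_kvno() {
    awk -v p="$1" '
        ($NF == p || index($NF, p "@") == 1) && ($1 + 0) > max { max = $1 + 0 }
        END { print max + 0 }'
}

# Ask the KDC for a TGT with the keytab key. A key that came from the slave's
# own placeholder database, or a stale key version, fails here with a clear
# kinit error instead of a rejected kprop later. A private credential cache
# keeps root's normal ticket cache untouched.
keytab_matches_kdc() {
    cc=$(mktemp)
    if KRB5CCNAME="FILE:$cc" kinit -kt "$1" "$2" >/dev/null 2>&1; then
        KRB5CCNAME="FILE:$cc" kdestroy >/dev/null 2>&1
        rm -f "$cc"
        return 0
    fi
    rm -f "$cc"
    return 1
}

# One-line verdict for keytab $1 and principal $2; returns 0 only on OK.
check_slave_keytab() {
    kvno=$(klist -kt "$1" | highest_kvno "$2")
    if [ "$kvno" -eq 0 ]; then
        echo "NO ENTRY for $2 in $1 (run: kadmin -q 'ktadd $2' on this host)"
        return 1
    fi
    if keytab_matches_kdc "$1" "$2"; then
        echo "OK $2 kvno $kvno accepted by the KDC"
        return 0
    fi
    echo "MISMATCH $2 kvno $kvno rejected by the KDC (run: kadmin -q 'ktadd $2' on this host)"
    return 1
}

# Constructed sample of "klist -kt" output, with two key versions for the
# slave's principal; used to exercise the parser without a real keytab.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 08/19/2018 21:19:05 host/bigdata002@STARYEA.COM
   3 08/19/2018 21:30:11 host/bigdata002@STARYEA.COM
   1 08/19/2018 21:05:42 host/bigdata003@STARYEA.COM'

# Usage on the slave: sh check-keytab.sh /etc/krb5.keytab host/bigdata002@STARYEA.COM
if [ $# -eq 2 ]; then
    check_slave_keytab "$1" "$2"
fi
```

A MISMATCH verdict with a non-zero kvno is exactly the placeholder-database case from step 7: the keytab has an entry, but the master's KDC knows a different key for it.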

After propagation, /var/kerberos/krb5kdc/ on the slave contains additional files: the dump received by kpropd and the database that kdb5_util load rebuilt from it.


8) Now the slave KDC can be started

systemctl start krb5kdc.service
systemctl enable krb5kdc.service

Do not start kadmin on the slave: its database is overwritten by every kprop, so any change made there would be lost, and krb5.conf points admin_server at the master only.


With several slaves, a cron job can push the dump to all of them. Note the assignment: the original had spaces around '=', which the shell parses as a command named kdclist, so the loop ran over an empty list. Corrected script:

#!/bin/sh
# Dump the master database once and propagate it to every slave KDC.
kdclist="bigdata002 bigdata001"

kdb5_util dump /var/kerberos/krb5kdc/slave_datatrans

for kdc in $kdclist
do
    kprop -f /var/kerberos/krb5kdc/slave_datatrans "$kdc"
done
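The cron script above pushes blindly and ignores failures. Below is an added example (not the original post's script) that goes a step further: it dumps once under a restrictive umask, pushes to every slave in turn, reports each failed slave together with kprop's error text, removes the dump and its .dump_ok marker afterwards, and exits non-zero if any slave was not updated, so cron mail or a monitoring wrapper notices a slave that fell behind. The function names, the DUMP variable and the output format are this example's assumptions; kdb5_util and kprop are MIT's real tools.

```shell
#!/bin/sh
# Propagate the master KDC database to every slave and report which pushes failed.
# Added example, not the original post's script. Assumes MIT kdb5_util and kprop
# on PATH and a kpropd listening on each slave; the dump path and the output
# format are this example's choice.

DUMP=${DUMP:-/var/kerberos/krb5kdc/slave_datatrans}

# Dump once. The dump holds every principal's keys (encrypted under the master
# key), so it is created under umask 077 and removed when the run is over.
dump_database() {
    umask 077
    kdb5_util dump "$1"
}

# Push dump $1 to each slave named in the remaining arguments. Prints one line
# per slave, "ok <host>" or "FAILED <host>: <kprop output>", and returns 1 if
# any push failed. Output is captured so the reason (for example a keytab
# mismatch on the slave) is visible instead of being lost in a cron log.
propagate_to() {
    dumpfile=$1; shift
    failed=0
    for kdc in "$@"; do
        if out=$(kprop -f "$dumpfile" "$kdc" 2>&1); then
            echo "ok $kdc"
        else
            echo "FAILED $kdc: $out"
            failed=1
        fi
    done
    return $failed
}

# Full run: dump, propagate to all slaves, clean up the dump and the .dump_ok
# marker that kdb5_util writes beside it, and return non-zero on any failure.
propagate_all() {
    dump_database "$DUMP" || { echo "dump failed" >&2; return 2; }
    propagate_to "$DUMP" "$@"
    status=$?
    rm -f "$DUMP" "$DUMP.dump_ok"
    return $status
}

# Run only when slaves are given on the command line, e.g. from cron:
#   */10 * * * * /usr/local/sbin/kprop-all.sh bigdata002 bigdata001
if [ $# -gt 0 ]; then
    propagate_all "$@"
fi
```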


9) Failover test from bigdata001

On the master, create a host/bigdata001 principal and export it to a keytab for that host:
[root@bigdata003 etc]# kadmin.local
kadmin.local: addprinc -randkey host/bigdata001
kadmin.local: xst -kt /etc/bigdata001.keytab host/bigdata001
scp /etc/bigdata001.keytab bigdata001:/etc

Propagate again: a principal added on the master is unknown to the slave until the next kprop.
[root@bigdata003 etc]# kdb5_util dump /var/kerberos/krb5kdc/kdc.dump
[root@bigdata003 etc]# kprop -f /var/kerberos/krb5kdc/kdc.dump bigdata002
Database propagation to bigdata002: SUCCEEDED


Stop the master KDC:
systemctl stop krb5kdc.service

On bigdata001, kinit with the keytab. krb5.conf lists bigdata002 as the second kdc, so the request falls over to the slave and a TGT is still issued; only operations that need kadmind on the master (kadmin, password changes) are unavailable while it is down.
[root@bigdata001 etc]# kinit -kt /etc/bigdata001.keytab host/bigdata001
[root@bigdata001 etc]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/bigdata001@STARYEA.COM

Valid starting Expires Service principal
2018-08-20T08:03:50 2018-08-21T08:03:50 krbtgt/STARYEA.COM@STARYEA.COM
renew until 2018-08-27T08:03:50