Building a Big Data Platform with CDH: Kerberos High-Availability Deployment (Final Part)
Author: Yin Zhengjie (尹正杰)
Copyright notice: original work, reproduction prohibited! Violators will be held legally responsible.
I. Install the Kerberos packages and synchronize the configuration files
1>. Lab environment
```
[root@node101.yinzhengjie.org.cn ~]# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# free -h
              total        used        free      shared  buff/cache   available
Mem:           3.9G        265M        3.3G        9.5M        368M        3.4G
Swap:          2.0G          0B        2.0G
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# uname -r
3.10.0-957.el7.x86_64
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# uname -m
x86_64
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat /etc/hosts
# Primary KDC server
172.30.1.101 node101.yinzhengjie.org.cn node101
# Backup KDC server
172.30.1.102 node102.yinzhengjie.org.cn node102
# Other hosts, i.e. the Kerberos clients
172.30.1.103 node103.yinzhengjie.org.cn node103
172.30.1.110 node110.yinzhengjie.org.cn node110
[root@node101.yinzhengjie.org.cn ~]#
```
2>. Install the required Kerberos packages on the primary KDC and edit the corresponding configuration files
```
[root@node101.yinzhengjie.org.cn ~]# yum -y install krb5-server krb5-auth-dialog krb5-workstation krb5-devel krb5-libs
...
No package krb5-auth-dialog available.
...
Installed:
  krb5-devel.x86_64 0:1.15.1-37.el7_6   krb5-server.x86_64 0:1.15.1-37.el7_6   krb5-workstation.x86_64 0:1.15.1-37.el7_6

Dependency Installed:
  keyutils-libs-devel.x86_64 0:1.5.8-3.el7   libcom_err-devel.x86_64 0:1.42.9-13.el7   libkadm5.x86_64 0:1.15.1-37.el7_6
  libselinux-devel.x86_64 0:2.5-14.1.el7     libsepol-devel.x86_64 0:2.5-10.el7        libverto-devel.x86_64 0:0.2.5-4.el7
  libverto-libevent.x86_64 0:0.2.5-4.el7     pcre-devel.x86_64 0:8.32-17.el7           words.noarch 0:3.0-22.el7

Updated:
  krb5-libs.x86_64 0:1.15.1-37.el7_6

Complete!
[root@node101.yinzhengjie.org.cn ~]#
```
```
[root@node101.yinzhengjie.org.cn ~]# cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = YINZHENGJIE.COM
 kdc_timeout = 2500
 max_retries = 3
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 10d
 renew_lifetime = 10d
 renewable = false
 forwardable = false

[realms]
 YINZHENGJIE.COM = {
  kdc = node101.yinzhengjie.org.cn:88
  kdc = node102.yinzhengjie.org.cn:88
  admin_server = node101.yinzhengjie.org.cn:749
  default_domain = YINZHENGJIE.COM
 }

[domain_realm]
 .yinzhengjie.com = YINZHENGJIE.COM
 yinzhengjie.com = YINZHENGJIE.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf
[root@node101.yinzhengjie.org.cn ~]#
```
```
[root@node101.yinzhengjie.org.cn ~]# cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 YINZHENGJIE.COM = {
  master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
  max_life = 10d
  max_renewable_life = 10d
 }
[root@node101.yinzhengjie.org.cn ~]#
```
```
[root@node101.yinzhengjie.org.cn ~]# cat /var/kerberos/krb5kdc/kadm5.acl
*/admin@YINZHENGJIE.COM *
[root@node101.yinzhengjie.org.cn ~]#
```
3>. Install the required Kerberos packages on the backup KDC and edit the corresponding configuration files
```
[root@node102.yinzhengjie.org.cn ~]# yum install -y krb5-server openldap-clients krb5-workstation krb5-libs
...
Installed:
  krb5-server.x86_64 0:1.15.1-37.el7_6   krb5-workstation.x86_64 0:1.15.1-37.el7_6   openldap-clients.x86_64 0:2.4.44-21.el7_6

Dependency Installed:
  libevent.x86_64 0:2.0.21-4.el7   libkadm5.x86_64 0:1.15.1-37.el7_6   libverto-libevent.x86_64 0:0.2.5-4.el7   words.noarch 0:3.0-22.el7

Updated:
  krb5-libs.x86_64 0:1.15.1-37.el7_6

Dependency Updated:
  openldap.x86_64 0:2.4.44-21.el7_6

Complete!
[root@node102.yinzhengjie.org.cn ~]#
```
```
[root@node102.yinzhengjie.org.cn ~]# cat /var/kerberos/krb5kdc/kpropd.acl
host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM
[root@node102.yinzhengjie.org.cn ~]#
```
4>. Initialize the primary KDC database and create the principals. The purpose of this step is to generate the "krb5.keytab" file, which the next step copies to the backup KDC
```
[root@node101.yinzhengjie.org.cn ~]# kdb5_util create -r YINZHENGJIE.COM -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'YINZHENGJIE.COM',
master key name 'K/M@YINZHENGJIE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
[root@node101.yinzhengjie.org.cn ~]#
```
```
[root@node101.yinzhengjie.org.cn ~]# kadmin.local -q "ank -randkey host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM"
Authenticating as principal root/admin@YINZHENGJIE.COM with password.
WARNING: no policy specified for host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM; defaulting to no policy
Principal "host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM" created.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# kadmin.local -q "ank -randkey host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM"
Authenticating as principal root/admin@YINZHENGJIE.COM with password.
WARNING: no policy specified for host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM; defaulting to no policy
Principal "host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM" created.
[root@node101.yinzhengjie.org.cn ~]#
```
```
[root@node101.yinzhengjie.org.cn ~]# kadmin.local -q "xst host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM"
Authenticating as principal root/admin@YINZHENGJIE.COM with password.
Entry for principal host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# kadmin.local -q "xst host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM"
Authenticating as principal root/admin@YINZHENGJIE.COM with password.
Entry for principal host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.
[root@node101.yinzhengjie.org.cn ~]#
```
```
[root@node101.yinzhengjie.org.cn ~]# klist -ket /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 05/10/2019 11:35:33 host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM (aes256-cts-hmac-sha1-96)
   2 05/10/2019 11:35:33 host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM (des3-cbc-sha1)
   2 05/10/2019 11:35:33 host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM (arcfour-hmac)
   2 05/10/2019 11:35:33 host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM (des-hmac-sha1)
   2 05/10/2019 11:35:33 host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM (des-cbc-md5)
   2 05/10/2019 11:35:43 host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM (aes256-cts-hmac-sha1-96)
   2 05/10/2019 11:35:43 host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM (des3-cbc-sha1)
   2 05/10/2019 11:35:43 host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM (arcfour-hmac)
   2 05/10/2019 11:35:43 host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM (des-hmac-sha1)
   2 05/10/2019 11:35:43 host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM (des-cbc-md5)
[root@node101.yinzhengjie.org.cn ~]#
```
5>. Copy the master node's data to the slave node
```
[root@node101.yinzhengjie.org.cn ~]# scp /etc/krb5.conf node102.yinzhengjie.org.cn:/etc/
krb5.conf                                                                  100%  647     1.6MB/s   00:00
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# scp /var/kerberos/krb5kdc/kdc.conf node102.yinzhengjie.org.cn:/var/kerberos/krb5kdc/
kdc.conf                                                                   100%  386   783.7KB/s   00:00
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# scp /var/kerberos/krb5kdc/kadm5.acl node102.yinzhengjie.org.cn:/var/kerberos/krb5kdc/
kadm5.acl                                                                  100%   26    72.0KB/s   00:00
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# scp /var/kerberos/krb5kdc/.k5.YINZHENGJIE.COM node102.yinzhengjie.org.cn:/var/kerberos/krb5kdc/
.k5.YINZHENGJIE.COM                                                        100%   80   181.2KB/s   00:00
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# scp /etc/krb5.keytab node102.yinzhengjie.org.cn:/etc/krb5.keytab
krb5.keytab                                                                100%  918     2.6MB/s   00:00
[root@node101.yinzhengjie.org.cn ~]#
```
6>. Install the corresponding packages on the other hosts, and copy the primary KDC's
```
[root@node103.yinzhengjie.org.cn ~]# yum install -y krb5-workstation krb5-devel
...
Installed:
  krb5-devel.x86_64 0:1.15.1-37.el7_6   krb5-workstation.x86_64 0:1.15.1-37.el7_6

Dependency Installed:
  keyutils-libs-devel.x86_64 0:1.5.8-3.el7   libcom_err-devel.x86_64 0:1.42.9-13.el7   libkadm5.x86_64 0:1.15.1-37.el7_6
  libselinux-devel.x86_64 0:2.5-14.1.el7     libsepol-devel.x86_64 0:2.5-10.el7        libverto-devel.x86_64 0:0.2.5-4.el7
  pcre-devel.x86_64 0:8.32-17.el7

Dependency Updated:
  krb5-libs.x86_64 0:1.15.1-37.el7_6

Complete!
[root@node103.yinzhengjie.org.cn ~]#
```
```
[root@node101.yinzhengjie.org.cn ~]# scp /etc/krb5.conf node103.yinzhengjie.org.cn:/etc/krb5.conf
krb5.conf                                                                  100%  765     1.7MB/s   00:00
[root@node101.yinzhengjie.org.cn ~]#
```
7>. Back up the configuration files (needed on both the primary and the backup)
To be updated....
II. Configure primary-to-backup KDC synchronization
1>. Start the services on the primary and backup KDCs
```
[root@node101.yinzhengjie.org.cn ~]# systemctl start krb5kdc
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# systemctl status krb5kdc
● krb5kdc.service - Kerberos 5 KDC
   Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2019-05-10 11:50:38 CST; 4s ago
  Process: 5609 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=0/SUCCESS)
 Main PID: 5610 (krb5kdc)
   CGroup: /system.slice/krb5kdc.service
           └─5610 /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid

May 10 11:50:38 node101.yinzhengjie.org.cn systemd[1]: Starting Kerberos 5 KDC...
May 10 11:50:38 node101.yinzhengjie.org.cn systemd[1]: Started Kerberos 5 KDC.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# systemctl enable krb5kdc
Created symlink from /etc/systemd/system/multi-user.target.wants/krb5kdc.service to /usr/lib/systemd/system/krb5kdc.service.
[root@node101.yinzhengjie.org.cn ~]#
```
```
[root@node101.yinzhengjie.org.cn ~]# systemctl start kadmin
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# systemctl status kadmin
● kadmin.service - Kerberos 5 Password-changing and Administration
   Loaded: loaded (/usr/lib/systemd/system/kadmin.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2019-05-10 11:51:38 CST; 1s ago
  Process: 5652 ExecStart=/usr/sbin/_kadmind -P /var/run/kadmind.pid $KADMIND_ARGS (code=exited, status=0/SUCCESS)
 Main PID: 5653 (kadmind)
   CGroup: /system.slice/kadmin.service
           └─5653 /usr/sbin/kadmind -P /var/run/kadmind.pid

May 10 11:51:38 node101.yinzhengjie.org.cn systemd[1]: Starting Kerberos 5 Password-changing and Administration...
May 10 11:51:38 node101.yinzhengjie.org.cn systemd[1]: Started Kerberos 5 Password-changing and Administration.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# systemctl enable kadmin
Created symlink from /etc/systemd/system/multi-user.target.wants/kadmin.service to /usr/lib/systemd/system/kadmin.service.
[root@node101.yinzhengjie.org.cn ~]#
```
```
[root@node102.yinzhengjie.org.cn ~]# systemctl start kprop
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]# systemctl status kprop
● kprop.service - Kerberos 5 Propagation
   Loaded: loaded (/usr/lib/systemd/system/kprop.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2019-05-10 11:52:35 CST; 1s ago
  Process: 4889 ExecStart=/usr/sbin/_kpropd $KPROPD_ARGS (code=exited, status=0/SUCCESS)
 Main PID: 4890 (kpropd)
   CGroup: /system.slice/kprop.service
           └─4890 /usr/sbin/kpropd

May 10 11:52:35 node102.yinzhengjie.org.cn systemd[1]: Starting Kerberos 5 Propagation...
May 10 11:52:35 node102.yinzhengjie.org.cn systemd[1]: Started Kerberos 5 Propagation.
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]# systemctl enable kprop
Created symlink from /etc/systemd/system/multi-user.target.wants/kprop.service to /usr/lib/systemd/system/kprop.service.
[root@node102.yinzhengjie.org.cn ~]#
```
2>. Synchronize the master KDC database to the slave KDC database
[root@node101.yinzhengjie.org.cn ~]# kdb5_util dump /var/kerberos/krb5kdc/slave_datatrans
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# kprop -f /var/kerberos/krb5kdc/slave_datatrans node102.yinzhengjie.org.cn    # If this step fails (e.g. "kprop: Key table entry not found while getting initial credentials"), check whether steps 3 and 4 of Part 1 were carried out exactly, e.g. whether the hostnames match.
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
[root@node101.yinzhengjie.org.cn ~]#
Tip:
The operations above synchronize the master KDC's credential data to the slave KDC by hand; we can write a script that runs these two commands periodically.
[root@node101.yinzhengjie.org.cn ~]# mkdir /var/kerberos/{shell,log}
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# vi /var/kerberos/shell/dump_principal.sh
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# chmod +x /var/kerberos/shell/dump_principal.sh
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# which kdb5_util
/usr/sbin/kdb5_util
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# which kprop
/usr/sbin/kprop
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat /var/kerberos/shell/dump_principal.sh
#!/bin/bash
#@author :yinzhengjie
#blog:http://www.cnblogs.com/yinzhengjie
#EMAIL:y1053419035@qq.com
#Data:Thu Oct 18 11:26:06 CST 2018

/usr/sbin/kdb5_util dump /var/kerberos/krb5kdc/slave_datatrans
/usr/sbin/kprop -f /var/kerberos/krb5kdc/slave_datatrans node102.yinzhengjie.org.cn
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# crontab -e
no crontab for root - using an empty one
crontab: installing new crontab
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# crontab -l
* * * * * /bin/date >> /var/kerberos/log/dump.log 2>&1;/var/kerberos/shell/dump_principal.sh >> /var/kerberos/log/dump.log 2>&1
* * * * * sleep 10; /bin/date >> /var/kerberos/log/dump.log 2>&1; /var/kerberos/shell/dump_principal.sh >> /var/kerberos/log/dump.log 2>&1
* * * * * sleep 20; /bin/date >> /var/kerberos/log/dump.log 2>&1; /var/kerberos/shell/dump_principal.sh >> /var/kerberos/log/dump.log 2>&1
* * * * * sleep 30; /bin/date >> /var/kerberos/log/dump.log 2>&1; /var/kerberos/shell/dump_principal.sh >> /var/kerberos/log/dump.log 2>&1
* * * * * sleep 40; /bin/date >> /var/kerberos/log/dump.log 2>&1; /var/kerberos/shell/dump_principal.sh >> /var/kerberos/log/dump.log 2>&1
* * * * * sleep 50; /bin/date >> /var/kerberos/log/dump.log 2>&1; /var/kerberos/shell/dump_principal.sh >> /var/kerberos/log/dump.log 2>&1
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# tail -100f /var/kerberos/log/dump.log
Fri May 10 14:35:21 CST 2019
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May 10 14:35:31 CST 2019
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May 10 14:35:41 CST 2019
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May 10 14:35:51 CST 2019
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May 10 14:36:01 CST 2019
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May 10 14:36:11 CST 2019
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May 10 14:36:21 CST 2019
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May 10 14:36:31 CST 2019
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May 10 14:36:41 CST 2019
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May 10 14:36:51 CST 2019
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
^C
[root@node101.yinzhengjie.org.cn ~]#
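As an added example (not the post's own dump_principal.sh), the propagation job below checks the exit status of kdb5_util and kprop, logs a failure together with kprop's error text, and counts consecutive failures in dump.log so that a stopped or unreachable slave KDC can be alerted on instead of being noticed only by reading the log. The tool paths and slave hostname follow the post; they are assumptions and can be overridden through environment variables.

```shell
#!/bin/bash
# Added example, not the post's script: dump + propagate with exit-code checks,
# and a log check usable from a monitor. Paths/hostname follow the post (assumed).
KDB5_UTIL="${KDB5_UTIL:-/usr/sbin/kdb5_util}"
KPROP="${KPROP:-/usr/sbin/kprop}"
DUMP_FILE="${DUMP_FILE:-/var/kerberos/krb5kdc/slave_datatrans}"
SLAVE="${SLAVE:-node102.yinzhengjie.org.cn}"
LOG="${LOG:-/var/kerberos/log/dump.log}"

# One dump + propagation cycle. Returns 0 on success, 1 if the dump failed,
# 2 if kprop failed. Every outcome is appended to the log with a timestamp.
propagate_once() {
    local out
    if ! out=$("$KDB5_UTIL" dump "$DUMP_FILE" 2>&1); then
        echo "$(date) dump FAILED: $out" >> "$LOG"
        return 1
    fi
    if ! out=$("$KPROP" -f "$DUMP_FILE" "$SLAVE" 2>&1); then
        echo "$(date) kprop FAILED: $out" >> "$LOG"
        return 2
    fi
    echo "$(date) $out" >> "$LOG"
    return 0
}

# Number of failed runs since the last SUCCEEDED line. Works on a dump.log written
# by the post's cron job as well as on one written by propagate_once above.
consecutive_failures() {
    awk '/SUCCEEDED/ {n=0} /FAILED|Cannot contact any KDC/ {n++} END {print n+0}' "$1"
}

# Returns 0 while fewer than $2 (default 3) runs in a row have failed, 1 otherwise.
propagation_healthy() {
    [ "$(consecutive_failures "$1")" -lt "${2:-3}" ]
}

# Constructed sample log in the post's format: two successes, then the error seen
# in the post after the slave KDC was stopped.
write_sample_log() {
    cat > "$1" <<'EOF'
Fri May 10 14:40:11 CST 2019
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May 10 14:40:21 CST 2019
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May 10 14:40:31 CST 2019
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May 10 14:40:41 CST 2019
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
EOF
}

# Invoked as a script (e.g. from cron): run one cycle and exit with its status.
if [ "${1:-}" = "--run" ]; then
    propagate_once
    exit $?
fi
```

A cron line such as the post's can call the script with `--run`, and a monitoring check can call `propagation_healthy /var/kerberos/log/dump.log` to page on a slave that has stopped accepting propagation.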
3>. Start the slave KDC service
[root@node102.yinzhengjie.org.cn ~]# systemctl start krb5kdc
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]# systemctl status krb5kdc
● krb5kdc.service - Kerberos 5 KDC
   Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2019-05-10 12:14:52 CST; 1s ago
  Process: 5201 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=0/SUCCESS)
 Main PID: 5202 (krb5kdc)
   CGroup: /system.slice/krb5kdc.service
           └─5202 /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid

May 10 12:14:52 node102.yinzhengjie.org.cn systemd[1]: Starting Kerberos 5 KDC...
May 10 12:14:52 node102.yinzhengjie.org.cn systemd[1]: Started Kerberos 5 KDC.
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]# systemctl enable krb5kdc
Created symlink from /etc/systemd/system/multi-user.target.wants/krb5kdc.service to /usr/lib/systemd/system/krb5kdc.service.
[root@node102.yinzhengjie.org.cn ~]#
4>. Log in to the kadmin.local command line
As root, run kadmin.local; kadmin.local enters and manages the Kerberos database directly, without going through Kerberos authentication.
[root@node101.yinzhengjie.org.cn ~]# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# kadmin.local
Authenticating as principal root/admin@YINZHENGJIE.COM with password.
kadmin.local:
kadmin.local:  listprincs
K/M@YINZHENGJIE.COM
host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kiprop/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
kadmin.local:
kadmin.local:  quit
[root@node101.yinzhengjie.org.cn ~]#
5>. Add an administrator user with kadmin.local
You can enter the kadmin.local command line by running "kadmin.local" directly, or use "kadmin.local -q" to specify the statement to execute.
[root@node101.yinzhengjie.org.cn ~]# kadmin.local -q "addprinc admin"
Authenticating as principal root/admin@YINZHENGJIE.COM with password.
WARNING: no policy specified for admin@YINZHENGJIE.COM; defaulting to no policy
Enter password for principal "admin@YINZHENGJIE.COM":
Re-enter password for principal "admin@YINZHENGJIE.COM":
Principal "admin@YINZHENGJIE.COM" created.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# kadmin.local -q "listprincs"
Authenticating as principal root/admin@YINZHENGJIE.COM with password.
K/M@YINZHENGJIE.COM
admin@YINZHENGJIE.COM    # This is the administrator user we just added; it was clearly created successfully.
host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kiprop/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
[root@node101.yinzhengjie.org.cn ~]#
三. Verify the availability of the Kerberos cluster
1>. Log in from the Kerberos client
[root@node103.yinzhengjie.org.cn ~]# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]# kinit admin
Password for admin@YINZHENGJIE.COM:    # Type the password and press Enter; no further output means authentication succeeded
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@YINZHENGJIE.COM

Valid starting       Expires              Service principal
05/10/2019 12:23:19  05/20/2019 12:23:19  krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
	Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]#

Explanation of the fields above:
Ticket cache: the ticket cache is stored in /tmp/krb5cc_0
Default principal: the authenticated user
Valid starting: the time authentication started
Expires: the date the ticket expires
Service principal: the principal of the service
renew until: the deadline until which the ticket can be renewed with kinit -R
Etype: the encryption type of the session key
2>. Check the running status of the master KDC
[root@node101.yinzhengjie.org.cn ~]# systemctl status krb5kdc
● krb5kdc.service - Kerberos 5 KDC
   Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2019-05-10 11:50:38 CST; 40min ago
 Main PID: 5610 (krb5kdc)
   CGroup: /system.slice/krb5kdc.service
           └─5610 /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid

May 10 11:50:38 node101.yinzhengjie.org.cn systemd[1]: Starting Kerberos 5 KDC...
May 10 11:50:38 node101.yinzhengjie.org.cn systemd[1]: Started Kerberos 5 KDC.
[root@node101.yinzhengjie.org.cn ~]#
3>. Check the running status of the slave KDC
[root@node102.yinzhengjie.org.cn ~]# systemctl status krb5kdc
● krb5kdc.service - Kerberos 5 KDC
   Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2019-05-10 12:14:52 CST; 16min ago
 Main PID: 5202 (krb5kdc)
   CGroup: /system.slice/krb5kdc.service
           └─5202 /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid

May 10 12:14:52 node102.yinzhengjie.org.cn systemd[1]: Starting Kerberos 5 KDC...
May 10 12:14:52 node102.yinzhengjie.org.cn systemd[1]: Started Kerberos 5 KDC.
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]#
4>. Stop the master KDC process and observe whether the Kerberos client still works
[root@node101.yinzhengjie.org.cn ~]# systemctl status krb5kdc
● krb5kdc.service - Kerberos 5 KDC
   Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2019-05-10 12:35:22 CST; 2s ago
  Process: 7857 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=0/SUCCESS)
 Main PID: 7858 (krb5kdc)
   CGroup: /system.slice/krb5kdc.service
           └─7858 /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid

May 10 12:35:22 node101.yinzhengjie.org.cn systemd[1]: Starting Kerberos 5 KDC...
May 10 12:35:22 node101.yinzhengjie.org.cn systemd[1]: Started Kerberos 5 KDC.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# systemctl stop krb5kdc
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# systemctl status krb5kdc
● krb5kdc.service - Kerberos 5 KDC
   Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; enabled; vendor preset: disabled)
   Active: inactive (dead) since Fri 2019-05-10 12:35:30 CST; 1s ago
  Process: 7857 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=0/SUCCESS)
 Main PID: 7858 (code=exited, status=0/SUCCESS)

May 10 12:35:22 node101.yinzhengjie.org.cn systemd[1]: Starting Kerberos 5 KDC...
May 10 12:35:22 node101.yinzhengjie.org.cn systemd[1]: Started Kerberos 5 KDC.
May 10 12:35:30 node101.yinzhengjie.org.cn systemd[1]: Stopping Kerberos 5 KDC...
May 10 12:35:30 node101.yinzhengjie.org.cn systemd[1]: Stopped Kerberos 5 KDC.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@YINZHENGJIE.COM

Valid starting       Expires              Service principal
05/10/2019 12:23:19  05/20/2019 12:23:19  krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
	Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]# kdestroy
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]# kinit admin    # After stopping the master KDC the service is still usable: the client now connects to the slave KDC.
Password for admin@YINZHENGJIE.COM:
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@YINZHENGJIE.COM

Valid starting       Expires              Service principal
05/10/2019 14:39:58  05/20/2019 14:39:58  krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
[root@node103.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]# systemctl status krb5kdc
● krb5kdc.service - Kerberos 5 KDC
   Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2019-05-10 12:14:52 CST; 2h 25min ago
 Main PID: 5202 (krb5kdc)
   CGroup: /system.slice/krb5kdc.service
           └─5202 /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid

May 10 12:14:52 node102.yinzhengjie.org.cn systemd[1]: Starting Kerberos 5 KDC...
May 10 12:14:52 node102.yinzhengjie.org.cn systemd[1]: Started Kerberos 5 KDC.
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]# systemctl stop krb5kdc
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]# systemctl status krb5kdc
● krb5kdc.service - Kerberos 5 KDC
   Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; enabled; vendor preset: disabled)
   Active: inactive (dead) since Fri 2019-05-10 14:40:24 CST; 1s ago
 Main PID: 5202 (code=exited, status=0/SUCCESS)

May 10 12:14:52 node102.yinzhengjie.org.cn systemd[1]: Starting Kerberos 5 KDC...
May 10 12:14:52 node102.yinzhengjie.org.cn systemd[1]: Started Kerberos 5 KDC.
May 10 14:40:24 node102.yinzhengjie.org.cn systemd[1]: Stopping Kerberos 5 KDC...
May 10 14:40:24 node102.yinzhengjie.org.cn systemd[1]: Stopped Kerberos 5 KDC.
[root@node102.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# tail -100f /var/kerberos/log/dump.log
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May 10 14:37:31 CST 2019
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May 10 14:37:41 CST 2019
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May 10 14:37:51 CST 2019
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May 10 14:38:01 CST 2019
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May 10 14:38:11 CST 2019
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May 10 14:38:21 CST 2019
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May 10 14:38:31 CST 2019
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May 10 14:38:41 CST 2019
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May 10 14:38:51 CST 2019
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May 10 14:39:01 CST 2019
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May 10 14:39:11 CST 2019
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May 10 14:39:21 CST 2019
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May 10 14:39:31 CST 2019
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May 10 14:39:41 CST 2019
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May 10 14:39:51 CST 2019
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May 10 14:40:01 CST 2019
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May 10 14:40:11 CST 2019
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May 10 14:40:21 CST 2019
Database propagation to node102.yinzhengjie.org.cn: SUCCEEDED
Fri May 10 14:40:31 CST 2019
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May 10 14:40:41 CST 2019
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May 10 14:40:51 CST 2019
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May 10 14:41:01 CST 2019
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May 10 14:41:11 CST 2019
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May 10 14:41:21 CST 2019
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May 10 14:41:31 CST 2019
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May 10 14:41:41 CST 2019
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May 10 14:41:51 CST 2019
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May 10 14:42:01 CST 2019
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May 10 14:42:11 CST 2019
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May 10 14:42:21 CST 2019
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May 10 14:42:31 CST 2019
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May 10 14:42:41 CST 2019
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May 10 14:42:51 CST 2019
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May 10 14:43:01 CST 2019
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May 10 14:43:11 CST 2019
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May 10 14:43:21 CST 2019
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May 10 14:43:31 CST 2019
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May 10 14:43:41 CST 2019
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May 10 14:43:51 CST 2019
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
Fri May 10 14:44:01 CST 2019
/usr/sbin/kprop: Cannot contact any KDC for requested realm while getting initial credentials
^C
[root@node101.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@YINZHENGJIE.COM

Valid starting       Expires              Service principal
05/10/2019 14:39:58  05/20/2019 14:39:58  krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]# kdestroy
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]# kinit admin    # Since we stopped both the master KDC and the slave KDC, no usable KDC can be found.
kinit: Cannot contact any KDC for realm 'YINZHENGJIE.COM' while getting initial credentials
[root@node103.yinzhengjie.org.cn ~]#