CentOS 7.5 Kerberos master/slave configuration


Host plan:

192.168.2.132 master
192.168.2.131 slave

Environment:
Name     Version
CentOS   CentOS release 7.5


1) Download jce_policy-8.zip (the JCE unlimited-strength policy files, required for AES-256):

cp jce_policy-8.zip /usr/java/jdk1.8.0_152/jre/lib/security
unzip jce_policy-8.zip


2) Install the KDC server and client

yum -y install krb5-libs krb5-server krb5-workstation

Client hosts only: yum -y install krb5-libs krb5-workstation
軟件包 krb5-libs-1.15.1-18.el7.x86_64 已安裝並且是最新版本
軟件包 krb5-server-1.15.1-18.el7.x86_64 已安裝並且是最新版本
軟件包 krb5-workstation-1.15.1-18.el7.x86_64 已安裝並且是最新版本

Configure host names:
vi /etc/hosts
192.168.2.132 bigdata003
192.168.2.131 bigdata002

vi /etc/krb5.conf
******************************************************************
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]

dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = STARYEA.COM
udp_preference_limit = 1
clockskew = 300
renewable = true
#default_ccache_name = KEYRING:persistent:%{uid}


[realms]
STARYEA.COM = {
admin_server = bigdata003:749
kdc = bigdata003:88
kdc = bigdata002:88
}

[domain_realm]
.staryea.com = STARYEA.COM
staryea.com = STARYEA.COM

*******************************************************************************
Configure the KDC:
vi /var/kerberos/krb5kdc/kdc.conf

*******************************************************************************
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88

[realms]
STARYEA.COM = {
master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
max_life = 24h
max_renewable_life = 10d
default_principal_flags= +renewable,+forwardable
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}


******************************************************************************
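As an added example (not from the original post or from MIT Kerberos), the Python below parses the krb5.conf and kdc.conf stanzas above and reports two things worth checking before going live: whether the realm lists a second kdc so clients can fail over to the slave, and whether supported_enctypes still enables the deprecated DES, 3DES and RC4 types. parse_profile and audit are hypothetical helpers; the config text is copied from this page and trimmed to the stanzas the checks use.

```python
import re
# Constructed input: the krb5.conf and kdc.conf lines from this page that the
# checks below need (values copied unchanged, other stanzas omitted).
KRB5_CONF = """
[libdefaults]
default_realm = STARYEA.COM
#default_ccache_name = KEYRING:persistent:%{uid}
[realms]
STARYEA.COM = {
kdc = bigdata003:88
kdc = bigdata002:88
}
"""
KDC_CONF = """
[realms]
STARYEA.COM = {
master_key_type = aes256-cts
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
"""
WEAK_PREFIXES = ("des-", "des3-", "arcfour-", "rc4-")  # deprecated by MIT: single DES, 3DES, RC4

def parse_profile(text):
    """Parse krb5 profile text: [section] headers, 'key = {' nests, repeated keys become lists."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            stack = [root.setdefault(m.group(1), {})]
        elif line == "}":
            stack.pop()
        elif "=" in line and stack:
            key, value = (p.strip() for p in line.split("=", 1))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1].setdefault(key, []).append(value)
    return root

def audit(krb5_text, kdc_text):
    # Findings for the default realm: missing KDC redundancy, deprecated enctypes.
    krb5, kdc = parse_profile(krb5_text), parse_profile(kdc_text)
    realm, findings = krb5["libdefaults"]["default_realm"][0], []
    if len(krb5["realms"].get(realm, {}).get("kdc", [])) < 2:
        findings.append("only one kdc entry: clients cannot fail over to the slave")
    enctypes = kdc["realms"].get(realm, {}).get("supported_enctypes", [""])[0].split()
    weak = [e for e in enctypes if e.startswith(WEAK_PREFIXES)]
    if weak:
        findings.append("deprecated enctypes in supported_enctypes: " + " ".join(weak))
    return findings
```

On this page's files audit(KRB5_CONF, KDC_CONF) reports only the enctype finding; once the des/arcfour entries are dropped from supported_enctypes it returns an empty list.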

3) Create the database and add an administrator

Create the KDC database on the master:
kdb5_util create -r STARYEA.COM -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'STARYEA.COM',
master key name 'K/M@STARYEA.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: 
Re-enter KDC database master key to verify: 

Add a database administrator:


kadmin.local -q "addprinc admin/admin"
Authenticating as principal root/admin@STARYEA.COM with password.
WARNING: no policy specified for admin/admin@STARYEA.COM; defaulting to no policy
Enter password for principal "admin/admin@STARYEA.COM": 
Re-enter password for principal "admin/admin@STARYEA.COM": 
Principal "admin/admin@STARYEA.COM" created.

Edit /var/kerberos/krb5kdc/kadm5.acl:

*/admin@STARYEA.COM *

4) Start the services
/bin/systemctl start krb5kdc.service
/bin/systemctl start kadmin.service

Enable them at boot: chkconfig krb5kdc on
chkconfig kadmin on

5) Check the logs
/var/log/krb5kdc.log and /var/log/kadmind.log

Use kinit to verify that the admin principal was created successfully:
kinit admin/admin@STARYEA.COM
Password for admin/admin@STARYEA.COM:

[root@bigdata003 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@STARYEA.COM

Valid starting Expires Service principal
2018-08-19T19:16:37 2018-08-20T19:16:37 krbtgt/STARYEA.COM@STARYEA.COM


6) Configure the slave KDC
Create the host principals and their keytab entries on the master:

[root@kerberos ~]# kadmin.local

kadmin: addprinc -randkey host/bigdata003    # add the principal

kadmin: ktadd host/bigdata003                # write its key to the keytab

kadmin: addprinc -randkey host/bigdata002    # add the principal

kadmin: ktadd host/bigdata002                # write its key to the keytab

Copy the following files from the master to the slave:
krb5.conf, kdc.conf, kadm5.acl and the master key stash file

[root@kerberos ~]# scp /etc/krb5.conf root@192.168.2.131:/etc
[root@kerberos ~]# scp /var/kerberos/krb5kdc/kdc.conf root@192.168.2.131:/var/kerberos/krb5kdc/
[root@kerberos ~]# scp /var/kerberos/krb5kdc/kadm5.acl root@192.168.2.131:/var/kerberos/krb5kdc/
[root@kerberos ~]# scp /var/kerberos/krb5kdc/.k5.STARYEA.COM root@192.168.2.131:/var/kerberos/krb5kdc/.k5.STARYEA.COM


7) Create the database on the slave (bigdata002)
kdb5_util create -r STARYEA.COM -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'STARYEA.COM',
master key name 'K/M@STARYEA.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: 
Re-enter KDC database master key to verify:

# Create the host keytab entry on the slave:

kadmin.local

kadmin: addprinc -randkey host/bigdata002    # add the principal
kadmin: ktadd host/bigdata002                # write its key to the keytab

# Create the kpropd.acl file on the slave
vi /var/kerberos/krb5kdc/kpropd.acl

with the following content:
host/bigdata003@STARYEA.COM
host/bigdata002@STARYEA.COM

# Start the kpropd service on the slave
[root@bigdata002 krb5kdc]# kpropd -S
[root@bigdata002 krb5kdc]# ps -ef|grep kprop
root 32709 1 0 21:19 ? 00:00:00 kpropd -S

# On the slave, export host/bigdata002 into /etc/krb5.keytab
[root@bigdata002 krb5kdc]# kadmin
Authenticating as principal admin/admin@STARYEA.COM with password.
Password for admin/admin@STARYEA.COM:
kadmin: ktadd host/bigdata002

Open a new terminal.
Synchronise the data: on the master, dump the database and propagate it to the slave:
[root@bigdata003 ~]# kdb5_util dump /var/kerberos/krb5kdc/kdc.dump
[root@kerberos ~]# kprop -f /var/kerberos/krb5kdc/kdc.dump bigdata002

This fails when host/bigdata002 is not yet present in /etc/krb5.keytab on the slave;
the key has to be exported on the slave first.
Run the following (it should really be done before synchronising):
[root@bigdata002 krb5kdc]# kadmin
Authenticating as principal admin/admin@STARYEA.COM with password.
Password for admin/admin@STARYEA.COM:
kadmin: ktadd host/bigdata002

[root@bigdata003 log]# kprop -f /var/kerberos/krb5kdc/kdc.dump bigdata002
Database propagation to bigdata002: SUCCEEDED
[root@bigdata003 log]#

On the slave, /var/kerberos/krb5kdc/ now contains some additional files, such as:


8) At this point the KDC service on the slave can be started
Start the service:
/bin/systemctl start krb5kdc.service


With several slaves, a scheduled propagation script (run from cron on the master) can look like this:

#!/bin/sh
# Dump the master KDC database and push it to every slave listed in kdclist.
# kprop authenticates with the master's host principal in /etc/krb5.keytab (created in step 6).
kdclist="bigdata002 bigdata001"   # sh assignments take no spaces around '='

kdb5_util dump /var/kerberos/krb5kdc/slave_datatrans || exit 1

for kdc in $kdclist
do
    kprop -f /var/kerberos/krb5kdc/slave_datatrans $kdc || echo "propagation to $kdc failed" >&2
done


9) Test: kinit on bigdata001
Create the host/bigdata001 principal, then export its keytab:
kadmin: xst -kt /etc/bigdata001.keytab host/bigdata001
scp /etc/bigdata001.keytab bigdata001:/etc
[root@bigdata003 etc]# kdb5_util dump /var/kerberos/krb5kdc/kdc.dump
[root@bigdata003 etc]# kprop -f /var/kerberos/krb5kdc/kdc.dump bigdata002
Database propagation to bigdata002: SUCCEEDED


Stop the master KDC (so the request has to be served by the slave):
/bin/systemctl stop krb5kdc.service

[root@bigdata001 etc]# kinit -kt /etc/bigdata001.keytab host/bigdata001
[root@bigdata001 etc]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/bigdata001@STARYEA.COM

Valid starting Expires Service principal
2018-08-20T08:03:50 2018-08-21T08:03:50 krbtgt/STARYEA.COM@STARYEA.COM
renew until 2018-08-27T08:03:50
