Kerberos master/slave synchronization: viewing the kprop sync logs


kdc.conf on kdcmaster (/var/kerberos/krb5kdc/kdc.conf):

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 HAOHAOZHU.COM = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }


Initialize the database

[root@kdcmaster ~]# kdb5_util create -s -r HAOHAOZHU.COM
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'HAOHAOZHU.COM',
master key name 'K/M@HAOHAOZHU.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:


Add the admin principal

[root@kdcmaster ~]# kadmin.local -q "addprinc admin/admin"
Authenticating as principal root/admin@HAOHAOZHU.COM with password.
WARNING: no policy specified for admin/admin@HAOHAOZHU.COM; defaulting to no policy
Enter password for principal "admin/admin@HAOHAOZHU.COM":
Re-enter password for principal "admin/admin@HAOHAOZHU.COM":
Principal "admin/admin@HAOHAOZHU.COM" created.


Edit kadm5.acl

vi /var/kerberos/krb5kdc/kadm5.acl
*/admin@HAOHAOZHU.COM *


Start the KDC and kadmin on kdcmaster

[root@kdcmaster ~]# service krb5kdc start
Redirecting to /bin/systemctl start krb5kdc.service
[root@kdcmaster ~]# service kadmin start
Redirecting to /bin/systemctl start kadmin.service


Install Kerberos on kdcslave



yum -y install krb5-libs krb5-devel krb5-server krb5-workstation


Add the host keys on kdcmaster

[root@kdcmaster ~]# kadmin
Authenticating as principal admin/admin@HAOHAOZHU.COM with password.
Password for admin/admin@HAOHAOZHU.COM:
kadmin: addprinc -randkey host/kdcmaster
WARNING: no policy specified for host/kdcmaster@HAOHAOZHU.COM; defaulting to no policy
Principal "host/kdcmaster@HAOHAOZHU.COM" created.
kadmin: addprinc -randkey host/kdcslave
WARNING: no policy specified for host/kdcslave@HAOHAOZHU.COM; defaulting to no policy
Principal "host/kdcslave@HAOHAOZHU.COM" created.


Generate the host keytabs

kadmin: ktadd host/kdcmaster
Entry for principal host/kdcmaster with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kdcmaster with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kdcmaster with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kdcmaster with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kdcmaster with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kdcmaster with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.
kadmin: ktadd -k /tmp/kerberos-1.keytab host/kdcslave
Entry for principal host/kdcslave with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/tmp/kerberos-1.keytab.
Entry for principal host/kdcslave with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/tmp/kerberos-1.keytab.
Entry for principal host/kdcslave with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/tmp/kerberos-1.keytab.
Entry for principal host/kdcslave with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/tmp/kerberos-1.keytab.
Entry for principal host/kdcslave with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/tmp/kerberos-1.keytab.
Entry for principal host/kdcslave with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/tmp/kerberos-1.keytab.


Copy /tmp/kerberos-1.keytab to the /etc directory on kdcslave and name it krb5.keytab

[root@kdcmaster ~]# scp /tmp/kerberos-1.keytab root@kdcslave:/etc/krb5.keytab
The authenticity of host 'kdcslave (172.16.16.82)' can't be established.
ECDSA key fingerprint is SHA256:mXyA1uwn8huNuzL3LPZMl1YU0lpoqKP093F88zWRONI.
ECDSA key fingerprint is MD5:f5:01:60:29:98:bb:b7:18:1b:a1:f2:4b:b5:20:37:4e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'kdcslave,172.16.16.82' (ECDSA) to the list of known hosts.
root@kdcslave's password:
kerberos-1.keytab


Edit /etc/krb5.conf on kdcmaster and add the kdc entries

HAOHAOZHU.COM = {
 kdc = kdcmaster
 kdc = kdcslave
 admin_server = kdcmaster
}


Copy the following files from kdcmaster to the corresponding directories on kdcslave

scp /etc/krb5.conf root@kdcslave:/etc/
scp /var/kerberos/krb5kdc/kdc.conf root@kdcslave:/var/kerberos/krb5kdc/
scp /var/kerberos/krb5kdc/kadm5.acl root@kdcslave:/var/kerberos/krb5kdc/
scp /var/kerberos/krb5kdc/.k5.HAOHAOZHU.COM root@kdcslave:/var/kerberos/krb5kdc/


Create kpropd.acl on all nodes

vi /var/kerberos/krb5kdc/kpropd.acl
host/kdcmaster@HAOHAOZHU.COM
host/kdcslave@HAOHAOZHU.COM


Start kpropd on kdcslave

[root@kdcslave ~]# kpropd -dS
ready
waiting for a kprop connection


Dump the database on kdcmaster and propagate it to kdcslave

[root@kdcmaster ~]# kdb5_util dump /var/kerberos/krb5kdc/slave_datatrans
[root@kdcmaster ~]# kprop -f /var/kerberos/krb5kdc/slave_datatrans kdcslave
Database propagation to kdcslave: SUCCEEDED


Log on kdcslave

[root@kdcslave ~]# kpropd -dS
ready
waiting for a kprop connection
Connection from kdcmaster
krb5_recvauth(4, kprop5_01, host/kdcslave@HAOHAOZHU.COM, ...)
authenticated client: host/kdcmaster@HAOHAOZHU.COM (etype == Triple DES cbc mode with HMAC/sha1)
Full propagation transfer started.
Full propagation transfer finished.
calling kdb5_util to load database
Load PID is 3565
Database load process for full propagation completed.
waiting for a kprop connection


Now start the KDC on the kdcslave node and check whether the data has been synchronized over

[root@kdcslave krb5kdc]# kadmin.local
Authenticating as principal root/admin@HAOHAOZHU.COM with password.
kadmin.local: list_principals
K/M@HAOHAOZHU.COM
admin/admin@HAOHAOZHU.COM
host/kdcmaster@HAOHAOZHU.COM
host/kdcslave@HAOHAOZHU.COM
kadmin/admin@HAOHAOZHU.COM
kadmin/changepw@HAOHAOZHU.COM
kadmin/kdcmaster.lan@HAOHAOZHU.COM
kiprop/kdcmaster.lan@HAOHAOZHU.COM
krbtgt/HAOHAOZHU.COM@HAOHAOZHU.COM


As you can see, the data has been synchronized. What remains is to write a script that synchronizes the database on a schedule.
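The scheduled sync script that the last sentence calls for, as an added example that is not part of the original post. It reuses the dump path /var/kerberos/krb5kdc/slave_datatrans and the slave name kdcslave from the steps above, and assumes the master's host principal is already listed in each slave's kpropd.acl, since kpropd only accepts a database push from a principal named there. The log file path, the KDB5_UTIL/KPROP overrides and the "run" argument are conventions of this script, not of MIT Kerberos. The script dumps the master database once, runs kprop against every slave, and counts a slave as updated only when kprop prints the exact "Database propagation to <slave>: SUCCEEDED" line seen above; any other result is logged as a failure and reflected in the exit status, so a slave quietly left serving stale keys is visible instead of assumed in sync.

```shell
#!/bin/sh
# Scheduled full propagation from the master KDC to one or more slave KDCs.
# Added example, not from the original post. Assumptions: the dump path and
# slave name match the setup above; LOG_FILE, the KDB5_UTIL/KPROP overrides
# and the "run" argument are conventions of this script, not of MIT Kerberos.

DUMP_FILE="${DUMP_FILE:-/var/kerberos/krb5kdc/slave_datatrans}"
SLAVES="${SLAVES:-kdcslave}"          # space-separated list of slave KDC hosts
KDB5_UTIL="${KDB5_UTIL:-kdb5_util}"   # overridable so the logic can be exercised with stubs
KPROP="${KPROP:-kprop}"
LOG_FILE="${LOG_FILE:-/var/log/kprop-sync.log}"

# Append a timestamped line to the sync log.
log() {
    printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*" >> "$LOG_FILE"
}

# propagation_ok SLAVE OUTPUT
# Succeeds only if kprop's output contains the exact success line kprop prints
# (the "Database propagation to kdcslave: SUCCEEDED" line shown above).
propagation_ok() {
    case "$2" in
        *"Database propagation to $1: SUCCEEDED"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Dump the master database once, then push it to every slave in SLAVES.
# Returns the number of slaves whose propagation failed (0 = all in sync),
# or 255 if the dump itself failed and nothing was propagated.
sync_slaves() {
    failed=0
    if ! "$KDB5_UTIL" dump "$DUMP_FILE"; then
        log "kdb5_util dump to $DUMP_FILE FAILED; no slave updated"
        return 255
    fi
    for slave in $SLAVES; do
        # Capture kprop's output (stdout and stderr) and judge it by content,
        # so a slave that refuses the connection is logged rather than skipped.
        out=$("$KPROP" -f "$DUMP_FILE" "$slave" 2>&1) || true
        if propagation_ok "$slave" "$out"; then
            log "propagation to $slave succeeded"
        else
            log "propagation to $slave FAILED: $out"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Run the sync when invoked with the "run" argument, e.g. from cron every 10 minutes:
#   */10 * * * * /usr/local/sbin/kprop-sync.sh run
if [ "${1:-}" = "run" ]; then
    sync_slaves
    exit $?
fi
```

Install it on kdcmaster, add the cron line from the comment, and add further slaves by setting SLAVES in the crontab environment or at the top of the script; a non-zero exit from cron then corresponds to the number of slaves that did not confirm the propagation.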