Introduction to Kerberos high availability
1. Kerberos master/slave: when the master goes down, clients automatically fail over to the slave
2. Master-to-slave data synchronization requires a script you write yourself
Ports Kerberos needs
Master:
KDC 88
kadmin 749
Slave node:
kpropd 754
Environment
3 CentOS 7.5 servers:
Master: ip1
Slave: ip2
Client: ip3
Procedure
1. Environment preparation
1.1 Configure hosts
Run vim /etc/hosts on each server and add the host entries
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
ip1 hostname1
ip2 hostname2
ip3 hostname3
Set the hostname on each server
hostname hostname1
hostname hostname2
hostname hostname3
1.2 Stop the firewall
systemctl stop firewalld.service
2. Install krb5
Run on the master:
yum -y install krb5-server krb5-auth-dialog krb5-workstation krb5-devel krb5-libs
Run on the slave:
yum install -y krb5-server openldap-clients krb5-workstation krb5-libs
Run on the client:
yum install -y krb5-workstation krb5-devel
3. Modify the configuration
3.1 Modify three files on the master node:
vim /etc/krb5.conf
Note that the realm is configured as EXAMPLE.COM here
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = EXAMPLE.COM
udp_preference_limit = 1
clockskew = 120
default_tgs_enctypes = arcfour-hmac
default_tkt_enctypes = arcfour-hmac
[realms]
EXAMPLE.COM = {
kdc = hostname1:88
kdc = hostname2:88
admin_server = hostname1:749
default_domain = example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
vim /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
EXAMPLE.COM = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
vim /var/kerberos/krb5kdc/kadm5.acl
*/admin@EXAMPLE.COM *
3.2 Create this file on the backup node
vim /var/kerberos/krb5kdc/kpropd.acl
host/hostname1@EXAMPLE.COM
host/hostname2@EXAMPLE.COM
4 Initialize the database and generate krb5.keytab on the master node
4.1 Initialize the database
kdb5_util create -r EXAMPLE.COM -s
4.2 Generate krb5.keytab
kadmin.local -q "ank -randkey host/hostname1@EXAMPLE.COM"
kadmin.local -q "ank -randkey host/hostname2@EXAMPLE.COM"
kadmin.local -q "xst host/hostname1@EXAMPLE.COM"
kadmin.local -q "xst host/hostname2@EXAMPLE.COM"
klist -ket /etc/krb5.keytab
5 Copy the configuration files and keytab from the master to the slave node
cd /var/kerberos/krb5kdc
scp .k5.EXAMPLE.COM hostname2:$PWD
scp kadm5.acl hostname2:$PWD
scp kdc.conf hostname2:$PWD
cd /etc
scp krb5.keytab hostname2:$PWD
scp krb5.conf hostname2:$PWD
scp krb5.keytab hostname2:/var/kerberos/krb5kdc/
6 Start the services on the master node
systemctl enable krb5kdc.service
systemctl enable kadmin.service
systemctl start krb5kdc.service
systemctl start kadmin.service
7 Add an administrator account on the master
kadmin.local -q "addprinc admin"
8. Start kprop on the backup node
kpropd -S
systemctl start kprop
systemctl status kprop
systemctl enable kprop
9 Synchronize the data
Run on the master:
kdb5_util dump /var/kerberos/krb5kdc/slave_datatrans
kprop -f /var/kerberos/krb5kdc/slave_datatrans hostname2
Expected output:
Database propagation to hostname2: SUCCEEDED
This step is likely to fail. If it does, check whether the slave node's keytab file is usable, whether the firewall is blocking the connection, whether the slave's kpropd.acl is correct, and so on.
After it succeeds, files whose names start with principal appear in /var/kerberos/krb5kdc on the backup node.
10 Start the KDC on the slave node
systemctl enable krb5kdc.service
systemctl start krb5kdc.service
11 Testing
11.1 Check the KDC status on both the master and the slave
systemctl status krb5kdc.service
11.2 Watch the logs on both servers
tail -f /var/log/krb5kdc.log
11.3 Run kinit on the master and watch the logs: the request is logged on hostname1
11.4 Stop or kill the master's KDC and run kinit again: the request is now logged on hostname2
Write the database synchronization script on the master node
vim /var/kerberos/kprop_trans.sh
#!/bin/bash
# Dump the KDC database and propagate it to the slave's kpropd
DUMP=/var/kerberos/krb5kdc/slave_datatrans
REALM=EXAMPLE.COM
PORT=754
SLAVE="hostname2"
LOGFILE=/var/kerberos/jump.log
CURRENT_TIME=$(date)
SUFFIX=$(date "+%Y.%m.%d")
# One log file per day; record when this run started
echo "$CURRENT_TIME" >> "${LOGFILE}.${SUFFIX}"
# Stop here if the dump fails, so a stale or partial dump is never propagated
kdb5_util dump "$DUMP" || { echo "kdb5_util dump failed" >> "${LOGFILE}.${SUFFIX}"; exit 1; }
# Capture stderr as well, so kprop errors end up in the log instead of only in cron mail
/usr/sbin/kprop -r "$REALM" -f "$DUMP" -d -P "$PORT" "$SLAVE" >> "${LOGFILE}.${SUFFIX}" 2>&1
crontab -e
*/10 * * * * /var/kerberos/kprop_trans.sh
crontab -l
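A health check for the cron job above, as an added example that is not part of the original post: it reads the jump.log.<date> file that kprop_trans.sh appends to and reports whether the most recent propagation to the slave succeeded, so the failures step 9 warns about do not go unnoticed. It assumes kprop's stdout and stderr both reach that log, and it uses a constructed sample log so it runs offline.

```shell
#!/bin/bash
# Added example, not part of the original post: a health check for the
# cron-driven kprop sync. It reads the log that kprop_trans.sh appends to and
# reports whether the most recent propagation to the slave succeeded.
# Assumptions: both stdout and stderr of kprop land in the log, success is the
# "Database propagation to <host>: SUCCEEDED" line from step 9, and a failed
# run leaves a line starting with "kprop: " instead.

# Prints "ok <host>" if the last recorded run succeeded, "failed <reason>" if
# it logged a kprop error, or "unknown" if the log holds neither.
kprop_last_status() {
    local log="$1" last host
    last=$(grep -E '^Database propagation to .*: SUCCEEDED$|^kprop: ' "$log" 2>/dev/null | tail -n 1)
    case "$last" in
        "Database propagation to "*": SUCCEEDED")
            host=${last#"Database propagation to "}
            echo "ok ${host%": SUCCEEDED"}" ;;
        "kprop: "*)
            echo "failed ${last#"kprop: "}" ;;
        *)
            echo "unknown" ;;
    esac
}

# Number of failed runs recorded in the log (one "kprop: " line per failure).
kprop_failure_count() {
    grep -c '^kprop: ' "$1" 2>/dev/null || true
}

# Exit status for a monitoring check: 0 when the last run succeeded, 1 otherwise.
kprop_sync_healthy() {
    case "$(kprop_last_status "$1")" in
        "ok "*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Constructed sample log in the shape kprop_trans.sh writes (a date line, then
# kprop's output), so the check can be exercised without a KDC.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Tue Mar  5 10:00:01 CST 2019
Database propagation to hostname2: SUCCEEDED
Tue Mar  5 10:10:01 CST 2019
kprop: Connection refused while connecting to server
Tue Mar  5 10:20:01 CST 2019
Database propagation to hostname2: SUCCEEDED
EOF

kprop_last_status "$SAMPLE_LOG"     # ok hostname2
kprop_failure_count "$SAMPLE_LOG"   # 1
kprop_sync_healthy "$SAMPLE_LOG" && echo "sync healthy"
```

Pointing the functions at /var/kerberos/jump.log.$(date "+%Y.%m.%d") gives a check that can run from cron or a monitoring agent on the master.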
Manual recovery procedure for admin_server:
Stop kprop on the standby node
systemctl stop kprop
Rename /var/kerberos/krb5kdc/kpropd.acl to /var/kerberos/krb5kdc/kpropd.acl.bak
Start the admin server and the KDC on the slave node
systemctl enable krb5kdc.service
systemctl enable kadmin.service
systemctl start krb5kdc.service
systemctl start kadmin.service
Stop the admin server and the KDC on the master node
systemctl stop kadmin.service
systemctl stop krb5kdc.service
Verify
kadmin.local works