Kerberos HA Setup - 7challa/cloudera-kerberize-encrypt GitHub Wiki
Follow the steps to install the krb5-server package. Add the secondary KDC host to the krb5.conf file and restart krb5kdc:

```
[realms]
HADOOPSECURITY.COM = {
  kdc = secure.hadoop1.example.com
  kdc = secure.hadoop2.example.com
  admin_server = secure.hadoop.example.com
}
```
Add host principals for the primary and secondary KDCs. Do this on the primary KDC:

```
kadmin.local <<EOJ
addprinc -randkey host/${name}
EOJ
```

where ${name} is replaced with the host name of each master and slave KDC.
Extract the keys of the master and slave KDCs to a keytab:

```
kadmin.local <<EOJ
ktadd -norandkey host/${name}
EOJ
```

Note: Without -norandkey, ktadd changes the keys of the existing principals, and existing keytabs for them are no longer valid until the credentials are re-generated.

where ${name} is the FQDN of each master and slave KDC.
You can check the keys in the keytab by running the command below on the master KDC:

```
klist -ekt /etc/krb5.keytab
```

Copy /etc/krb5.keytab from the master to /etc on all slaves.

On the secondary KDC, start the kprop service:

```
service kprop start
```
Copy everything under /var/kerberos/krb5kdc/ on the primary KDC to the same path on the secondary KDC.

It may fail on the first attempt if /var/kerberos/krb5kdc/kpropd.acl does not exist. Create it with the script below:

```
REALM=HADOOPSECURITY.COM   # the realm name from krb5.conf above
# one ACL entry per KDC host principal
for name in $(cat kdc_hosts.txt); do
  echo "host/${name}@${REALM}" >> /var/kerberos/krb5kdc/kpropd.acl
done
```

where kdc_hosts.txt contains the FQDNs of both the master and the slave KDCs.

kpropd.acl should exist only on the slave KDCs; kadmin may not run if a kpropd.acl file exists on the master KDC. If kpropd.acl is missing, you will get the error below when starting kprop:
```
Assertion failed on job for kprop.service.
```

Check /etc/services to confirm krb5_prop is listed:

```
[root@localhost]# cat /etc/services | grep krb5_prop
krb5_prop 754/tcp tell # Kerberos slave propagation
```
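Before the first propagation it is worth confirming that the pieces above agree with each other: every KDC in kdc_hosts.txt should have a kdc entry in krb5.conf, a host principal in the keytab, and a line in kpropd.acl. The check below is an added example, not part of the wiki; the function and file names are my own, and the klist output and config files are constructed samples (on a real KDC point it at the live files instead).

```sh
#!/bin/sh
# Added check (not part of the wiki): confirm every KDC in kdc_hosts.txt is
# listed as a kdc= entry in krb5.conf, has a host/<fqdn>@REALM key in the
# keytab (per "klist -ekt" output) and is allowed in kpropd.acl.
# All inputs are files, so it runs offline against the constructed samples
# below; on a real KDC point it at the live files instead.

# missing_kdc_entries KDC_LIST KRB5_CONF KLIST_OUTPUT KPROPD_ACL REALM
# Prints "<file> <host>" for each gap; returns 1 if any gap was found.
missing_kdc_entries() {
    kdcs=$1; conf=$2; klist_out=$3; acl=$4; realm=$5; rc=0
    while read -r host; do
        [ -z "$host" ] && continue
        grep -Eq "^[[:space:]]*kdc[[:space:]]*=[[:space:]]*${host}([[:space:]:]|$)" "$conf" \
            || { echo "krb5.conf $host"; rc=1; }
        grep -Fq "host/${host}@${realm}" "$klist_out" \
            || { echo "keytab $host"; rc=1; }
        grep -Fxq "host/${host}@${realm}" "$acl" \
            || { echo "kpropd.acl $host"; rc=1; }
    done < "$kdcs"
    return $rc
}

# Constructed samples: the slave's host key is missing from the keytab and
# kpropd.acl lists only the master, so both gaps should be reported.
tmp=$(mktemp -d)
printf 'secure.hadoop1.example.com\nsecure.hadoop2.example.com\n' > "$tmp/kdc_hosts.txt"
cat > "$tmp/krb5.conf" <<'EOF'
[realms]
 HADOOPSECURITY.COM = {
  kdc = secure.hadoop1.example.com
  kdc = secure.hadoop2.example.com
  admin_server = secure.hadoop.example.com
 }
EOF
cat > "$tmp/klist.out" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/01/2020 00:00:00 host/secure.hadoop1.example.com@HADOOPSECURITY.COM (aes256-cts-hmac-sha1-96)
EOF
printf 'host/secure.hadoop1.example.com@HADOOPSECURITY.COM\n' > "$tmp/kpropd.acl"

if missing_kdc_entries "$tmp/kdc_hosts.txt" "$tmp/krb5.conf" "$tmp/klist.out" \
                       "$tmp/kpropd.acl" HADOOPSECURITY.COM; then
    echo "all KDCs consistent"
else
    echo "fix the gaps above before running kprop"
fi
```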
On the master server, run the commands below manually the first time to confirm that DB propagation succeeds:

```
[root@localhost ]# /usr/sbin/kdb5_util dump /var/kerberos/krb5kdc/kdc_dump/slave_datatrans
[root@localhost ]# /usr/sbin/kprop -f /var/kerberos/krb5kdc/kdc_dump/slave_datatrans <slave KDC>
Database propagation to <slave KDC>: SUCCEEDED
```

You can automate this with the script below and a cron job that runs it every 15 minutes or so.
```
#!/bin/sh
# Dump the KDC database on the master and push it to every slave KDC listed
# in /opt/kerberos/kdc_slaves.txt (one FQDN per line). Intended to run from cron.
LOG_FILE=/var/log/kdcdb_prop.log
DUMP_FILE=/var/kerberos/krb5kdc/kdc_dump/slave_datatrans
slave_kdcs=$(cat /opt/kerberos/kdc_slaves.txt)
echo "KDC DB Propagation Started @ $(date '+%Y-%m-%d %H:%M:%S')" >> "$LOG_FILE"
# Extract and dump the DB to a file; skip propagation if the dump fails,
# so a broken dump is never pushed to the slaves
if /usr/sbin/kdb5_util dump "$DUMP_FILE" >> "$LOG_FILE" 2>&1; then
    # Propagate the DB file to each slave KDC
    for slave_kdc in $slave_kdcs
    do
        echo "Propagating to $slave_kdc" >> "$LOG_FILE"
        /usr/sbin/kprop -f "$DUMP_FILE" "$slave_kdc" >> "$LOG_FILE" 2>&1
    done
else
    echo "kdb5_util dump failed, propagation skipped" >> "$LOG_FILE"
fi
echo "KDC DB Propagation Ended @ $(date '+%Y-%m-%d %H:%M:%S')" >> "$LOG_FILE"
```
Note: The following URL has some useful troubleshooting tips.

[Troubleshooting_Tips](http://research.imb.uq.edu.au/~l.rathbone/ldap/kerberos.shtml)