Offline migration, or backup and restore, of the KDC database. For an online migration, setting up a primary/standby KDC pair is the recommended approach instead.
Export a backup of the KDC database
$ sudo kdb5_util dump -verbose /home/dengsc/kdc/bakfile
$ ls -l /home/dengsc/kdc/
total 64
-rw------- 1 root root 55991 Sep 19 10:30 bakfile
-rw------- 1 root root 1 Sep 19 10:30 bakfile.dump_ok
Copy kdc.conf, krb5.conf, kadm5.acl and the bakfile dump to the restore host
$ scp kdc.conf kadm5.acl test01:/var/kerberos/krb5kdc/
$ scp krb5.conf test01:/etc/
$ scp bakfile test01:~/
Initialize the database on the restore host, using the same realm name as before
$ sudo kdb5_util create -r HADOOP.COM -s
Import the backup data
$ sudo kdb5_util load -verbose ~/bakfile
Log in with kadmin.local and check that the data has been restored
$ sudo kadmin.local
kadmin.local: listprincs
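The dump, copy, create and load steps above, wrapped as shell functions with the checks an operator wants before a database dump leaves the KDC. This is an added example, not code from the original post: it assumes the dump path, realm and restore host are passed in as arguments, the file layout is the one used above (/var/kerberos/krb5kdc, /etc/krb5.conf, restore host test01), and kdb5_util, scp and sudo behave as on the MIT krb5 installation the post describes.

```shell
#!/bin/sh
# Added example (not from the original post). Wraps the KDC dump / copy /
# create / load procedure and adds pre-flight checks. Paths, realm and the
# restore host "test01" are assumptions matching the post, passed as arguments.
set -u

# kdb5_util dump writes <dump>.dump_ok next to the dump only once it has
# finished writing; a dump without that marker is partial and must not be loaded.
dump_is_complete() {
    [ -s "$1" ] && [ -f "$1.dump_ok" ]
}

# The dump carries every principal's key material. Refuse to ship it unless it
# is readable by its owner only (mode 0600), which is how kdb5_util creates it.
# cut -c1-10 drops the trailing "." or "+" that ls adds for SELinux/ACL files.
dump_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Realm recorded in the dump (taken from the K/M master-key principal), so it
# can be compared with the realm given to kdb5_util create on the restore host.
dump_realm() {
    grep -o 'K/M@[^[:space:]]*' "$1" | head -n 1 | sed 's|^K/M@||'
}

# Step 1 (source KDC): dump, then verify the dump is complete and private.
export_db() {
    dump=$1
    sudo kdb5_util dump -verbose "$dump" || return 1
    dump_is_complete "$dump" && dump_is_private "$dump"
}

# Step 2: copy configs and dump to the restore host; -p preserves file modes.
ship_db() {
    dump=$1 host=$2
    dump_is_complete "$dump" && dump_is_private "$dump" || return 1
    scp -p /var/kerberos/krb5kdc/kdc.conf /var/kerberos/krb5kdc/kadm5.acl "$host:/var/kerberos/krb5kdc/" &&
    scp -p /etc/krb5.conf "$host:/etc/" &&
    scp -p "$dump" "$dump.dump_ok" "$host:~/"
}

# Step 3 (restore host): create an empty database for the same realm, then load.
restore_db() {
    dump=$1 realm=$2
    if [ "$(dump_realm "$dump")" != "$realm" ]; then
        echo "dump realm '$(dump_realm "$dump")' does not match '$realm'" >&2
        return 1
    fi
    dump_is_complete "$dump" || return 1
    sudo kdb5_util create -r "$realm" -s && sudo kdb5_util load -verbose "$dump"
}

# Usage: KDC_MIGRATE=export|ship|restore sh kdc-migrate.sh
# Nothing runs when KDC_MIGRATE is unset, so the file can also be sourced.
case "${KDC_MIGRATE:-}" in
    export)  export_db "$HOME/kdc/bakfile" ;;
    ship)    ship_db "$HOME/kdc/bakfile" test01 ;;
    restore) restore_db "$HOME/bakfile" HADOOP.COM ;;
esac
```

The realm check in restore_db catches the case where kdb5_util create is run with a different realm than the one the dump was taken from, and the .dump_ok check is the same marker kprop relies on before it propagates a dump.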
Change the kdc and admin_server hosts in krb5.conf to the local host
$ sudo vi /etc/krb5.conf
[realms]
HADOOP.COM = {
kdc = test01
admin_server = test01
}
Run kinit in debug mode (fails)
# authenticate
$ kinit -kt dengsc.keytab dengsc
kinit: Generic error (see e-text) while getting initial credentials
# debug output
$ KRB5_TRACE=/dev/stderr kinit -C admin/admin@HADOOP.COM
[158565] 1505798208.611471: Getting initial credentials for admin/admin@HADOOP.COM
[158565] 1505798208.611939: Sending request (174 bytes) to HADOOP.COM
[158565] 1505798208.612140: Resolving hostname nfjd-hadoop02-node177.jpushoa.com
[158565] 1505798208.612715: Initiating TCP connection to stream 192.168.254.226:88
[158565] 1505798208.612817: Sending TCP request to stream 192.168.254.226:88
[158565] 1505798208.613136: Received answer (175 bytes) from stream 192.168.254.226:88
[158565] 1505798208.613156: Terminating TCP connection to stream 192.168.254.226:88
[158565] 1505798208.613217: Response was not from master KDC
[158565] 1505798208.613268: Received error from KDC: -1765328324/Generic error (see e-text)
[158565] 1505798208.613310: Retrying AS request with master KDC
[158565] 1505798208.613328: Getting initial credentials for admin/admin@HADOOP.COM
[158565] 1505798208.613391: Sending request (174 bytes) to HADOOP.COM (master)
kinit: Generic error (see e-text) while getting initial credentials
Community answer on this error: https://bugzilla.redhat.com/show_bug.cgi?id=1184628
Red Hat bug: "Principal canonicalization does not work for principals in IPA realm"
Install ipa-server
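A few shell helpers for reading a KRB5_TRACE log like the one above, so the failing request can be compared with what krb5.conf is supposed to point at. This is an added example, not part of the original post; the trace text embedded in it is constructed for the example, reusing the KDC address and error code shown above, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): extract the facts that matter
# from a KRB5_TRACE log. SAMPLE_TRACE is a constructed excerpt of the trace
# shown in the post.
set -u

SAMPLE_TRACE='[158565] 1505798208.611471: Getting initial credentials for admin/admin@HADOOP.COM
[158565] 1505798208.611939: Sending request (174 bytes) to HADOOP.COM
[158565] 1505798208.612715: Initiating TCP connection to stream 192.168.254.226:88
[158565] 1505798208.613156: Terminating TCP connection to stream 192.168.254.226:88
[158565] 1505798208.613217: Response was not from master KDC
[158565] 1505798208.613268: Received error from KDC: -1765328324/Generic error (see e-text)
[158565] 1505798208.613310: Retrying AS request with master KDC'

# KDC endpoints (host:port) the client actually connected to, deduplicated.
# Compare these with the kdc = ... entries in /etc/krb5.conf: if a different
# host answered, the client is not using the config you just edited.
trace_kdc_endpoints() {
    printf '%s\n' "$1" | sed -n 's/.*connection to stream \([^ ]*\).*/\1/p' | sort -u
}

# First numeric error code returned by a KDC, or empty if none was received.
trace_kdc_error() {
    printf '%s\n' "$1" | sed -n 's/.*Received error from KDC: \(-\{0,1\}[0-9]*\)\/.*/\1/p' | head -n 1
}

# MIT krb5 reports protocol errors as KRB5KDC_ERR_NONE (-1765328384) plus the
# RFC 4120 error code, so subtracting the base gives the on-the-wire code
# (60 is KRB_ERR_GENERIC, which kinit prints as "Generic error (see e-text)").
krb5_protocol_code() {
    echo $(( $1 + 1765328384 ))
}

# True when the client discarded a replica's answer and retried the master,
# i.e. the error was authoritative only after the master also failed.
trace_retried_with_master() {
    printf '%s\n' "$1" | grep -q 'Retrying AS request with master KDC'
}

# Human-readable summary; used when the script is run directly on a trace
# file: KRB5_TRACE=/tmp/t kinit ... ; sh trace-summary.sh /tmp/t
trace_summary() {
    trace=$1
    echo "KDCs contacted: $(trace_kdc_endpoints "$trace" | tr '\n' ' ')"
    err=$(trace_kdc_error "$trace")
    if [ -n "$err" ]; then
        echo "KDC error: $err (protocol code $(krb5_protocol_code "$err"))"
    fi
    if trace_retried_with_master "$trace"; then
        echo "client retried with master KDC"
    fi
}

if [ $# -eq 1 ] && [ -f "$1" ]; then
    trace_summary "$(cat "$1")"
fi
```

Run against the trace above, the summary shows a single endpoint, 192.168.254.226:88, the error -1765328324 decoded to protocol code 60, and the fallback to the master KDC; the endpoint is the value to check against the kdc = test01 line in krb5.conf.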
$ sudo yum install ipa-server
$ rpm -qa | grep ipa-server
ipa-server-4.5.0-21.el7.centos.1.2.x86_64
ipa-server-common-4.5.0-21.el7.centos.1.2.noarch
Run the authentication again (succeeds)
$ kinit admin/admin
Password for admin/admin@HADOOP.COM:
$ klist
Ticket cache: FILE:/tmp/krb5cc_2190
Default principal: admin/admin@HADOOP.COM
Valid starting Expires Service principal
09/19/2017 13:21:11 09/20/2017 13:21:11 krbtgt/HADOOP.COM@HADOOP.COM
renew until 09/26/2017 13:21:11
$ kdestroy