Offline migration, or backup and restore, of the KDC database. For an online migration, setting up a master/replica KDC pair is the recommended approach instead.
Export a backup of the KDC database
$ sudo kdb5_util dump -verbose /home/dengsc/kdc/bakfile
$ ls -l /home/dengsc/kdc/
total 64
-rw------- 1 root root 55991 Sep 19 10:30 bakfile
-rw------- 1 root root     1 Sep 19 10:30 bakfile.dump_ok
Copy kdc.conf, krb5.conf, kadm5.acl and bakfile to the recovery host
$ scp kdc.conf kadm5.acl test01:/var/kerberos/krb5kdc/
$ scp krb5.conf test01:/etc/
$ scp bakfile test01:~/
Initialize the database on the recovery host, using the same realm name as before
$ sudo kdb5_util create -r HADOOP.COM -s
Import the backup data
$ sudo kdb5_util load -verbose ~/bakfile
Log in to kadmin.local and check that the data has been restored
$ sudo kadmin.local
kadmin.local: listprincs
Edit krb5.conf so that kdc and admin_server point to the local host
$ sudo vi /etc/krb5.conf
[realms]
HADOOP.COM = {
  kdc = test01
  admin_server = test01
}
Run kinit in debug mode (fails)
$ kinit -kt dengsc.keytab dengsc
kinit: Generic error (see e-text) while getting initial credentials
# debug output
$ KRB5_TRACE=/dev/stderr kinit -C admin/admin@HADOOP.COM
[158565] 1505798208.611471: Getting initial credentials for admin/admin@HADOOP.COM
[158565] 1505798208.611939: Sending request (174 bytes) to HADOOP.COM
[158565] 1505798208.612140: Resolving hostname nfjd-hadoop02-node177.jpushoa.com
[158565] 1505798208.612715: Initiating TCP connection to stream 192.168.254.226:88
[158565] 1505798208.612817: Sending TCP request to stream 192.168.254.226:88
[158565] 1505798208.613136: Received answer (175 bytes) from stream 192.168.254.226:88
[158565] 1505798208.613156: Terminating TCP connection to stream 192.168.254.226:88
[158565] 1505798208.613217: Response was not from master KDC
[158565] 1505798208.613268: Received error from KDC: -1765328324/Generic error (see e-text)
[158565] 1505798208.613310: Retrying AS request with master KDC
[158565] 1505798208.613328: Getting initial credentials for admin/admin@HADOOP.COM
[158565] 1505798208.613391: Sending request (174 bytes) to HADOOP.COM (master)
kinit: Generic error (see e-text) while getting initial credentials
Community answer regarding this error: https://bugzilla.redhat.com/show_bug.cgi?id=1184628
Red Hat release bug: "Principal canonicalization does not work for principals in IPA realm"
Install ipa-server
$ sudo yum install ipa-server
$ rpm -qa | grep ipa-server
ipa-server-4.5.0-21.el7.centos.1.2.x86_64
ipa-server-common-4.5.0-21.el7.centos.1.2.noarch
Run the authentication again (succeeds)
$ kinit admin/admin
Password for admin/admin@HADOOP.COM:
$ klist
Ticket cache: FILE:/tmp/krb5cc_2190
Default principal: admin/admin@HADOOP.COM
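Eyeballing listprincs after the load is easy to get wrong on a large realm. The following script, added here as an example and not part of the original post, checks the dump file from the kdb5_util dump step (its .dump_ok marker and the integrity of each princ record) and lists principals that are in the dump but missing from a saved listprincs transcript; the sample dump and listprincs output are constructed, and the record layout assumed is the krb5 "load_dump version 7" text format.

```shell
#!/bin/sh
# Added example: verify a kdb5_util dump and compare it with the restored KDC.
# Dump records are assumed to have the krb5 "load_dump version 7" layout:
#   princ<TAB>38<TAB>namelen<TAB>n_tl_data<TAB>n_key_data<TAB>e_length<TAB>name<TAB>...
LC_ALL=C; export LC_ALL

# Print the principal names in a dump, one per line, sorted. A record whose stated
# name length ($3) disagrees with the actual name ($7) is truncated or corrupted
# and is reported on stderr instead of being trusted.
dump_principals() {
    awk -F'\t' '$1 == "princ" { if (length($7) == $3) print $7; else print "bad record: " $0 > "/dev/stderr" }' "$1" | sort
}

# kdb5_util dump creates <file>.dump_ok only after the whole dump was written
# (kprop checks the same marker); a dump without it must not be restored.
dump_ok() {
    [ -s "$1" ] && [ -f "$1.dump_ok" ]
}

# Principals present in the dump but absent from a saved "listprincs" transcript.
missing_principals() {
    grep '@' "$2" | sort > "$2.sorted"            # drops the kadmin.local prompt line
    dump_principals "$1" | comm -23 - "$2.sorted"
    rm -f "$2.sorted"
}

# Constructed sample data (not from a real KDC, trailing fields abbreviated): a dump
# with three valid records, one truncated record and a policy record, plus a
# listprincs transcript from a restored host that lost one principal.
SAMPLE_DUMP=$(mktemp); SAMPLE_LIST=$(mktemp)
{
    printf 'kdb5_util load_dump version 7\n'
    printf 'princ\t38\t14\t1\t2\t0\tK/M@HADOOP.COM\t64\t86400\t0\t0\t0\t0\t0\t0\t0\t-1;\n'
    printf 'princ\t38\t22\t1\t2\t0\tadmin/admin@HADOOP.COM\t0\t86400\t0\t0\t0\t0\t0\t0\t0\t-1;\n'
    printf 'princ\t38\t17\t1\t2\t0\tdengsc@HADOOP.COM\t0\t86400\t0\t0\t0\t0\t0\t0\t0\t-1;\n'
    printf 'princ\t38\t99\t1\t2\t0\ttruncated@HADOOP\n'
    printf 'policy\tdefault\t0\t0\t1\t1\t1\t0\n'
} > "$SAMPLE_DUMP"
: > "$SAMPLE_DUMP.dump_ok"
printf 'kadmin.local:  listprincs\nK/M@HADOOP.COM\ndengsc@HADOOP.COM\n' > "$SAMPLE_LIST"

dump_ok "$SAMPLE_DUMP" && echo "dump marker present: $SAMPLE_DUMP.dump_ok"
echo "principals in dump:"; dump_principals "$SAMPLE_DUMP"
echo "missing after restore:"; missing_principals "$SAMPLE_DUMP" "$SAMPLE_LIST"
```

On a real migration, point the script at the bakfile on the source host and at the output of "kadmin.local -q listprincs" captured on the recovery host.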