A CDH cluster needs Kerberos authentication enabled, but a single KDC is a single point of failure, so a master/slave pair has to be set up. There are plenty of documents about this online, but following them step by step almost always fails: most of them only describe the concrete setup steps and never explain the prerequisites, and the result is failure. So I wrote my own as a record.
Host environment: 192.168.157.20 master.posinda.com --> master KDC
192.168.157.30 slave.posinda.com --> slave KDC
kadmin is installed on the same node as the master KDC
Host requirements:
Disable the firewall, disable SELinux, synchronize the clocks of the hosts, install the Oracle JDK, download the JCE files and put them in the $JAVA_HOME/jre/lib/security directory. Get this environment preparation done properly, otherwise all sorts of strange errors show up later.
Installing Kerberos on master:
yum install krb5-server krb5-libs krb5-workstation openldap-clients -y
/etc/krb5.conf (client configuration file)
Note: when editing these files, do not copy and paste them directly, or the services will fail to start, mainly because the format ends up wrong. I once pasted the file below directly and the log file never appeared; after a long time I found that the [logging] tag was not flush left... so do not copy and paste directly.
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = POSINDA.COM
renewable = true
[realms]
POSINDA.COM = {
kdc = master.posinda.com
kdc = slave.posinda.com
admin_server = master.posinda.com
default_domain = posinda.com
}
[domain_realm]
.posinda.com=POSINDA.COM
posinda.com=POSINDA.COM
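The warning above about pasted configuration (an indented [logging] header kept the log file from appearing) is easy to catch mechanically before starting the services. The following script is an added example and not part of the original post: check_krb5_conf flags section headers that do not start at column 0 and any non-ASCII byte in the file (non-breaking spaces picked up from a browser are a common source; that this is the usual cause is an assumption, not something the post states), and list_kdcs prints the kdc hosts configured for a realm so you can confirm both master.posinda.com and slave.posinda.com are listed. The sample input at the bottom is constructed to reproduce the problem.

```shell
#!/bin/sh
# Added lint for a krb5.conf-style file (not from the original post).
# check_krb5_conf: exit 0 if clean, 1 if problems were found (one line per finding).
check_krb5_conf() {
    file="$1"
    status=0
    # Section headers must start at column 0 (the "[logging] not flush left" gotcha).
    # grep -n prints "lineno:text"; "|| true" keeps set -e quiet when nothing matches.
    bad_headers=$(grep -n '^[[:space:]]\{1,\}\[' "$file" || true)
    if [ -n "$bad_headers" ]; then
        printf '%s\n' "$bad_headers" | sed 's/^/indented section header at line /'
        status=1
    fi
    # Count bytes outside 7-bit ASCII: tr deletes octal \000-\177, whatever is left is suspect.
    nonascii=$(tr -d '\000-\177' < "$file" | wc -c | tr -d ' ')
    if [ "$nonascii" -gt 0 ]; then
        printf 'non-ASCII bytes in file: %s\n' "$nonascii"
        status=1
    fi
    return $status
}

# list_kdcs: print the "kdc = ..." hosts inside the given realm block of [realms].
# Usage: list_kdcs /etc/krb5.conf POSINDA.COM
list_kdcs() {
    file="$1"; realm="$2"
    awk -v realm="$realm" '
        /^\[/ { in_realms = ($0 == "[realms]") }
        in_realms && $1 == realm && $2 == "=" { in_realm = 1; next }
        in_realm && /^[[:space:]]*}/ { in_realm = 0 }
        in_realm && $1 == "kdc" { print $3 }
    ' "$file"
}

# Demo on a constructed sample: "[logging]" is indented by one space and a
# non-breaking space (octal \302\240) sits after "rdns", both typical paste damage.
demo_file=$(mktemp)
printf ' [logging]\n default = FILE:/var/log/krb5libs.log\n[libdefaults]\n rdns\302\240= false\n default_realm = POSINDA.COM\n[realms]\n POSINDA.COM = {\n  kdc = master.posinda.com\n  kdc = slave.posinda.com\n  admin_server = master.posinda.com\n }\n' > "$demo_file"
if check_krb5_conf "$demo_file"; then
    echo "config looks clean"
else
    echo "config has problems (see above)"
fi
echo "KDCs for POSINDA.COM:"
list_kdcs "$demo_file" POSINDA.COM
rm -f "$demo_file"
```

Run it against the real file with `check_krb5_conf /etc/krb5.conf && list_kdcs /etc/krb5.conf POSINDA.COM` after sourcing the script; a clean file exits 0 and the realm should list both KDCs.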
vi /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
POSINDA.COM = {
master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
max_life = 1d
max_renewable_life = 7d
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal
}
vi /var/kerberos/krb5kdc/kadm5.acl
*/admin@POSINDA.COM *
Once the edits are done, create the database
kdb5_util create -r POSINDA.COM -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'POSINDA.COM',
master key name 'K/M@POSINDA.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
The master password entered here is: POSINDA.COM
Add the admin account:
kadmin.local
Authenticating as principal root/admin@POSINDA.COM with password.
kadmin.local: addprinc admin/admin@POSINDA.COM
WARNING: no policy specified for admin/admin@POSINDA.COM; defaulting to no policy
Enter password for principal "admin/admin@POSINDA.COM": [enter password]
Re-enter password for principal "admin/admin@POSINDA.COM": [enter password]
Principal "admin/admin@POSINDA.COM" created.
kadmin.local: q
Start the KDC and kadmin services
systemctl start krb5kdc.service
systemctl start kadmin.service
systemctl enable krb5kdc.service
systemctl enable kadmin.service
Verify the services, add the host/master.posinda.com and host/slave.posinda.com principals, and generate the keytab file
[root@master krb5kdc]# kinit admin/admin
Password for admin/admin@POSINDA.COM:
[root@master krb5kdc]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@POSINDA.COM
Valid starting Expires Service principal
12/06/2018 17:04:25 12/07/2018 17:04:24 krbtgt/POSINDA.COM@POSINDA.COM
renew until 12/13/2018 17:04:24
kadmin.local
addprinc -randkey host/master.posinda.com
addprinc -randkey host/slave.posinda.com
ktadd host/master.posinda.com
ktadd host/slave.posinda.com
ktadd kiprop/master.posinda.com
The generated keytab file is /etc/krb5.keytab; inspect the keytab
[root@master krb5kdc]# klist -ket /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
5 12/05/2018 16:00:00 host/master.posinda.com@POSINDA.COM (aes256-cts-hmac-sha1-96)
5 12/05/2018 16:00:00 host/master.posinda.com@POSINDA.COM (aes128-cts-hmac-sha1-96)
5 12/05/2018 16:00:00 host/master.posinda.com@POSINDA.COM (des3-cbc-sha1)
5 12/05/2018 16:00:00 host/master.posinda.com@POSINDA.COM (arcfour-hmac)
5 12/05/2018 16:00:00 host/master.posinda.com@POSINDA.COM (camellia256-cts-cmac)
5 12/05/2018 16:00:00 host/master.posinda.com@POSINDA.COM (camellia128-cts-cmac)
5 12/05/2018 16:00:00 host/master.posinda.com@POSINDA.COM (des-hmac-sha1)
5 12/05/2018 16:00:00 host/master.posinda.com@POSINDA.COM (des-cbc-md5)
5 12/05/2018 16:00:12 host/slave.posinda.com@POSINDA.COM (aes256-cts-hmac-sha1-96)
5 12/05/2018 16:00:12 host/slave.posinda.com@POSINDA.COM (aes128-cts-hmac-sha1-96)
5 12/05/2018 16:00:12 host/slave.posinda.com@POSINDA.COM (des3-cbc-sha1)
5 12/05/2018 16:00:12 host/slave.posinda.com@POSINDA.COM (arcfour-hmac)
5 12/05/2018 16:00:12 host/slave.posinda.com@POSINDA.COM (camellia256-cts-cmac)
5 12/05/2018 16:00:12 host/slave.posinda.com@POSINDA.COM (camellia128-cts-cmac)
5 12/05/2018 16:00:12 host/slave.posinda.com@POSINDA.COM (des-hmac-sha1)
5 12/05/2018 16:00:12 host/slave.posinda.com@POSINDA.COM (des-cbc-md5)
4 12/05/2018 16:00:26 kiprop/master.posinda.com@POSINDA.COM (aes256-cts-hmac-sha1-96)
4 12/05/2018 16:00:26 kiprop/master.posinda.com@POSINDA.COM (aes128-cts-hmac-sha1-96)
4 12/05/2018 16:00:26 kiprop/master.posinda.com@POSINDA.COM (des3-cbc-sha1)
4 12/05/2018 16:00:26 kiprop/master.posinda.com@POSINDA.COM (arcfour-hmac)
4 12/05/2018 16:00:26 kiprop/master.posinda.com@POSINDA.COM (camellia256-cts-cmac)
4 12/05/2018 16:00:26 kiprop/master.posinda.com@POSINDA.COM (camellia128-cts-cmac)
4 12/05/2018 16:00:26 kiprop/master.posinda.com@POSINDA.COM (des-hmac-sha1)
4 12/05/2018 16:00:26 kiprop/master.posinda.com@POSINDA.COM (des-cbc-md5)
Installing Kerberos on the slave node:
yum install krb5-server krb5-libs krb5-workstation openldap-clients -y
Copy the following files from the master.posinda.com node to the slave.posinda.com node
/etc/krb5.keytab
/etc/krb5.conf
/var/kerberos/krb5kdc/kadm5.acl
/var/kerberos/krb5kdc/kdc.conf
/var/kerberos/krb5kdc/.k5.POSINDA.COM
Start the kpropd service on the slave.posinda.com node
kpropd -S
Create kpropd.acl on the slave server
vim /var/kerberos/krb5kdc/kpropd.acl, and add the following content
host/master.posinda.com@POSINDA.COM
host/slave.posinda.com@POSINDA.COM
At this point the slave node has no database file yet, so its KDC cannot be started
Propagate the master node's database to the slave node; run this on the master node
kdb5_util dump /var/kerberos/krb5kdc/kdc.dump
kprop -f /var/kerberos/krb5kdc/kdc.dump slave.posinda.com
On success, the following message appears:
Database propagation to slave.posinda.com: SUCCEEDED
If it does not appear, it did not succeed; check the steps above.
Test whether master/slave failover works
1) From a third server, obtain a ticket with kinit; normally it is obtained from the master
2) Stop the kdc service on the master
3) Obtain a ticket with kinit from the third server again; if that succeeds, failover works.
You can also watch the KDC log at /var/log/krb5kdc.log
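The failover test above stops the master KDC to force clients onto the slave. The following added script (not from the original post) goes one step further and checks a single KDC without taking the master down: it writes a throwaway krb5.conf that lists only the KDC under test and points kinit at it through KRB5_CONFIG, with a private credential cache via KRB5CCNAME, so kinit cannot silently fall back to the other KDC. The function names single_kdc_conf and kdc_issues_tgt and the KINIT_BIN override are assumptions of this example; it assumes a keytab holding the principal you test with (the post keeps the host/<fqdn> keys in /etc/krb5.keytab).

```shell
#!/bin/sh
# Added example (not from the original post): verify that one specific KDC
# issues a TGT. KINIT_BIN may be overridden with a stand-in for offline testing.
KINIT_BIN=${KINIT_BIN:-kinit}

# Write a minimal krb5.conf naming exactly one KDC for the realm; print its path.
# dns_lookup_kdc = false stops the library from discovering other KDCs via DNS SRV.
single_kdc_conf() {
    realm="$1"; kdc="$2"
    conf=$(mktemp)
    cat > "$conf" <<EOF
[libdefaults]
 default_realm = $realm
 dns_lookup_kdc = false
[realms]
 $realm = {
  kdc = $kdc
 }
EOF
    printf '%s\n' "$conf"
}

# Obtain a TGT from exactly one KDC into a private cache, then clean up.
# Usage: kdc_issues_tgt POSINDA.COM slave.posinda.com host/master.posinda.com /etc/krb5.keytab
# Returns 0 if that KDC answered with a ticket, 1 otherwise.
kdc_issues_tgt() {
    realm="$1"; kdc="$2"; principal="$3"; keytab="$4"
    conf=$(single_kdc_conf "$realm" "$kdc")
    cache=$(mktemp -u)
    if KRB5_CONFIG="$conf" KRB5CCNAME="FILE:$cache" "$KINIT_BIN" -kt "$keytab" "$principal" 2>/dev/null; then
        rc=0; echo "$kdc: issued TGT for $principal"
    else
        rc=1; echo "$kdc: no ticket for $principal" >&2
    fi
    rm -f "$conf" "$cache"
    return $rc
}

# Stand-alone usage:  ./kdc_check.sh POSINDA.COM slave.posinda.com host/master.posinda.com [keytab]
if [ $# -ge 3 ]; then
    kdc_issues_tgt "$1" "$2" "$3" "${4:-/etc/krb5.keytab}"
fi
```

Running it once against master.posinda.com and once against slave.posinda.com from the third server shows which KDC is actually serving, without the outage the manual test needs; a slave that was never propagated to will fail here even though the normal kinit (which still reaches the master) succeeds.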
When there are several slaves, a scheduled update script can look like this:
#!/bin/sh
# list of slave KDC hostnames (no spaces around "=" in a shell assignment)
kdclist="node1 node2 node3"
kdb5_util dump /var/kerberos/krb5kdc/kdc.dump
for kdc in $kdclist
do
kprop -f /var/kerberos/krb5kdc/kdc.dump $kdc
done
When you run kadmin.local on the master node it actually reads and writes the local database file, so even with the master node's KDC stopped you can still use kadmin.local to add or delete accounts. A slave KDC reads its own local file, not the file on the master node. When master/slave replication is set up, do not add, delete or modify accounts on the slave node; it serves only as an authentication node for when the master KDC is down.
Accounts added, deleted or modified on the master node are not seen by the slave KDC immediately; the slave only reflects them once the master propagates its data to the slave. So every such operation on the master must be followed by a data sync to the slaves; with several slave KDCs, the script above can be used for that sync.
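The propagation script above and the paragraph on keeping slaves in sync leave two things to the operator: noticing a slave that did not take the dump, and the dump file itself, which contains every principal's keys. The following script is an added example and not the post's own: propagate_to_slaves dumps once, pushes to each slave given on the command line, treats a slave as synced only when kprop prints its "Database propagation to <host>: SUCCEEDED" line, removes the dump afterwards, and returns the number of slaves that failed so cron or a monitor can alert. The names propagate_to_slaves and kprop_succeeded and the KPROP_BIN / KDB5_UTIL_BIN / DUMP_FILE overrides are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the post's own script): push a fresh dump of the master KDC
# database to every slave KDC named on the command line and report failures.
# Assumes it runs on the master as root with kprop and kdb5_util on PATH; the
# *_BIN variables exist so stand-ins can be substituted for offline testing.
KPROP_BIN=${KPROP_BIN:-kprop}
KDB5_UTIL_BIN=${KDB5_UTIL_BIN:-kdb5_util}
DUMP_FILE=${DUMP_FILE:-/var/kerberos/krb5kdc/kdc.dump}

# kprop prints "Database propagation to <host>: SUCCEEDED" when the slave accepted
# the dump. Return 0 only if that marker for the given host is in the output.
kprop_succeeded() {
    host="$1"; output="$2"
    printf '%s\n' "$output" | grep -q "^Database propagation to $host: SUCCEEDED"
}

# Dump the database once, propagate to each slave, delete the dump.
# Return value: number of slaves that failed (0 = all in sync), 255 if the dump failed.
propagate_to_slaves() {
    failed=0
    # The dump holds every principal's keys: create it readable by root only.
    old_umask=$(umask)
    umask 077
    if ! "$KDB5_UTIL_BIN" dump "$DUMP_FILE"; then
        umask "$old_umask"
        echo "dump failed, nothing propagated" >&2
        return 255
    fi
    for kdc in "$@"; do
        # Both the exit status and the SUCCEEDED marker must agree.
        if out=$("$KPROP_BIN" -f "$DUMP_FILE" "$kdc" 2>&1) && kprop_succeeded "$kdc" "$out"; then
            echo "$kdc: in sync"
        else
            echo "$kdc: FAILED ($out)" >&2
            failed=$((failed + 1))
        fi
    done
    # kdb5_util dump also writes <dump>.dump_ok; remove both so keys do not linger on disk.
    rm -f "$DUMP_FILE" "$DUMP_FILE.dump_ok"
    umask "$old_umask"
    return $failed
}

# Stand-alone usage:  ./kdc_propagate.sh slave.posinda.com node2 node3
if [ $# -gt 0 ]; then
    propagate_to_slaves "$@"
fi
```

Run it from cron (or right after a kadmin.local change on the master, which is when the post says a sync is needed) and treat a non-zero exit as an alert: a slave that repeatedly fails is exactly the one that will hand out stale keys when the master goes down.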