Configuring Kerberos for HDP with Ambari


Author: 清风徐来丶丶 | Published 2017-05-11 15:25, read 1758 times

    Setting up the KDC server

    Base environment configuration

    Install required packages

    [root@kdc-server ~]# yum install vim wget ntpdate -y

    Disable the firewall

    [root@kdc-server ~]# service iptables stop
    [root@kdc-server ~]# chkconfig iptables off

    Disable SELinux

    [root@kdc-server ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/sysconfig/selinux

    Configure the hosts file (the node entries are the HDP cluster nodes; required on every node)

    [root@kdc-server ~]# cat /etc/hosts
    192.168.101.160 ambari
    10.0.6.10 node1
    10.0.6.20 node2
    10.0.6.30 node3
    10.0.6.40 node4
    192.168.101.163 kdc-server

    Time synchronization

    [root@kdc-server ~]# ntpdate time1.aliyun.com
    11 May 14:57:53 ntpdate[1137]: step time server 115.28.122.198 offset -0.780722 sec

    Install the KDC server

    [root@kdc-server ~]# yum install krb5-server krb5-libs krb5-workstation -y

    Configure the KDC server

    [root@kdc-server ~]# cat /etc/krb5.conf
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = HUITONG
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true

    [realms]
     HUITONG = {
      kdc = kdc-server
      admin_server = kdc-server
     }

    [domain_realm]
     .example.com = HUITONG
     example.com = HUITONG

    In [realms], change kdc and admin_server to the hostname of the KDC server. I also changed EXAMPLE.COM in [realms] to HUITONG; this is a matter of preference, but if you change it, every later occurrence must be changed to match.

    [root@kdc-server ~]# cat /var/kerberos/krb5kdc/kdc.conf
    [kdcdefaults]
     kdc_ports = 88
     kdc_tcp_ports = 88

    [realms]
     HUITONG = {
      acl_file = /var/kerberos/krb5kdc/kadm5.acl
      dict_file = /usr/share/dict/words
      admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
      supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
     }

    [root@kdc-server ~]# cat /var/kerberos/krb5kdc/kadm5.acl
    */admin@HUITONG *
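
The following is an added example, not part of the original post: a Python check over the `supported_enctypes` line from the kdc.conf above that separates entries using single DES (deprecated by RFC 6649) and 3DES or RC4 (deprecated by RFC 8429) from the AES entries. The function names and the prefix-based classification are assumptions of this example.

```python
# Constructed sample: the [realms] stanza from the kdc.conf shown above, abridged.
KDC_CONF = """\
[realms]
 HUITONG = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
"""

# Name prefix -> reason. Matching by prefix is this example's own shortcut.
DEPRECATED = (
    ("des-", "single DES, deprecated by RFC 6649"),
    ("des3-", "3DES, deprecated by RFC 8429"),
    ("arcfour-", "RC4, deprecated by RFC 8429"),
    ("rc4-", "RC4, deprecated by RFC 8429"),
)

def classify(enctype):
    """Return the deprecation reason for an enctype name, or None."""
    for prefix, reason in DEPRECATED:
        if enctype.lower().startswith(prefix):
            return reason
    return None

def audit_kdc_conf(text):
    """Map each realm to (kept entries, [(deprecated entry, reason), ...])."""
    report, realm = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = line.split("=", 1)[0].strip()
        if line.endswith("{") and "=" in line:  # "REALM = {" opens a realm stanza
            realm = key
            report[realm] = ([], [])
        elif line == "}":
            realm = None
        elif realm and key == "supported_enctypes" and "=" in line:
            for entry in line.split("=", 1)[1].replace(",", " ").split():
                reason = classify(entry.split(":", 1)[0])  # drop the ":salt" suffix
                if reason:
                    report[realm][1].append((entry, reason))
                else:
                    report[realm][0].append(entry)
    return report

if __name__ == "__main__":
    for realm, (kept, flagged) in audit_kdc_conf(KDC_CONF).items():
        for entry, reason in flagged:
            print(f"{realm}: {entry} -> {reason}")
        print(f"{realm}: remaining supported_enctypes = {' '.join(kept)}")
```
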

    Create the database with kdb5_util

    kdb5_util create -s -r HUITONG
    Loading random data

    The command hangs at this point because random data is generated too slowly. You can open another shell and run cat /dev/vda > /dev/urandom, where /dev/vda is the virtual machine's disk; adjust it to your environment.

    Initializing database '/var/kerberos/krb5kdc/principal' for realm 'HUITONG',
    master key name 'K/M@HUITONG'
    You will be prompted for the database Master Password.
    It is important that you NOT FORGET this password.
    Enter KDC database master key:
    Re-enter KDC database master key to verify:

    Start the services and enable them at boot

    [root@kdc-server ~]# service krb5kdc start
    [root@kdc-server ~]# service kadmin start
    [root@kdc-server ~]# chkconfig krb5kdc on
    [root@kdc-server ~]# chkconfig kadmin on

    List the current principals

    [root@kdc-server ~]# kadmin.local
    Authenticating as principal root/admin@HUITONG with password.
    kadmin.local: listprincs
    K/M@HUITONG
    kadmin/admin@HUITONG
    kadmin/changepw@HUITONG
    kadmin/kdc-server@HUITONG
    krbtgt/HUITONG@HUITONG
    kadmin.local: exit

    Create the KDC administrator

    [root@kdc-server ~]# kadmin.local
    Authenticating as principal root/admin@HUITONG with password.
    kadmin.local: addprinc admin/admin@HUITONG
    WARNING: no policy specified for admin/admin@HUITONG; defaulting to no policy
    Enter password for principal "admin/admin@HUITONG":
    Re-enter password for principal "admin/admin@HUITONG":
    Principal "admin/admin@HUITONG" created.
    kadmin.local: exit

    Configure JCE on the nodes (required on every node)

    Download links:

    • For Oracle JDK 1.8: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
    • For Oracle JDK 1.7: http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html

    Deploy JCE:

    unzip -o -j -q jce_policy-8.zip -d $JAVA_HOME/jre/lib/security/

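    Enable Kerberos through Ambari

    Choose to use an existing KDC

    Configuration

    Once the checks pass, all services are stopped and the relevant configuration files are modified automatically; after that, just wait for all services to start back up.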
