KDC server搭建

基础环境配置

安装必要软件

[root@kdc-server ~]# yum install vim wget ntpdate -y

关闭防火墙

[root@kdc-server ~]# service iptables stop [root@kdc-server ~]# chkconfig iptables off

禁用selinux

[root@kdc-server ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/sysconfig/selinux

配置hosts文件(node是HDP集群的节点)（所有节点都需要配置）

[root@kdc-server ~]# cat /etc/hosts 192.168.101.160 ambari 10.0.6.10 node1 10.0.6.20 node2 10.0.6.30 node3 10.0.6.40 node4 192.168.101.163 kdc-server

时间同步

[root@kdc-server ~]# ntpdate time1.aliyun.com 11 May 14:57:53 ntpdate[1137]: step time server 115.28.122.198 offset -0.780722 sec

kdc server安装

[root@kdc-server ~]# yum install krb5-server krb5-libs krb5-workstation -y

kdc-server配置

[root@kdc-server ~]# cat /etc/krb5.conf [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = HUITONG dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true [realms] HUITONG = { kdc = kdc-server admin_server = kdc-server } [domain_realm] .example.com = HUITONG example.com = HUITONG
realms中把kdc和admin_server改成kdc server的主机名，令外我把realms中的EXAMPLE.COM改成了HUITONG，这个看个人，如果改了的话，那下面也都要修改。
[root@kdc-server ~]# cat /var/kerberos/krb5kdc/kdc.conf [kdcdefaults] kdc_ports = 88 kdc_tcp_ports = 88 [realms] HUITONG = { acl_file = /var/kerberos/krb5kdc/kadm5.acl dict_file = /usr/share/dict/words admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal }
[root@kdc-server ~]# cat /var/kerberos/krb5kdc/kadm5.acl */admin@HUITONG *

使用kdb5_util创建数据库

kdb5_util create -s -r HUITONG Loading random data 会一直卡在这里，这是因为随机数生成的太慢了，可以另外起一个shell运行cat /dev/vda > /dev/urandom，其中/dev/vda是虚拟机的磁盘，根据实际情况修改 Initializing database '/var/kerberos/krb5kdc/principal' for realm 'HUITONG', master key name 'K/M@HUITONG' You will be prompted for the database Master Password. It is important that you NOT FORGET this password. Enter KDC database master key: Re-enter KDC database master key to verify:

启动服务以及设置开机自启动

[root@kdc-server ~]# service krb5kdc start [root@kdc-server ~]# service kadmin start [root@kdc-server ~]# chkconfig krb5kdc on [root@kdc-server ~]# chkconfig kadmin on

创建KDC管理

[root@kdc-server ~]# kadmin.local Authenticating as principal root/admin@HUITONG with password. kadmin.local: listprincs K/M@HUITONG kadmin/admin@HUITONG kadmin/changepw@HUITONG kadmin/kdc-server@HUITONG krbtgt/HUITONG@HUITONG kadmin.local: exit

查看当前主体

[root@kdc-server ~]# kadmin.local Authenticating as principal root/admin@HUITONG with password. kadmin.local: addprinc admin/admin@HUITONG WARNING: no policy specified for admin/admin@HUITONG; defaulting to no policy Enter password for principal "admin/admin@HUITONG": Re-enter password for principal "admin/admin@HUITONG": Principal "admin/admin@HUITONG" created. kadmin.local: exit

配置节点JCE（每个节点都要配置）

下载地址：

• For Oracle JDK 1.8: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html • For Oracle JDK 1.7: http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html

部署JCE：

unzip -o -j -q jce_policy-8.zip -d $JAVA_HOME/jre/lib/security/

通过Ambari启用kerberos

选择使用已存在的KDC

配置

等检测通过之后，会停止所有服务，自动修改相关配置文件，然后等待服务都启动起来就可以了。