Kerberos安装
1、环境准备
(2)下载Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files。解压下载后的zip包,将得到的jar包放到所有服务器上的$JAVA_HOME/jre/lib/security/目录下。
# Install the KDC daemons (krb5-server: krb5kdc/kadmind) together with the
# client tools and libraries in a single transaction.
yum -y install krb5-server krb5-workstation krb5-libs
# Edit the KDC-side configuration (read by krb5kdc/kadmind); the intended
# contents follow below.
vim /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
# Serve KDC requests on port 88 over both UDP and TCP.
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
# NOTE(review): this stanza defines realm HDP.COM, while /etc/krb5.conf,
# the kdb5_util create command and the admin principal added later all use
# HADOOP.COM. The KDC only serves realms listed here, so the two names must
# agree (the directory listing further down shows stash files for both).
HDP.COM = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
# NOTE(review): besides aes*-cts and camellia*-cts this list enables
# des3-hmac-sha1, arcfour-hmac and the single-DES types, which are
# deprecated/weak and allow negotiation down to a broken cipher. Keeping only
# the aes types (and camellia if required) is the safer configuration;
# aes256-cts is presumably why the JCE unlimited-strength policy is
# installed in the environment-preparation step.
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
# Edit the library/client configuration used by every host (KDC and clients
# alike); the intended contents follow below.
vim /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
# NOTE(review): relation names in krb5.conf are case-sensitive, so this
# capitalised line is most likely ignored; the lower-case default_realm
# further down is the effective one. Remove this line to avoid confusion.
Default_realm = HADOOP.COM
# Do not derive the realm or the KDC address from DNS; the [realms] section
# below is authoritative.
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
# A limit of 1 makes the library use TCP for KDC traffic from the first try.
udp_preference_limit = 1
# Do not reverse-resolve service hostnames when building principal names.
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
default_realm = HADOOP.COM
#default_ccache_name = KEYRING:persistent:%{uid}
[realms]
HADOOP.COM = {
# NOTE(review): kdc/admin_server use the short hostname jz001. With
# dns_lookup_kdc = false every client must be able to resolve this name
# (hosts file or DNS); a fully-qualified name is the more robust choice.
kdc = jz001
admin_server = jz001
}
[domain_realm]
# Both host→realm mappings are commented out, so hosts fall back to
# default_realm; note the mixed-case spelling if they are re-enabled.
# .HADOOP.com = HADOOP.COM
# HADOOP.com = HADOOP.COM
# This appears to be the kadm5.acl entry (the file copied to other hosts in
# step 4): every principal matching */admin in realm HDP.COM gets all kadmin
# privileges (*).
# NOTE(review): the admin principal created later is admin/admin@HADOOP.COM,
# which does not match this realm and would therefore get no kadmin rights;
# the realm here must be the one the KDC actually serves.
*/admin@HDP.COM *
4、将修改好的文件发送到其它所有客户端主机
# Push the edited files to a client host (repeat for every client; only
# hadoop02 is shown here).
# Clients only need /etc/krb5.conf; kdc.conf and kadm5.acl are read by the
# KDC daemons, so copying them is unnecessary unless hadoop02 is itself a KDC.
scp /etc/krb5.conf root@hadoop02:/etc/krb5.conf
# NOTE(review): verify the copies keep the 0600 mode shown in the listing
# below (add -p if the target ends up more permissive).
scp /var/kerberos/krb5kdc/kdc.conf root@hadoop02:/var/kerberos/krb5kdc/kdc.conf
scp /var/kerberos/krb5kdc/kadm5.acl root@hadoop02:/var/kerberos/krb5kdc/kadm5.acl
在服务端主机(jz001)执行以下命令,并根据提示输入密码。
# Initialise the KDC database for realm HADOOP.COM on the KDC host; -s also
# writes a stash file (.k5.HADOOP.COM in the listing below) so krb5kdc can
# start without prompting for the master password. The stash file must stay
# root-only (the listing shows -rw-------).
# NOTE(review): -r must name a realm defined in kdc.conf, which above is
# HDP.COM; the listing shows both .k5.HDP.COM and .k5.HADOOP.COM, i.e. the
# database was created under two different realm names. Pick one and remove
# the other.
kdb5_util create -s -r HADOOP.COM
注意事项:
[root@hadoop01 hadoop]# ll -a /var/kerberos/krb5kdc/
总用量 56
drwxr-xr-x. 2 root root 168 7月 21 15:34 .
drwxr-xr-x. 4 root root 33 7月 6 17:40 ..
-rw-------. 1 root root 75 7月 6 18:57 .k5.HADOOP.COM
-rw-------. 1 root root 72 7月 6 18:43 .k5.HDP.COM
-rw-------. 1 root root 22 7月 6 17:53 kadm5.acl
-rw-------. 1 root root 446 7月 6 17:41 kdc.conf
-rw-------. 1 root root 32768 7月 19 01:52 principal
-rw-------. 1 root root 8192 7月 6 18:57 principal.kadm5
-rw-------. 1 root root 0 7月 6 18:57 principal.kadm5.lock
-rw-------. 1 root root 0 7月 19 01:52 principal.ok
[root@hadoop01 hadoop]#
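# Create the admin principal once, with the realm spelled out so the result
# does not depend on default_realm in /etc/krb5.conf. (The original ran a
# second "addprinc admin/admin" after starting the services; without a realm
# that resolves to the same admin/admin@HADOOP.COM and fails as a duplicate.)
# The principal is only useful for kadmin if kadm5.acl lists its realm.
kadmin.local -q "addprinc admin/admin@HADOOP.COM"
# Start the KDC and the admin server now and on every boot.
systemctl enable --now krb5kdc
systemctl enable --now kadmin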
