Offline Kerberos installation

Mango, 2 years ago, technical articles, 3119 views

First, download the RPM packages the Kerberos client needs.
Search https://pkgs.org/ for the following three RPM packages:
libkadm5
krb5-libs
krb5-workstation
(There is also a krb5-server package, which only the KDC host needs; this walkthrough installs just the client, so it is not required.)
krb5-server (server side only)
Files used in this walkthrough (the 1.15.1-55.el7_9 updates build, plus the libevent and libverto-libevent packages that krb5-server depends on):
./krb5-server-1.15.1-55.el7_9.x86_64.rpm
./krb5-libs-1.15.1-55.el7_9.x86_64.rpm
./krb5-workstation-1.15.1-55.el7_9.x86_64.rpm
./libkadm5-1.15.1-55.el7_9.x86_64.rpm
./libevent-2.0.21-4.el7.x86_64.rpm
./libverto-libevent-0.2.5-4.el7.x86_64.rpm
Installation order:
rpm -Uvh krb5-libs-1.15.1-55.el7_9.x86_64.rpm
rpm -ivh libkadm5-1.15.1-55.el7_9.x86_64.rpm
rpm -ivh libevent-2.0.21-4.el7.x86_64.rpm
rpm -ivh libverto-libevent-0.2.5-4.el7.x86_64.rpm
rpm -ivh krb5-workstation-1.15.1-55.el7_9.x86_64.rpm
rpm -ivh words-3.0-22.el7.noarch.rpm
If you are installing the server, also run: rpm -ivh krb5-server-1.15.1-55.el7_9.x86_64.rpm
krb5-libs is upgraded with -U because a CentOS 7 system already ships an older build of it and libkadm5 and krb5-workstation require the matching version; the other packages are new on the host, so -i is enough. libevent, libverto-libevent and words (the dictionary that dict_file in kdc.conf points at) are dependencies of krb5-server and can be skipped on a client-only host.
P.S. Where the files sit in the offline package tree (base vs. updates):
./base/packages/libevent-2.0.21-4.el7.x86_64.rpm
./base/packages/libverto-libevent-0.2.5-4.el7.x86_64.rpm
./base/packages/words-3.0-22.el7.noarch.rpm
./updates/packages/krb5-libs-1.15.1-55.el7_9.x86_64.rpm
./updates/packages/krb5-server-1.15.1-55.el7_9.x86_64.rpm
./updates/packages/krb5-workstation-1.15.1-55.el7_9.x86_64.rpm
./updates/packages/libkadm5-1.15.1-55.el7_9.x86_64.rpm


The base-repo build of the same packages (1.15.1-50.el7) was served from the official mirror:
http://mirror.centos.org/centos/7/os/x86_64/Packages/libkadm5-1.15.1-50.el7.x86_64.rpm
http://mirror.centos.org/centos/7/os/x86_64/Packages/krb5-libs-1.15.1-50.el7.x86_64.rpm
http://mirror.centos.org/centos/7/os/x86_64/Packages/krb5-workstation-1.15.1-50.el7.x86_64.rpm
http://mirror.centos.org/centos/7/os/x86_64/Packages/krb5-server-1.15.1-50.el7.x86_64.rpm
Note that CentOS Linux 7 reached end of life on 30 June 2024 and mirror.centos.org no longer serves its packages; the archived tree lives under vault.centos.org. Prefer the newer -55.el7_9 updates build, which carries later fixes, and check the signature of any RPM you download from a third-party site (rpm -K file.rpm, after importing the CentOS 7 signing key).
Install the RPM packages (krb5-libs first, since libkadm5 and krb5-workstation require the matching version; use -Uvh for krb5-libs when an older build is already installed):
rpm -Uvh <krb5-libs rpm filename>
rpm -ivh <libkadm5 rpm filename>
rpm -ivh <krb5-workstation rpm filename>
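The two install sequences above do the dependency ordering by hand and never check where the RPMs came from. The script below is an added example, not part of the original post: it confirms every package this walkthrough needs is present, verifies each file's GPG signature against the CentOS 7 key before anything is installed, dry-runs the transaction, and then lets rpm order the packages itself in one transaction. It assumes all RPMs are in one directory passed as the first argument, that paths contain no spaces, and that the signing key is at its stock location /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for an offline
# Kerberos RPM install on CentOS 7, then a single rpm transaction.
# Assumptions: RPMs in one directory ($1, no spaces in paths); CentOS 7 signing
# key at its stock path.

CENTOS_KEY=/etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

# Client-only set, and the extra packages a KDC host needs (libverto-libevent
# and libevent are pulled in by krb5-server; words provides dict_file).
CLIENT_PKGS="krb5-libs libkadm5 krb5-workstation"
SERVER_PKGS="libevent libverto-libevent words krb5-server"

# missing_pkgs DIR "name name ..." -> names with no NAME-<version>.rpm in DIR,
# space-separated on one line (empty output means everything is present).
missing_pkgs() {
    dir=$1; names=$2; missing=""
    for name in $names; do
        # NAME-[0-9]* keeps krb5-libs from being satisfied by krb5-libs-devel
        set -- "$dir"/"$name"-[0-9]*.rpm
        [ -e "$1" ] || missing="$missing $name"
    done
    printf '%s\n' "${missing# }"
}

# pkg_files DIR "name name ..." -> the matching rpm paths, one per line.
pkg_files() {
    dir=$1; names=$2
    for name in $names; do
        set -- "$dir"/"$name"-[0-9]*.rpm
        printf '%s\n' "$1"
    done
}

# verify_sigs "file list" -> fails unless every RPM carries a good signature
# from an imported key (rpm -K exits non-zero on NOT OK or MISSING KEYS).
verify_sigs() {
    rpm --import "$CENTOS_KEY"
    for f in $1; do
        rpm -K "$f" || { echo "signature check failed: $f" >&2; return 1; }
    done
}

# install_offline DIR [server] -> one rpm transaction. rpm resolves the order
# among the packages it is given, so the manual -i sequence is not needed.
# If krb5-libs is already at exactly this version, drop it from the set.
install_offline() {
    want=$CLIENT_PKGS
    [ "${2:-}" = server ] && want="$CLIENT_PKGS $SERVER_PKGS"
    gap=$(missing_pkgs "$1" "$want")
    if [ -n "$gap" ]; then echo "missing packages: $gap" >&2; return 1; fi
    files=$(pkg_files "$1" "$want")
    verify_sigs "$files" || return 1
    rpm -Uvh --test $files || return 1   # dry run: reports unmet deps, installs nothing
    rpm -Uvh $files                      # -U also installs packages not yet present
}

# usage: sh install.sh /path/to/rpms [server]
if [ $# -ge 1 ]; then install_offline "$@"; fi
```

Run it as root on the target host; the signature check is the step worth keeping even if you install by hand, because pkgs.org and any offline copy are outside the distribution's trust path until rpm -K says the file is signed by the CentOS key.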
Note:
if you also install krb5-server-1.15.1-50.el7.x86_64.rpm, the following must be configured before krb5kdc is started.
/etc/krb5.conf:
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
default_realm = HADOOP.COM
[realms]
HADOOP.COM = {
  kdc = 172.16.121.147
  admin_server = 172.16.121.147
}
[domain_realm]
.hadoop.com = HADOOP.COM
hadoop.com = HADOOP.COM
Edit the server-side configuration file kdc.conf:
vim /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
HADOOP.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
The realm name in the [realms] block must match default_realm in krb5.conf. The supported_enctypes line is the stock CentOS 7 default and still lists single DES, 3DES and RC4 (arcfour-hmac); on a new realm keep only the AES types, since every key created from this list is as weak as its weakest type a client can negotiate.
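The following is an added example, not part of the original post: a small audit that reads a kdc.conf (or krb5.conf) and lists the DES, 3DES and RC4 entries on any *_enctypes line, beside a rewrite of supported_enctypes to AES only. The sample input is the kdc.conf from the page; the AES-only replacement line is my choice (aes128-cts is kept as a fallback for JVMs that lack the unlimited crypto policy, which older Hadoop clusters on Java 8 before 8u161 do).

```shell
#!/bin/sh
# Added example (not from the original post): flag weak enctypes in a
# kdc.conf/krb5.conf and rewrite supported_enctypes to AES only.

# Constructed input: the kdc.conf from the walkthrough above.
PAGE_KDC_CONF='[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
HADOOP.COM = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}'

# AES-only replacement (my suggestion; aes128 kept for JVMs without the
# unlimited crypto policy).
AES_ONLY='supported_enctypes = aes256-cts:normal aes128-cts:normal'

# weak_enctypes CONF_TEXT -> the single-DES, 3DES and RC4 entries found on any
# supported/permitted/default_tkt/default_tgs _enctypes line, space-separated
# in file order (empty output = clean).
weak_enctypes() {
    printf '%s\n' "$1" | sed 's/=/ = /' | awk '
        $1 ~ /^(supported|permitted|default_tkt|default_tgs)_enctypes$/ {
            for (i = 3; i <= NF; i++) {            # fields after "name ="
                t = $i; sub(/:.*/, "", t)          # strip the :salt suffix
                if (t ~ /^(des|des3|arcfour)-/) {
                    if (out != "") out = out " "
                    out = out t
                }
            }
        }
        END { print out }'
}

# harden_enctypes CONF_TEXT -> same text with every supported_enctypes line
# replaced by the AES-only list, indentation preserved.
harden_enctypes() {
    printf '%s\n' "$1" |
    sed "s/^\([[:space:]]*\)supported_enctypes[[:space:]]*=.*/\1$AES_ONLY/"
}

# harden_file PATH -> apply the rewrite to a live file, keeping a .bak copy.
# Run as root on the KDC, e.g. harden_file /var/kerberos/krb5kdc/kdc.conf
harden_file() {
    cp "$1" "$1.bak" && harden_enctypes "$(cat "$1")" > "$1"
}
```

Changing supported_enctypes only affects keys generated from then on; principals created before the change keep their old keys until their password is changed (kadmin cpw), so run the audit before kdb5_util create rather than after the realm is populated.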
Configuration
Create the Kerberos database:
[root@hdp01 ~]# kdb5_util create -s -r HADOOP.COM
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'HADOOP.COM',
master key name 'K/M@HADOOP.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
(master password entered in this walkthrough: 123456)
[root@hdp01 ~]#
-s writes the master key to the stash file /var/kerberos/krb5kdc/.k5.HADOOP.COM so krb5kdc can start without prompting; that file is as sensitive as the master password itself and must stay readable by root only.
Create the admin principal:
[root@hdp01 ~]# kadmin.local -q "addprinc admin/admin"
Authenticating as principal root/admin@HADOOP.COM with password.
WARNING: no policy specified for admin/admin@HADOOP.COM; defaulting to no policy
Enter password for principal "admin/admin@HADOOP.COM":
Re-enter password for principal "admin/admin@HADOOP.COM":
Principal "admin/admin@HADOOP.COM" created.
(password entered in this walkthrough: 123456)
[root@hdp01 ~]#
Grant the admin account its ACL permissions:
[root@hdp01 ~]# cat /var/kerberos/krb5kdc/kadm5.acl
*/admin@HADOOP.COM      *
This is the stock file shipped with krb5-server, with the realm name filled in: every principal whose instance is admin receives all privileges through kadmind. kadmin.local edits the database directly as root and does not consult this file, so the ACL only matters once kadmin is reached over the network.
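To make the reach of that one ACL line concrete, here is an added example that is not part of the original post: a simplified evaluator for kadm5.acl lines, the page's ACL beside a tighter one, and the start-and-verify commands that follow the configuration steps above. The tighter ACL and the hadoop/admin provisioning principal are my suggestion, not something the page defines. The evaluator models only the basics of kadm5.acl (first matching line wins, "*" matches one name component, permission letters with "*" or "x" meaning all); target principals, restrictions and uppercase deny letters are not modelled.

```shell
#!/bin/sh
# Added example (not from the original post): simplified kadm5.acl evaluator,
# a tighter ACL for the HADOOP.COM realm, and the post-config verification.

# The page's ACL: every principal whose instance is "admin" gets every privilege.
PAGE_ACL='*/admin@HADOOP.COM      *'

# Tighter ACL (my suggestion): one named super-admin, and an assumed
# provisioning principal hadoop/admin that may only add principals, change
# their passwords, inquire and list. '#' comments are valid in kadm5.acl.
HARDENED_ACL='# super-admin only
admin/admin@HADOOP.COM   *
# provisioning account: a=add c=changepw i=inquire l=list, no delete/modify
hadoop/admin@HADOOP.COM  acil   */*@HADOOP.COM'

# acl_grants ACL_TEXT PRINCIPAL PERM -> exit 0 if PERM (one of a d m c i l p s)
# is granted to PRINCIPAL under the simplified rules described above.
acl_grants() {
    acl=$1; who=$2; perm=$3
    verdict=$(printf '%s\n' "$acl" | grep -v '^[[:space:]]*#' |
        while read -r pat perms _target; do
            [ -n "$pat" ] || continue
            pn=$(printf '%s' "$pat" | awk -F/ '{print NF}')
            wn=$(printf '%s' "$who" | awk -F/ '{print NF}')
            [ "$pn" -eq "$wn" ] || continue           # "*" matches one component only
            case $who in $pat) ;; *) continue ;; esac  # glob match, as kadm5 wildcards
            case $perms in *\**|*x*|*"$perm"*) echo yes ;; *) echo no ;; esac
            break                                      # first matching line decides
        done)
    [ "$verdict" = yes ]
}

# Run on the KDC after the configuration above (not executed here): start the
# daemons, then prove the admin principal and the ACL work through kadmin over
# the network, which kadmin.local never exercises.
start_and_verify() {
    systemctl enable --now krb5kdc kadmin
    kinit admin/admin@HADOOP.COM && klist
    kadmin -p admin/admin@HADOOP.COM -q listprincs
    kdestroy
}
```

With the page's ACL, a throwaway backup/admin@HADOOP.COM principal can delete any principal in the realm; with the tighter file it cannot act at all, and hadoop/admin can add and list but not delete. Rewrite the file to name the principals you actually operate with, then restart kadmin, since kadmind reads kadm5.acl at startup.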


Tags: big data operations
