主机系统:centos7
发行版:hdp 3.0.1.0-187
安装kdc
单独找一台额外的服务器安装kdc服务。
# Install the MIT Kerberos server package on the dedicated KDC host;
# it provides the krb5kdc and kadmin services enabled on the next line.
yum install krb5-server
# Enable both services at boot; they are started only after the
# database has been created further below.
systemctl enable krb5kdc kadmin
配置kadmin管理员权限(ACL),编辑/var/kerberos/krb5kdc/kadm5.acl。下面这一行表示实例为admin的所有principal(*/admin)拥有全部权限:
*/admin@BIGDATA.COM *
编辑/etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
default_realm = BIGDATA.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
# hadoop1.lan is the dedicated KDC host from the steps above; it runs both the KDC and kadmin.
BIGDATA.COM = {
admin_server = hadoop1.lan
kdc = hadoop1.lan
master_kdc = hadoop1.lan
# KDC database and master-key stash. The stash file is written by
# 'kdb5_util create -s' below and is equivalent to the master key itself.
database_name = /var/kerberos/krb5kdc/principal
key_stash_file = /var/kerberos/krb5kdc/.k5.BIGDATA.COM
# Admin ACL edited above: */admin@BIGDATA.COM is granted full privileges.
acl_file = /var/kerberos/krb5kdc/kadm5.acl
}
[domain_realm]
# Hostname-to-realm mapping; hosts not matched here (e.g. hadoop1.lan) fall back to default_realm.
# NOTE(review): without a leading dot this entry matches only a host named exactly bigdata.com;
# .bigdata.com would cover hosts under that domain — confirm which is intended.
bigdata.com = BIGDATA.COM
创建KDC数据库,按照提示输入数据库主密钥(master key)密码;-s 参数会把主密钥存入上面配置的key_stash_file(/var/kerberos/krb5kdc/.k5.BIGDATA.COM),该文件等同于主密钥本身,kdc启动时靠它免交互解锁数据库。
[root@hadoop1 ~]# kdb5_util create -r BIGDATA.COM -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'BIGDATA.COM',
master key name 'K/M@BIGDATA.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
启动kdc服务
# Start the KDC and admin server now that the database and master-key stash exist.
systemctl start krb5kdc kadmin
创建管理员principal admin/admin,它匹配上面kadm5.acl中的 */admin 规则,因此自动具有全部管理员权限。
[root@hadoop1 ~]# kadmin.local
Authenticating as principal root/admin@BIGDATA.COM with password.
kadmin.local: addprinc admin/admin@BIGDATA.COM
WARNING: no policy specified for admin/admin@BIGDATA.COM; defaulting to no policy
Enter password for principal "admin/admin@BIGDATA.COM":
Re-enter password for principal "admin/admin@BIGDATA.COM":
Principal "admin/admin@BIGDATA.COM" created.
kadmin.local:
ambari开启kerberos
开始页面

配置kdc信息

编辑kerberos-env配置


开始安装






问题
kerberos支持的加密算法中有一些已经过时、不再安全,系统默认不启用它们;如果Ambari生成的配置里指定了这些算法,好多组件会启动不起来。可以在“Encryption Types”中只指定当前已启用的算法,或者注释掉krb5-conf template中的default_tgs_enctypes和encryption_types,让kerberos在默认启用的算法中自行协商,而不是为了让组件启动去重新启用已过时的算法。

