1. Install the Kerberos packages
yum -y install krb5-server krb5-libs krb5-auth-dialog krb5-workstation
2. Configure krb5.conf
vi /etc/krb5.conf
---------------------------------------------------------------------------------------- only the edited parts are shown
[libdefaults]
default_realm = HADOOP.COM
#default_ccache_name = KEYRING:persistent:%{uid} # comment out this setting
[realms]
kdc = <hostname of the kerberos server>
admin_server = <hostname of the kerberos server>
# (both lines belong inside the realm's block, HADOOP.COM = { ... }, in the [realms] section)
[domain_realm] # domain_realm: only needed when the domain name differs from the realm name; the usual mapping is lowercase($default_realm) = $default_realm
.hadoop.com = HADOOP.COM
hadoop.com = HADOOP.COM
----------------------------------------------------------------------------------------
vi /var/kerberos/krb5kdc/kadm5.acl
----------------------------------------------------------------------------------------
*/admin@HADOOP.COM * # every principal in HADOOP.COM whose name matches */admin is a Kerberos administrator (the trailing * grants all kadmin privileges)
----------------------------------------------------------------------------------------
vi /var/kerberos/krb5kdc/kdc.conf
----------------------------------------------------------------------------------------
[realms]
HADOOP.COM = {
max_renewable_life= 7d 0h 0m 0s
}
----------------------------------------------------------------------------------------
3. Create the Kerberos database
kdb5_util create -r HADOOP.COM -s # enter the database master key password when prompted (this is the KDC master key, not the admin/admin principal's password)
4. Create the Kerberos admin principal (admin/admin)
kadmin.local
addprinc admin/admin@HADOOP.COM
5. Enable krb5kdc and kadmin at boot, then start both services
systemctl enable krb5kdc
systemctl enable kadmin
systemctl start krb5kdc
systemctl start kadmin
Common problems
1. ticket not renewable (kinit -R -c [ticket cache path] fails)
See link: Kerberos common errors
- Check krb5.conf
ticket_lifetime = 24h # how long a ticket stays valid
renew_lifetime = 7d # the longest period over which a ticket can keep being renewed
forwardable = true
- Check kdc.conf
max_renewable_life = 7d 0h 0m 0s
- Check the krbtgt principal's Maximum renewable life (EXAMPLE.COM below stands for your realm, HADOOP.COM in this setup)
# in kadmin.local:
getprinc krbtgt/EXAMPLE.COM@EXAMPLE.COM
# if the output shows "Maximum renewable life: 0 days", run
modprinc -maxrenewlife "7d" krbtgt/EXAMPLE.COM@EXAMPLE.COM
# getprinc now shows "Maximum renewable life: 7 days"
- Delete the ticket cache (tickets issued before the modprinc change were granted as non-renewable and stay that way until re-issued)
rm -f /var/run/hue/hue_krb5_ccache
- Restart Hue (the error is thrown by Hue's Kerberos ticket renewer)
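The three checks above can be scripted. The following is an added example, not part of the original note: it reads renew_lifetime from krb5.conf, max_renewable_life from kdc.conf, and the "Maximum renewable life" line from saved getprinc output, and reports which of them blocks renewal. The config files and the two getprinc outputs (one before and one after modprinc -maxrenewlife) are constructed samples written to a temporary directory so the script runs without a KDC; the function names conf_value, maxrenew_days and check_renewable are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original note): check the three settings the
# troubleshooting list names as causes of "ticket not renewable":
#   1. renew_lifetime in krb5.conf
#   2. max_renewable_life in kdc.conf
#   3. "Maximum renewable life" of the krbtgt principal (getprinc output)
# The inputs below are constructed samples; point the functions at
# /etc/krb5.conf, /var/kerberos/krb5kdc/kdc.conf and saved getprinc output
# to check a real KDC.

# Read "key = value" from an ini-style krb5/kdc config, ignoring '#' comments.
conf_value() {  # $1 = file, $2 = key
    sed -e 's/#.*//' "$1" | awk -F= -v k="$2" '
        { key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key) }
        key == k { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }'
}

# Extract the day count from the "Maximum renewable life: N days HH:MM:SS" line.
maxrenew_days() {  # $1 = file holding getprinc output
    awk -F': *' '/^Maximum renewable life/ { split($2, a, " "); print a[1]; exit }' "$1"
}

# Returns 0 when all three settings permit renewal, 1 otherwise (reasons printed).
check_renewable() {  # $1 = krb5.conf, $2 = kdc.conf, $3 = getprinc output
    rc=0
    case "$(conf_value "$1" renew_lifetime)" in
        ""|0|0[dhms]*) echo "krb5.conf: renew_lifetime missing or zero"; rc=1 ;;
    esac
    case "$(conf_value "$2" max_renewable_life)" in
        ""|0|0[dhms]*) echo "kdc.conf: max_renewable_life missing or zero"; rc=1 ;;
    esac
    days=$(maxrenew_days "$3")
    if [ -z "$days" ] || [ "$days" -eq 0 ]; then
        echo "krbtgt: Maximum renewable life is 0; fix with: modprinc -maxrenewlife \"7d\" krbtgt/REALM@REALM"
        rc=1
    fi
    return $rc
}

# Constructed sample inputs (values mirror the note's configuration).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = HADOOP.COM
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 #default_ccache_name = KEYRING:persistent:%{uid}
EOF
cat > "$SAMPLE_DIR/kdc.conf" <<'EOF'
[realms]
 HADOOP.COM = {
  max_renewable_life = 7d 0h 0m 0s
 }
EOF
# Constructed getprinc output for the broken state (renewable life still 0) ...
cat > "$SAMPLE_DIR/krbtgt_before.txt" <<'EOF'
Principal: krbtgt/HADOOP.COM@HADOOP.COM
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
EOF
# ... and after modprinc -maxrenewlife "7d" has been applied.
cat > "$SAMPLE_DIR/krbtgt_after.txt" <<'EOF'
Principal: krbtgt/HADOOP.COM@HADOOP.COM
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
EOF

for f in krbtgt_before.txt krbtgt_after.txt; do
    echo "== checking with $f"
    if check_renewable "$SAMPLE_DIR/krb5.conf" "$SAMPLE_DIR/kdc.conf" "$SAMPLE_DIR/$f"; then
        echo "all three renewable-ticket settings are consistent"
    fi
done
```

The first pass reports the krbtgt principal as the blocker; the second pass, with the post-modprinc output, passes. Capture real getprinc output with kadmin.local -q "getprinc krbtgt/HADOOP.COM@HADOOP.COM" > file, then call check_renewable on the live config paths.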