Before making the change, back up the principals (or record the principals in the existing environment) so they can be re-added after the change.
/usr/sbin/kdb5_util dump /cfs/backup.dump
kadmin.local
list_principals
1. Edit the kdc.conf file on the Kerberos server (with a master/slave setup, edit both servers)
vim /var/kerberos/krb5kdc/kdc.conf
[logging]
default = FILE:/data/emr/krb5/krb5libs.log
kdc = FILE:/data/emr/krb5/krb5kdc.log
admin_server = FILE:/data/emr/krb5/kadmin.log
[kdcdefaults]
kdc_ports = 88
[realms]
BING.TC-SIT = {
kadmind_port = 749
max_life = 12h 0m 0s
max_renewable_life = 7d 0h 0m 0s
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
acl_file = ""
}
2. Edit /etc/krb5.conf; this must be changed on every machine that uses the Kerberos service
It is best to distribute /etc/krb5.conf to those machines after editing it
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = BING.TC-SIT
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
[realms]
BING.TC-SIT = {
kdc = 172.24.215.11:88
admin_server = 172.24.215.11
kdc = 172.24.215.16:88
admin_server = 172.24.215.16
}
[domain_realm]
.bing.tc-sit = BING.TC-SIT
bing.tc-sit = BING.TC-SIT
3. Reinitialize the database
kdb5_util create -r BING.TC-SIT -s
If this reports the error
Failed to start Kerberos 5 Password-changing and Administration.
or complains that /var/kerberos/krb5kdc/principal already exists and cannot be created,
delete the old database files and run the command again
rm -rf /var/kerberos/krb5kdc/principal*
kdb5_util create -r BING.TC-SIT -s
4. Add the principals for each service
Load them back in from the backup dump
/usr/sbin/kdb5_util load /cfs/backup.dump
5. Distribute emr.keytab to the /etc/security/keytab/ directory on every node
/etc/security/keytab/
Note: the EMR services (hdfs, zookeeper, hbase, hive and so on) are configured with the following keytab and principal:
keytab:/etc/security/keytab/emr.keytab
principal:HTTP/_HOST@BING.TC-SIT
so the directory must match
6. Update the encryption types on the standby node
kdb5_util create -r BINGSHENG.TC-SIT -s
If this reports an error, delete the old database files first and then create it again
rm -rf /var/kerberos/krb5kdc/principal*
After that it works.
Check the service status; both services should be running. If they are not, start them
systemctl status krb5kdc
systemctl status kadmin
systemctl start krb5kdc
systemctl start kadmin
Finally, distribute /etc/krb5.conf to all client nodes
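The configs above pin rc4-hmac and keep DES and 3DES in supported_enctypes; the RC4 (arcfour-hmac) and DES families are deprecated or removed in current MIT Kerberos, so it is worth auditing the files before distributing them. The following script is an added example, not part of the original note; it scans krb5.conf/kdc.conf-style text for weak enctypes and runs on constructed sample configs (realm EXAMPLE.TEST is made up).

```shell
#!/bin/sh
# Added example: report weak/deprecated Kerberos enctypes in krb5.conf and
# kdc.conf settings. DES, 3DES and RC4 families are flagged; AES passes.

# weak_enctypes CONFIG_TEXT
#   Prints "setting: enctype" for every weak enctype found in the enctype
#   selection settings. Exit status 1 if any were found, 0 otherwise.
weak_enctypes() {
    printf '%s\n' "$1" | awk '
        # Only the settings that choose enctypes are inspected
        /^[ \t]*(default_tgs_enctypes|default_tkt_enctypes|permitted_enctypes|supported_enctypes)[ \t]*=/ {
            split($0, kv, "=")
            name = kv[1]; gsub(/[ \t]/, "", name)
            n = split(kv[2], types, " ")      # split value on whitespace runs
            for (i = 1; i <= n; i++) {
                t = types[i]
                sub(/:.*/, "", t)               # drop the salt suffix (":normal")
                if (t == "") continue
                # des-*, des3-*, arcfour-* and rc4-* are the weak families
                if (t ~ /^(des|des3|arcfour|rc4)/) { print name ": " t; found = 1 }
            }
        }
        END { exit found ? 1 : 0 }
    '
}

# Constructed sample configs mirroring the settings discussed above
SAMPLE_KRB5_CONF='[libdefaults]
 default_realm = EXAMPLE.TEST
 default_tgs_enctypes = rc4-hmac
 default_tkt_enctypes = rc4-hmac
 permitted_enctypes = rc4-hmac
'
SAMPLE_KDC_CONF='[realms]
 EXAMPLE.TEST = {
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-cbc-md5:normal
 }
'
# AES-only variant that should pass cleanly
SAMPLE_SAFE='[libdefaults]
 permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
'

# Demo on the constructed samples (exit status 1 means weak enctypes present)
weak_enctypes "$SAMPLE_KRB5_CONF" || echo "krb5.conf sample: weak enctypes present"
weak_enctypes "$SAMPLE_KDC_CONF"  || echo "kdc.conf sample: weak enctypes present"
weak_enctypes "$SAMPLE_SAFE"      && echo "AES-only sample: clean"
```

To check a real file, pass its contents: `weak_enctypes "$(cat /etc/krb5.conf)"`.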