环境:
10.70.237.117 bd-1
10.70.237.118 bd-2
10.70.237.119 bd-3
10.70.237.120 bd-4
10.70.237.121 bd-5
10.70.237.122 bd-6
bd-1 - master KDC
bd-2 - slave KDC
hadoop.hna - realm name
admin/admin - admin principal
Install the master KDC
[root@bd-1 ~]# yum -y install krb5-libs krb5-server
configure the master KDC
1.配置/etc/krb5.conf
[root@bd-1 ~]# vim /etc/krb5.conf
[root@bd-1 ~]# cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = HADOOP.HNA
# udp_preference_limit = 1
# default_ccache_name = KEYRING:persistent:%{uid}
[realms]
HADOOP.HNA = {
kdc = bd-1.hadoop.hna
admin_server = bd-1.hadoop.hna
}
[domain_realm]
.hadoop.hna = HADOOP.HNA
bd-1 = HADOOP.HNA
bd-2 = HADOOP.HNA
bd-3 = HADOOP.HNA
bd-4 = HADOOP.HNA
bd-5 = HADOOP.HNA
bd-6 = HADOOP.HNA
2.配置/var/kerberos/krb5kdc/kdc.conf（注意：下面 supported_enctypes 中的 des-hmac-sha1、des-cbc-md5、des-cbc-crc 和 arcfour-hmac 属于弱加密类型，生产环境应只保留 aes256-cts/aes128-cts）
[root@bd-1 ~]# vim /var/kerberos/krb5kdc/kdc.conf
[root@bd-1 ~]# cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
HADOOP.HNA = {
#master_key_type = aes256-cts
max_life = 12h 0m 0s
max_renewable_life= 7d 0h 0m 0s
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
3.配置/var/kerberos/krb5kdc/kadm5.acl
[root@bd-1 ~]# vim /var/kerberos/krb5kdc/kadm5.acl
[root@bd-1 ~]# cat /var/kerberos/krb5kdc/kadm5.acl
*/admin@HADOOP.HNA *
4.创建kerberos数据库
[root@bd-1 ~]# kdb5_util create -r HADOOP.HNA -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'HADOOP.HNA',
master key name 'K/M@HADOOP.HNA'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: —输入密码. admin
Re-enter KDC database master key to verify: —数据密码
5.创建管理账户:
[root@bd-1 ~]# kadmin.local
Authenticating as principal root/admin@HADOOP.HNA with password.
kadmin.local: addprinc admin/admin@HADOOP.HNA
WARNING: no policy specified for admin/admin@HADOOP.HNA; defaulting to no policy
Enter password for principal "admin/admin@HADOOP.HNA":
Re-enter password for principal "admin/admin@HADOOP.HNA":
Principal "admin/admin@HADOOP.HNA" created.
kadmin.local: exit
6.启动服务:
[root@bd-1 ~]# chkconfig krb5kdc on
Note: Forwarding request to 'systemctl enable krb5kdc.service'.
Created symlink from /etc/systemd/system/multi-user.target.wants/krb5kdc.service to /usr/lib/systemd/system/krb5kdc.service.
[root@bd-1 ~]# chkconfig kadmin on
Note: Forwarding request to 'systemctl enable kadmin.service'.
Created symlink from /etc/systemd/system/multi-user.target.wants/kadmin.service to /usr/lib/systemd/system/kadmin.service.
[root@bd-1 ~]# service kadmin start
Redirecting to /bin/systemctl start kadmin.service
[root@bd-1 ~]# service krb5kdc start
Redirecting to /bin/systemctl start krb5kdc.service
Install the KDC Client
[root@bd-1 ~]# yum install krb5-workstation krb5-libs
configure the KDC client
1. 配置/etc/krb5.conf,直接把kerberos端的krb5.conf文件复制过来即可
[root@bd-1 ~]# scp /etc/krb5.conf bd-2:/etc/krb5.conf
krb5.conf 100% 635 0.6KB/s 00:00
[root@bd-1 ~]# scp /etc/krb5.conf bd-3:/etc/krb5.conf
krb5.conf 100% 635 0.6KB/s 00:00
[root@bd-1 ~]# scp /etc/krb5.conf bd-4:/etc/krb5.conf
krb5.conf 100% 635 0.6KB/s 00:00
[root@bd-1 ~]# scp /etc/krb5.conf bd-5:/etc/krb5.conf
krb5.conf 100% 635 0.6KB/s 00:00
[root@bd-1 ~]# scp /etc/krb5.conf bd-6:/etc/krb5.conf
krb5.conf 100% 635 0.6KB/s 00:00
[root@bd-1 ~]# kadmin.local -q "ktadd -k /tmp/admin.keytab admin/admin@HADOOP.HNA"
[root@bd-1 ~]# klist -e -k -t /tmp/admin.keytab
Install the slave KDCs
1. create host keytabs for the slave KDCs
[root@bd-2 ~]# yum -y install krb5-libs krb5-server
[root@bd-6 ~]# kadmin
Authenticating as principal root/admin@HADOOP.HNA with password.
Password for root/admin@HADOOP.HNA:
kadmin: addprinc -randkey host/bd-1@HADOOP.HNA
WARNING: no policy specified for host/bd-1@HADOOP.HNA; defaulting to no policy
Principal "host/bd-1@HADOOP.HNA" created.
kadmin: addprnc -randkey host/bd-2@HADOOP.HNA
kadmin: Unknown request "addprnc". Type "?" for a request list.
kadmin: addprinc -randkey host/bd-2@HADOOP.HNA
WARNING: no policy specified for host/bd-2@HADOOP.HNA; defaulting to no policy
Principal "host/bd-2@HADOOP.HNA" created.
kadmin: ktadd -k /etc/bd-1.keytab host/bd-1@HADOOP.HNA
Entry for principal host/bd-1@HADOOP.HNA with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/bd-1.keytab.
Entry for principal host/bd-1@HADOOP.HNA with kvno 3, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/bd-1.keytab.
kadmin: ktadd -k /etc/bd-2.keytab host/bd-2@HADOOP.HNA
Entry for principal host/bd-2@HADOOP.HNA with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/bd-2.keytab.
Entry for principal host/bd-2@HADOOP.HNA with kvno 3, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/bd-2.keytab.
2. Configure slave KDCs
The following files must be copied by hand to each slave
- krb5.conf
- kdc.conf
- kadm5.acl
- master key stash file