1. kerberos安装server节点
# Server node: install the KDC and kadmin daemons (krb5-server), the client
# tools such as kinit/klist (krb5-workstation) and the shared libraries.
yum --assumeyes install \
  krb5-server \
  krb5-workstation \
  krb5-libs
[root@freeipa krb5kdc]# cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 HANMAMA.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  max_life = 1d
  max_renewable_life = 7d
  supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
[root@freeipa krb5kdc]#
注意:supported_enctypes 中的 des3-hmac-sha1、arcfour-hmac、des-hmac-sha1、des-cbc-md5、des-cbc-crc 属于已被弃用的弱加密类型(参见 RFC 6649、RFC 8429),而且列表里没有 aes256-cts。在客户端支持的前提下,建议去掉这些弱类型,以 AES(aes256-cts、aes128-cts)为主。
[root@freeipa krb5kdc]# cat /etc/krb5.conf
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
 default_realm = BAIDU.COM
 #default_ccache_name = KEYRING:persistent:%{uid}
 udp_preference_limit = 1

[realms]
 HANMAMA.COM = {
  kdc = freeipa.BAIDU.com
  admin_server = freeipa.baidu.com
 }
[root@freeipa krb5kdc]#
注意:这里 default_realm 写的是 BAIDU.COM,而 [realms] 和 kdc.conf 中定义的 realm 是 HANMAMA.COM。实际配置时两处必须是同一个 realm,因为后面没有显式指定 realm 的 kdb5_util、kadmin.local 等命令都会使用 default_realm。
2.kerberos 安装agent节点
# Agent (client) node: only the client tools and libraries are installed here;
# krb5-server is not needed because no KDC runs on this host.
yum --assumeyes install \
  krb5-workstation \
  krb5-libs
[krb5kdc]# cat /etc/krb5.conf
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
 default_realm = BAIDU.COM
 #default_ccache_name = KEYRING:persistent:%{uid}
 udp_preference_limit = 1

[realms]
 HANMAMA.COM = {
  kdc = freeipa.BAIDU.com
  admin_server = freeipa.baidu.com
 }
[ krb5kdc]#
注意:agent 节点上的 default_realm 同样要与 [realms] 中的 realm 名称一致(此处分别写成了 BAIDU.COM 和 HANMAMA.COM)。
3.配置管理员权限
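[root@freeipa krb5kdc]# cat /var/kerberos/krb5kdc/kadm5.acl
*/admin@HANMAMA.COM *
[root@freeipa krb5kdc]#
(主体一栏在原页面中被邮箱保护脚本替换成了 [email protected],此处按 kdc.conf 的 realm 和后文的 /admin 实例还原,请以实际 realm 为准。)
注意:这一行把全部管理权限(*)授予所有实例名为 admin 的主体,包括第 7 步创建的 cloudera-scm/admin。如需收紧,可以为各个主体单独写 ACL 行,只授予各自所需的权限。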
4. 生成kerberos数据库
# Create the KDC database. kdb5_util prompts for the database master password.
# -s also writes a stash file holding the master key, so krb5kdc and kadmind
# can start without a prompt; keep that file readable by root only.
# No -r is given, so the realm is the default_realm from /etc/krb5.conf.
kdb5_util create -s
5.server节点启动服务
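# Start the KDC and the kadmin daemon now, then enable both at boot.
# Each systemctl call goes on its own line: run as a single line, the later
# words would be passed to the first "systemctl start" as unit names.
systemctl start krb5kdc
systemctl start kadmin
systemctl enable krb5kdc
systemctl enable kadmin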
6.创建管理员主体(输入密码即可)
# Create the admin/admin principal directly in the local KDC database
# (kadmin.local runs on the KDC host and does not go through kadmind).
# addprinc prompts for the new principal's password, so the password never
# appears on the command line or in shell history.
kadmin.local -q 'addprinc admin/admin'
7.CDH启动kerberos
添加供 Cloudera Manager 使用的管理员主体(同样按提示输入密码):
kadmin.local -q "addprinc cloudera-scm/admin"