Environment: Ambari-2.4.2, HDP-2.5.3, CentOS 6.5
FreeIPA bundles Kerberos, LDAP and other services. After some research it looked usable for authentication and centralised user management, with all users stored in FreeIPA's LDAP.
1. Set up a DNS server
http://www.funet8.com/2282.html
http://blog.csdn.net/senvenks/article/details/39829081
https://my.oschina.net/u/142602/blog/186481
http://blog.csdn.net/charlsecharlse/article/details/17955119
[root@hdp named]# cat /etc/named.rfc1912.zones
...
zone "wondersoft.cn" IN {
type master;
file "wondersoft.cn.zone";
};
[root@hdp named]# cat wondersoft.cn.zone
@ IN SOA wondersoft.cn hdp.wondersoft.cn. (
15 ; serial
2D ; refresh
4H ; retry
6W ; expiry
1W ) ; minimum
@ IN NS hdp.wondersoft.cn.
hdp IN A 192.168.1.68
ws1es IN A 192.168.1.66
ws1m IN A 192.168.1.65
ws1nn1 IN A 192.168.1.64
ws1dn1 IN A 192.168.1.61
ws1dn2 IN A 192.168.1.62
ws1dn3 IN A 192.168.1.63
ws2m IN A 192.168.1.67
kdc IN A 192.168.1.69
; ldap servers
_ldap._tcp IN SRV 0 100 389 ws1dn3.wondersoft.cn.
; kerberos realm
_kerberos IN TXT WONDERSOFT.CN
; kerberos servers
_kerberos._tcp IN SRV 0 100 88 ws1dn3.wondersoft.cn.
_kerberos._udp IN SRV 0 100 88 ws1dn3.wondersoft.cn.
_kerberos-master._tcp IN SRV 0 100 88 ws1dn3.wondersoft.cn.
_kerberos-master._udp IN SRV 0 100 88 ws1dn3.wondersoft.cn.
_kpasswd._tcp IN SRV 0 100 464 ws1dn3.wondersoft.cn.
_kpasswd._udp IN SRV 0 100 464 ws1dn3.wondersoft.cn.
[root@hdp named]# service named restart
停止 named: [确定]
启动 named: [确定]
2. https://github.com/hortonworks-gallery/ambari-freeipa-service
The machine that hosts the FreeIPA server needs Internet access, the passwords must be at least 8 characters, and the DNS address must be the DNS server set up in step 1.
If the DNS address is wrong, the install fails with the following error:
ipa : INFO The ipa-server-install command failed, exception: NetworkError: cannot connect to 'https://ws1dn3.wondersoft.cn:9444/ca/ee/ca/profileSubmitSSLClient': NSPRError() argument 1 must be string or None, not int
Unexpected error - see /var/log/ipaserver-install.log for details:
NetworkError: cannot connect to 'https://ws1dn3.wondersoft.cn:9444/ca/ee/ca/profileSubmitSSLClient': NSPRError() argument 1 must be string or None, not int)
Some log excerpts follow; you can also install by hand with the same commands.
FreeIPA includes its own DNS server as well, which is separate from the one set up in step 1.
The upstream DNS server is specified with --forwarder=192.168.1.68
2017-02-22 09:14:35,712 - Installing package *ipa-server ('/usr/bin/yum -d 0 -e 0 -y install '*ipa-server'')
2017-02-22 09:19:26,203 - Version 2.5.3.0-37 was provided as effective cluster version. Using package version 2_5_3_0_37
2017-02-22 09:19:26,205 - Package['bind'] {'retry_on_repo_unavailability': False, 'retry_count': 5}
2017-02-22 09:19:26,223 - Installing package bind ('/usr/bin/yum -d 0 -e 0 -y install bind')
2017-02-22 09:19:49,179 - Version 2.5.3.0-37 was provided as effective cluster version. Using package version 2_5_3_0_37
2017-02-22 09:19:49,181 - Package['bind-dyndb-ldap'] {'retry_on_repo_unavailability': False, 'retry_count': 5}
2017-02-22 09:19:49,198 - Installing package bind-dyndb-ldap ('/usr/bin/yum -d 0 -e 0 -y install bind-dyndb-ldap')
2017-02-22 09:38:45,880 - Execute['ipa-server-install --hostname=ws1dn3.wondersoft.cn --domain=wondersoft.cn --realm=WONDERSOFT.CN --ds-password=12345678 --master-password=12345678 --admin-password=12345678 --setup-dns --forwarder=192.168.1.68 --unattended --debug >> /var/log/freeipa-stdout.log'] {}
2017-02-22 09:50:39,021 - Execute['echo 12345678 | kinit admin'] {}
To uninstall:
ipa-server-install --uninstall
3. http://192.168.1.65:8080/#/experimental
Tick enableIpa.
https://community.hortonworks.com/articles/59645/ambari-24-kerberos-with-freeipa.html
4. When installing Kerberos there is now an extra option, Existing IPA.
5. Create an admin principal (add it to the admins group; authenticate first)
kinit admin@WONDERSOFT.CN
ipa user-add hadoopadmin --first=Hadoop --last=Admin
ipa group-add-member admins --users=hadoopadmin
ipa passwd hadoopadmin # change the password
6. Ambari also requires a group to be created called ambari-managed-principals. This group is not currently created by the Ambari Kerberos wizard. Create the group:
ipa group-add ambari-managed-principals
[root@ws1dn3 ~]# ipa group-add ambari-managed-principals
描述: ambari manage
-------------------------------
已添加组"ambari-managed-principals"
-------------------------------
组名: ambari-managed-principals
描述: ambari manage
GID: 390400003
7. Because of the way FreeIPA automatically expires the new password, it is necessary to kinit as hadoopadmin and change the initial password. The password can be set to the same password unless the password policy prohibits password reuse:
kinit hadoopadmin@WONDERSOFT.CN
[root@ws1dn3 ~]# kinit hadoopadmin@WONDERSOFT.CN
Password for hadoopadmin@WONDERSOFT.CN:
Password expired. You must change it now.
Enter new password:
Enter it again:
8. Modify the DNS configuration on the machine that hosts FreeIPA
[root@ws1dn3 named]# cat /etc/named.rfc1912.zones
...
zone "wondersoft.cn" IN {
type master;
file "wondersoft.cn.zone";
};
[root@ws1dn3 named]# cat /var/named/wondersoft.cn.zone
$TTL 86400
@ IN SOA wondersoft.cn hdp.wondersoft.cn. (
15 ; serial
2D ; refresh
4H ; retry
6W ; expiry
1W ) ; minimum
@ IN NS hdp.wondersoft.cn.
hdp IN A 192.168.1.68
ws1es IN A 192.168.1.66
ws1m IN A 192.168.1.65
ws1nn1 IN A 192.168.1.64
ws1dn1 IN A 192.168.1.61
ws1dn2 IN A 192.168.1.62
ws1dn3 IN A 192.168.1.63
ws2m IN A 192.168.1.67
kdc IN A 192.168.1.69
; ldap servers
_ldap._tcp IN SRV 0 100 389 ws1dn3.wondersoft.cn.
; kerberos realm
_kerberos IN TXT WONDERSOFT.CN
; kerberos servers
_kerberos._tcp IN SRV 0 100 88 ws1dn3.wondersoft.cn.
_kerberos._udp IN SRV 0 100 88 ws1dn3.wondersoft.cn.
_kerberos-master._tcp IN SRV 0 100 88 ws1dn3.wondersoft.cn.
_kerberos-master._udp IN SRV 0 100 88 ws1dn3.wondersoft.cn.
_kpasswd._tcp IN SRV 0 100 464 ws1dn3.wondersoft.cn.
_kpasswd._udp IN SRV 0 100 464 ws1dn3.wondersoft.cn.
[root@ws1dn3 named]# service named restart
停止 named:. [确定]
启动 named: [确定]
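A check for the Kerberos and LDAP discovery records that both zone files above (steps 1 and 8) define, added here as an example and not part of the original post: it parses a zone file in the post's layout and verifies the _kerberos TXT realm, the required SRV records and their ports, and that every SRV target is an absolute name backed by an A record in the zone. The origin wondersoft.cn, the realm WONDERSOFT.CN and the IPA host ws1dn3 are taken from the post; the sample zone text is constructed.

```python
# Lint the Kerberos/LDAP discovery records of a zone file in the post's layout (one record per line; only the SOA spans several lines).
REQUIRED_SRV = ("_kerberos._tcp", "_kerberos._udp", "_kpasswd._tcp", "_ldap._tcp")
EXPECTED_PORT = {"_kerberos": 88, "_kpasswd": 464, "_ldap": 389}

def parse_zone(text):
    """Return (A, SRV, TXT) records keyed by owner name; other types are ignored."""
    a, srv, txt = {}, {}, {}
    for raw in text.splitlines():
        fields = [f for f in raw.split(";", 1)[0].split() if f != "IN"]  # drop comment, class
        if len(fields) < 3:  # blank line, $TTL directive, or an SOA continuation line
            continue
        owner, rtype, rdata = fields[0], fields[1], fields[2:]
        if rtype == "A":
            a[owner] = rdata[0]
        elif rtype == "SRV":  # priority weight port target
            srv[owner] = (int(rdata[2]), rdata[3])
        elif rtype == "TXT":
            txt[owner] = " ".join(rdata).strip('"')
    return a, srv, txt

def check_zone(text, origin, realm, ipa_host):
    """Return a list of problems; empty means clients can discover the IPA KDC and LDAP."""
    a, srv, txt = parse_zone(text)
    problems = []
    if txt.get("_kerberos") != realm:
        problems.append(f"_kerberos TXT should be {realm}, found {txt.get('_kerberos')}")
    for name in REQUIRED_SRV:
        if name not in srv:
            problems.append(f"missing SRV record {name}")
            continue
        port, target = srv[name]
        if port != EXPECTED_PORT[name.split(".")[0]]:
            problems.append(f"{name} uses port {port}")
        if not target.endswith("."):  # relative target: BIND would append the origin
            problems.append(f"{name} target {target} is relative, missing the trailing dot")
        elif target != f"{ipa_host}.{origin}." or ipa_host not in a:
            problems.append(f"{name} target {target} is not the IPA server's A record")
    return problems
# Constructed sample in the post's layout (not the post's own zone file).
SAMPLE_ZONE = """\
@ IN SOA hdp.wondersoft.cn. hostmaster.wondersoft.cn. (
 15 ; serial
 1W ) ; minimum
ws1dn3 IN A 192.168.1.63
_ldap._tcp IN SRV 0 100 389 ws1dn3.wondersoft.cn.
_kerberos IN TXT WONDERSOFT.CN
_kerberos._tcp IN SRV 0 100 88 ws1dn3.wondersoft.cn.
_kerberos._udp IN SRV 0 100 88 ws1dn3.wondersoft.cn.
_kpasswd._tcp IN SRV 0 100 464 ws1dn3.wondersoft.cn.
"""
```

With dns_lookup_kdc = true (the server-side krb5.conf in step 13) clients locate the KDC through exactly these records, so a wrong or spoofed zone silently redirects authentication traffic. The client-side krb5.conf instead sets dns_lookup_kdc = false and pins kdc = ws1dn3.wondersoft.cn:88, which does not depend on the zone at all.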
9. Configure the HDP nodes to use the FreeIPA server for DNS resolution (on all nodes):
[root@ws1dn1 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search wondersoft.cn
#nameserver 8.8.8.8
nameserver 192.168.1.63
10. All nodes in the HDP cluster must have the ipa-client software installed and be joined to the FreeIPA server:
yum -y install ipa-client
[root@ws1dn1 ~]# ipa-client-install --domain=wondersoft.cn --server=ws1dn3.wondersoft.cn --realm=WONDERSOFT.CN --principal=admin@WONDERSOFT.CN --enable-dns-updates
11. On the Ambari server node, install the ipa-admintools package:
yum -y install ipa-admintools
I configured the IPA client on this machine as well; it appears to be required.
[root@ws1m ~]# ipa-client-install --domain=wondersoft.cn --server=ws1dn3.wondersoft.cn --realm=WONDERSOFT.CN --principal=admin@WONDERSOFT.CN --enable-dns-updates
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Hostname: ws1m.wondersoft.cn
Realm: WONDERSOFT.CN
DNS Domain: wondersoft.cn
IPA Server: ws1dn3.wondersoft.cn
BaseDN: dc=wondersoft,dc=cn
Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Password for admin@WONDERSOFT.CN:
Enrolled in IPA realm WONDERSOFT.CN
Attempting to get host TGT...
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm WONDERSOFT.CN
trying https://ws1dn3.wondersoft.cn/ipa/xml
Forwarding 'env' to server u'https://ws1dn3.wondersoft.cn/ipa/xml'
Failed to update DNS records.
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to server u'https://ws1dn3.wondersoft.cn/ipa/xml'
Could not update DNS SSHFP records.
SSSD enabled
Configuring wondersoft.cn as NIS domain
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.
12. Run the Kerberos Wizard
Run the Kerberos wizard from Ambari (Admin -> Kerberos -> Enable Kerberos). Select "Existing IPA" and verify that the prerequisites have been met.
13. Enter the appropriate information into the KDC page and modify the configuration file
[root@ws1dn3 ~]# cat /etc/krb5.conf
Server side:
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = WONDERSOFT.CN
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes
udp_preference_limit = 0
[realms]
WONDERSOFT.CN = {
kdc = ws1dn3.wondersoft.cn:88
master_kdc = ws1dn3.wondersoft.cn:88
admin_server = ws1dn3.wondersoft.cn:749
default_domain = wondersoft.cn
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.wondersoft.cn = WONDERSOFT.CN
wondersoft.cn = WONDERSOFT.CN
[dbmodules]
WONDERSOFT.CN = {
db_library = ipadb.so
}
Client side:
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = WONDERSOFT.CN
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
[realms]
WONDERSOFT.CN = {
kdc = ws1dn3.wondersoft.cn:88
master_kdc = ws1dn3.wondersoft.cn:88
admin_server = ws1dn3.wondersoft.cn:749
default_domain = wondersoft.cn
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.wondersoft.cn = WONDERSOFT.CN
wondersoft.cn = WONDERSOFT.CN
Afterwards I tried leaving the IPA client unconfigured on the machines that run the Ambari agents (actually because configuring it there failed: against the same FreeIPA server another machine works and this one does not, see below). Installing and configuring ipa-admintools only on the Ambari server machine also worked, but the hosts then have to be added in FreeIPA; see the figure below.
[root@hdp ~]# ipa-client-install --domain=wondersoft.cn --server=ws1dn3.wondersoft.cn --realm=WONDERSOFT.CN --principal=admin@WONDERSOFT.CN --enable-dns-updates
LDAP Error: Connect error: TLS error -8054:You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
LDAP Error: Connect error: TLS error -8054:You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
Failed to verify that ws1dn3.wondersoft.cn is an IPA Server.
This may mean that the remote server is not up or is not reachable due to network or firewall settings.
Please make sure the following ports are opened in the firewall settings:
TCP: 80, 88, 389
UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
TCP: 464
UDP: 464, 123 (if NTP enabled)
Installation failed. Rolling back changes.
IPA client is not configured on this system.
PS1:
[root@ws1dn3 ~]# kadmin.local -q 'addprinc -pw 12345678 admin/admin' -x ipa-setup-override-restrictions
Authenticating as principal admin/admin@WONDERSOFT.CN with password.
WARNING: no policy specified for admin/admin@WONDERSOFT.CN; defaulting to no policy
Principal "admin/admin@WONDERSOFT.CN" created.
[root@ws1dn3 ~]# vim /var/kerberos/krb5kdc/kadm5.acl
[root@ws1dn3 ~]# cat /var/kerberos/krb5kdc/kadm5.acl
*/admin@WONDERSOFT.CN *
[root@ws1dn3 ~]# service krb5kdc restart
停止 Kerberos 5 KDC: [确定]
正在启动 Kerberos 5 KDC: [确定]
[root@ws1dn3 ~]# service kadmin restart
停止 Kerberos 5 Admin Server: [确定]
正在启动 Kerberos 5 Admin Server: [确定]
PS2:
[root@ws1dn3 named]# cat /etc/resolv.conf
search wondersoft.cn
nameserver 192.168.1.63
[root@ws1dn3 named]# ipa host-add ws2hdp.wondersoft.cn
ipa: ERROR: Host does not have corresponding DNS A record
[root@ws1dn3 named]# vim /var/named/wondersoft.cn.zone
Add the line: ws2hdp IN A 192.168.1.69
[root@ws1dn3 named]# service named restart
停止 named:. [确定]
启动 named: [确定]
[root@ws1dn3 named]# ipa host-add ws2hdp.wondersoft.cn
---------------------------
新增主机 "ws2hdp.wondersoft.cn"
---------------------------
主机名: ws2hdp.wondersoft.cn
Principal name: host/ws2hdp.wondersoft.cn@WONDERSOFT.CN
密码: False
Keytab: False
Managed by: ws2hdp.wondersoft.cn
[root@ws1dn3 named]# ipa service-add HTTP/ws2hdp.wondersoft.cn
-------------------------------------------------------
Added service "HTTP/ws2hdp.wondersoft.cn@WONDERSOFT.CN"
-------------------------------------------------------
Principal: HTTP/ws2hdp.wondersoft.cn@WONDERSOFT.CN
Managed by: ws2hdp.wondersoft.cn
[root@ws1dn3 named]# ipa service-del HTTP/ws2hdp.wondersoft.cn
---------------------------------------------------------
Deleted service "HTTP/ws2hdp.wondersoft.cn@WONDERSOFT.CN"
---------------------------------------------------------
[root@ws1dn3 named]# ipa host-del ws2hdp.wondersoft.cn
----------------------------
已删除主机 "ws2hdp.wondersoft.cn"
----------------------------
Reference: https://community.hortonworks.com/articles/59645/ambari-24-kerberos-with-freeipa.html