centos 7.4
# KDC host only: server daemons plus the client tools (kinit/klist/kadmin) and the auth dialog.
krb_pkgs=(krb5-server krb5-libs krb5-auth-dialog krb5-workstation)
yum -y install "${krb_pkgs[@]}"
安装后 /etc/krb5.conf 的默认内容如下(原图已缺失)。
修改为(下面是完整的 /etc/krb5.conf,每个节点都要使用完全相同的内容):
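# /etc/krb5.conf - library/client side configuration; every node must carry an identical copy.
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
# Must not exceed max_renewable_life in kdc.conf (7d there); the KDC caps renewal at its own value.
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
# Must match the realm name under [realms] below exactly (realm names are case-sensitive).
default_realm = JAST.COM
# Force TCP to the KDC; the parameter notes on this page recommend it to avoid a known
# Hadoop-side error seen with UDP, but the original listing forgot to include it.
udp_preference_limit = 1
# Kept commented: with it off the cache is FILE:/tmp/krb5cc_<uid> (the klist output later on
# this page shows FILE:/tmp/krb5cc_0). NOTE(review): presumably disabled because the Java/Hadoop
# GSS stack cannot read the kernel KEYRING cache - confirm before enabling it.
# default_ccache_name = KEYRING:persistent:%{uid}

[realms]
JAST.COM = {
# Use the KDC's fully-qualified hostname exactly as it resolves on every node.
kdc = hostname1
admin_server = hostname1
}

[domain_realm]
.jast.com = JAST.COM
jast.com = JAST.COM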
参数说明
[logging]:表示server端的日志的打印位置
[libdefaults]:每种连接的默认配置,需要注意以下几个关键的小配置
default_realm = JAST.COM 默认的realm,必须与 [realms] 中配置的realm名称完全一致(区分大小写)。本文实际使用的是 JAST.COM,其他资料中常见的 HADOOP.COM 只是示例名。
udp_preference_limit = 1 强制客户端与KDC之间使用TCP,可避免Hadoop在UDP下出现的一个已知错误;该项写在 [libdefaults] 段中。
ticket_lifetime 表明凭证生效的时限,一般为24小时。
renew_lifetime 表明凭证最长可以被续期的时限,一般为一个礼拜;它不能超过 kdc.conf 中的 max_renewable_life,否则以 KDC 一侧的值为准。
凭证过期之后,对需要安全认证的服务的后续访问都会失败,需要重新 kinit。
[realms]:列举使用的realm。
kdc:KDC 服务所在主机(建议写能在所有节点上解析的完整域名 FQDN)。
admin_server:代表admin的位置。
default_domain:代表默认的域名
[appdefaults]:可以设定一些针对特定应用的配置,覆盖默认配置。
原内容为 */admin@EXAMPLE.COM *
修改为上面配置的域名:
*/admin@JAST.COM *
说明:这一行表示所有实例为 /admin 的主体(如后面创建的 admin/admin、cloudera-scm/admin)都拥有 kadmin 的全部权限(第二列的 * 即全部权限),因此只给确实需要管理 KDC 的账号创建 /admin 主体;ACL 中的 realm 必须与 krb5.conf 中的一致。
/var/kerberos/krb5kdc/kdc.conf 默认内容如下(原图已缺失)。
修改为:
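# /var/kerberos/krb5kdc/kdc.conf - KDC-side settings for realm JAST.COM.
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88

[realms]
JAST.COM = {
# AES-256 master key, stated explicitly so a future change of the package default cannot silently weaken it.
master_key_type = aes256-cts
# Upper bound for renew_lifetime in krb5.conf (7d there); the two should agree.
max_renewable_life = 7d 0h 0m 0s
acl_file = /var/kerberos/krb5kdc/kadm5.acl
# Only consulted when a principal has a password policy attached. With "no policy"
# (the WARNING that addprinc prints later on this page) this file has no effect.
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
# AES only. Single-DES (des-cbc-crc, des-cbc-md5, des-hmac-sha1) and RC4 (arcfour-hmac) are
# broken and must never be issued; des3-hmac-sha1 is deprecated and camellia is not needed by
# JDK-based clients. Re-add a legacy type only if a concrete client fails, and remove it again
# afterwards. NOTE: aes256 needs the unlimited-strength JCE policy on older JDK 8 builds;
# aes128 covers those clients.
supported_enctypes = aes256-cts:normal aes128-cts:normal
}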
需输入两遍你的数据库主密码(master key)即可。-s 会把主密钥以 stash 文件(/var/kerberos/krb5kdc/.k5.JAST.COM)形式存在磁盘上,供 KDC 无人值守启动;该文件必须为 root 所有、权限 0600,并纳入备份——主密码忘记且 stash 文件丢失时数据库将无法再打开。
[root@fwqml006 ~]# kdb5_util create -r JAST.COM -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'JAST.COM',
master key name 'K/M@JAST.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
创建完成后,在 /var/kerberos/krb5kdc/ 目录下会多出几个文件(principal* 数据库文件,以及 -s 生成的 stash 文件 .k5.JAST.COM),就是创建的数据文件。
[root@xxx ~]# kadmin.local
Authenticating as principal root/admin@JAST.COM with password.
kadmin.local: addprinc admin/admin@JAST.COM #这里输入 addprinc admin/admin@JAST.COM
WARNING: no policy specified for admin/admin@JAST.COM; defaulting to no policy
Enter password for principal "admin/admin@JAST.COM": #这里输入密码
Re-enter password for principal "admin/admin@JAST.COM": #这里确认密码
Principal "admin/admin@JAST.COM" created.
kadmin.local: exit #上面创建完成退出
如果改用 kadmin.local -q "addprinc admin/admin@JAST.COM" 的方式,则无需进入 kadmin.local 交互界面,一条命令即可完成。注意上面的 WARNING: no policy specified 表示该主体没有绑定口令策略,此时 kdc.conf 中的 dict_file 也不会生效;正式环境建议先用 addpol 创建策略,再用 addprinc -policy <策略名> 创建主体。
# Enable both daemons at boot, then start them, then print their status - one phase at a time.
kdc_services=(krb5kdc kadmin)
for action in enable start status; do
  for svc in "${kdc_services[@]}"; do
    systemctl "$action" "$svc"
  done
done
启动成功
[root@xxx ~]# kinit admin/admin@JAST.COM
Password for admin/admin@JAST.COM: #这里输入密码
[root@xxx ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@JAST.COM
Valid starting Expires Service principal
2019-08-05T14:18:54 2019-08-06T14:18:54 krbtgt/JAST.COM@JAST.COM
renew until 2019-08-12T14:18:54
所有节点执行
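# Every cluster node needs the Kerberos client libraries/tools. openldap-clients is installed
# alongside them as in the original page (presumably for LDAP tooling used later - verify).
yum -y install krb5-libs krb5-workstation openldap-clients
# Push the KDC's /etc/krb5.conf unchanged to every other node. The original target host was
# lost in extraction and was a single host although the page says "all nodes", so list them
# here; hostname1 is the KDC itself. The file holds no secrets, but all copies must be
# identical, so prefer configuration management over ad-hoc scp in a real deployment.
nodes=(hostname2 hostname3)   # replace with the real node hostnames
for node in "${nodes[@]}"; do
  scp /etc/krb5.conf "root@${node}:/etc/"
done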
[root@fwqml006 ~]# kadmin.local
Authenticating as principal admin/admin@JAST.COM with password.
kadmin.local: addprinc cloudera-scm/admin@JAST.COM #这里输入 addprinc cloudera-scm/admin@JAST.COM
WARNING: no policy specified for cloudera-scm/admin@JAST.COM; defaulting to no policy
Enter password for principal "cloudera-scm/admin@JAST.COM": #这里输入密码
Re-enter password for principal "cloudera-scm/admin@JAST.COM": #这里再次输入密码确认
Principal "cloudera-scm/admin@JAST.COM" created.
kadmin.local: exit
启动集群报错参考 Socket Reader #1 for port 8022: readAndProcess from client:https://datamining.blog.csdn.net/article/details/98615398
启动成功
查看hdfs数据
进入hbase shell 查看一下
使用 kinit 完成认证(kinit 做的是认证而不是授权)后即可访问集群:kinit xxx,xxx 是你要登录的主体名。注意 admin/admin 这类 /admin 主体只应用于 kadmin 管理,日常访问 HDFS/HBase 应为每个用户单独创建普通主体。
创建账户详细使用参考:https://datamining.blog.csdn.net/article/details/98625330