# On the KDC host (node01): install the KDC/kadmind server, libraries, admin
# dialog and client tools. Only this host needs krb5-server; the other nodes
# get krb5-libs/krb5-workstation further down the page.
# yum install krb5-server krb5-libs krb5-auth-dialog krb5-workstation -y
# Client/library configuration; the same file is copied to node02/node03 later.
vim /etc/krb5.conf
---
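includedir /etc/krb5.conf.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = GEMS.COM
# KDC and realm mapping are pinned in [realms]/[domain_realm] below; do not
# let DNS SRV/TXT records (spoofable) decide where tickets are requested.
dns_lookup_kdc = false
dns_lookup_realm = false
# Do not canonicalise host names through reverse DNS; a forged PTR record
# could otherwise steer a client at the wrong service principal.
rdns = false
ticket_lifetime = 24h
renew_lifetime = 7d
# Hadoop services need forwardable TGTs to act on behalf of the user. A stolen
# forwardable ticket can be replayed from any host, so keep lifetimes short.
forwardable = true
# Encryption types. The original pinned rc4-hmac as the ONLY permitted type;
# RC4-HMAC (key derived from the MD4 password hash) is deprecated (RFC 8429)
# and must not be the sole option. kdc.conf on this page already lists
# aes256-cts/aes128-cts first in supported_enctypes, and the JCE
# unlimited-policy jars installed below let Java use AES-256, so AES works
# for the KDC, the Linux clients and the Hadoop JVMs alike.
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
# Use TCP for every KDC exchange (AES tickets are larger than one UDP datagram
# on some paths).
udp_preference_limit = 1
kdc_timeout = 3000
# Left disabled on purpose: the Java/Hadoop clients read FILE: credential
# caches, not kernel keyrings. NOTE(review): confirm for your CDH release.
# default_ccache_name = KEYRING:persistent:%{uid}

[realms]
GEMS.COM = {
kdc = node01.yangyang.com
admin_server = node01.yangyang.com
}

[domain_realm]
# The original mapped only node01; this file is copied to node02 and node03,
# so their host names must map to the realm too. Both forms are needed:
# the leading-dot entry matches every host in the domain, the bare entry
# matches the domain name itself.
.yangyang.com = GEMS.COM
yangyang.com = GEMS.COM
.node01.yangyang.com = GEMS.COM
node01.yangyang.com = GEMS.COM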
# Admin ACL enforced by kadmind (referenced as acl_file in kdc.conf).
# Note that kadmin.local (used below) does NOT consult this file.
vim /var/kerberos/krb5kdc/kadm5.acl
# Every principal whose instance is "admin" in GEMS.COM gets all standard
# kadmin privileges ("*": add/delete/modify/change-key/inquire/list). Both
# admin/admin and cloudera-scm/admin created on this page match this rule,
# so anyone holding either password can manage the whole realm.
*/admin@GEMS.COM *
# KDC/realm settings. Written BEFORE "kdb5_util create" so that
# master_key_type and supported_enctypes apply to the new database.
vim /var/kerberos/krb5kdc/kdc.conf
----
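[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88

[realms]
GEMS.COM = {
# The master key type is fixed when "kdb5_util create" runs (next step on
# this page); state it explicitly instead of relying on the build default.
master_key_type = aes256-cts
max_renewable_life = 7d
max_life = 1d
acl_file = /var/kerberos/krb5kdc/kadm5.acl
# dict_file is only consulted for principals that carry a password policy.
# Every addprinc on this page reports "no policy specified", so this file is
# inert until a policy exists (kadmin: addpol -minlength 12 ... default) and
# is attached with "addprinc -policy ...".
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
# Key types generated for new principals, strongest first.
# Single-DES (des-hmac-sha1, des-cbc-md5, des-cbc-crc) has been removed: it is
# cryptographically broken and current krb5 refuses it unless
# allow_weak_crypto is turned on. arcfour-hmac (RC4) and des3-hmac-sha1 are
# deprecated (RFC 8429) and are kept ONLY because the krb5.conf on this page
# pins rc4-hmac on the clients; drop both once every client permits AES.
supported_enctypes = aes256-cts:normal aes128-cts:normal camellia256-cts:normal camellia128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal
default_principal_flags = +renewable, +forwardable
}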
# Creates the principal database for the realm. "-s" also writes the master
# key to a stash file (on RHEL typically /var/kerberos/krb5kdc/.k5.GEMS.COM)
# so krb5kdc/kadmind can start unattended. That file must stay root-only
# (mode 0600): whoever can read it can decrypt every key in the database.
# kdb5_util create -r GEMS.COM -s
---
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'GEMS.COM',
master key name 'K/M@GEMS.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
---
Master key password used in the original write-up: GEMS.COM. Do not copy this choice — the realm name is the first value an attacker would try, and this password protects every key in the KDC database. Use a long random passphrase, keep it in a vault/password manager, and never paste it into documentation; because of "-s" above the daemons read the stash file, so the passphrase is only needed again for kdb5_util maintenance (dump/restore, re-stash).
# kadmin.local opens the principal database directly as root on the KDC host;
# it bypasses kadmind and therefore the kadm5.acl checks.
# kadmin.local
Authenticating as principal root/admin@GEMS.COM with password.
kadmin.local: addprinc admin/admin@GEMS.COM
WARNING: no policy specified for admin/admin@GEMS.COM; defaulting to no policy
Enter password for principal "admin/admin@GEMS.COM": [输入密码]
Re-enter password for principal "admin/admin@GEMS.COM": [输入密码]
Principal "admin/admin@GEMS.COM" created.
kadmin.local: exit
# Start the KDC and the admin server now and enable both at boot.
for svc in krb5kdc kadmin; do
    service "$svc" start
    chkconfig "$svc" on
done
# Obtain a TGT for the admin principal to verify the KDC is answering.
kinit admin/admin@GEMS.COM
---> password: admin (placeholder from the original write-up only — this principal matches the */admin rule in kadm5.acl and holds full kadmin privileges over the realm, so choose a strong, unique password and never reuse "admin"; consider attaching a password policy with addpol/-policy so dict_file is actually enforced)
# Expect a krbtgt/GEMS.COM@GEMS.COM ticket for admin/admin. Use "klist -e"
# to see the ticket and session-key enctypes and confirm AES (not rc4-hmac)
# is really in use after the krb5.conf change.
# klist
On every cluster node install the Kerberos client libraries and tools (the KDC host already has them from the server install above):
yum -y install krb5-libs krb5-workstation
The Cloudera Manager server host additionally needs the OpenLDAP client tools (the original says "kdc-server node" here; if CM and the KDC both run on node01 that is the same host — otherwise install it on the CM server host):
yum -y install openldap-clients
# Ship the identical client configuration to the other cluster nodes.
for node in node02 node03; do
    scp /etc/krb5.conf "${node}:/etc"
done
# JDK 1.8.0_151 ships the "limited" JCE policy, which caps AES at 128-bit
# keys; the unlimited-policy jars are required for aes256-cts tickets to
# work in the Hadoop JVMs. (From 8u161 onward the unlimited policy is the
# default and this step is unnecessary.) Verify the zip's checksum/signature
# against Oracle's download page before installing: these jars replace the
# JCE policy files on every node in the cluster.
# unzip jce_policy-8.zip
# cd UnlimitedJCEPolicyJDK8/
# cp -p *.jar /usr/java/jdk1.8.0_151/jre/lib/security/
# scp *.jar node02:/usr/java/jdk1.8.0_151/jre/lib/security/
# scp *.jar node03:/usr/java/jdk1.8.0_151/jre/lib/security/
3.2.1 配置jdk 的目录:
# Again directly against the database on the KDC host (no kadm5.acl check).
# The cloudera-scm/admin principal created below matches the */admin rule in
# kadm5.acl, so Cloudera Manager will hold full kadmin rights with it.
kadmin.local
Authenticating as principal admin/admin@GEMS.COM with password.
kadmin.local: addprinc cloudera-scm/admin@GEMS.COM
WARNING: no policy specified for cloudera-scm/admin@GEMS.COM; defaulting to no policy
Enter password for principal "cloudera-scm/admin@GEMS.COM": [输入密码]
Re-enter password for principal "cloudera-scm/admin@GEMS.COM": [输入密码]
Principal "cloudera-scm/admin@GEMS.COM" created.
Password used in the original write-up: Cloudera-scm. This is the account Cloudera Manager uses to create and re-key service principals, and via the */admin rule in kadm5.acl it has full administrative rights over the realm — treat it like a root credential: choose a strong unique password, store it only in Cloudera Manager's KDC account-manager credential store, and do not record it in documentation.
- 3.2.3 启用kerberos
原文:http://blog.51cto.com/flyfish225/2096487