Kerberos服务搭建
服务端搭建
# Packages for the KDC host: the server, its libraries, the auth dialog helper
# and the workstation tools (kinit/klist/kadmin) used later in this guide.
pkgs=(krb5-server krb5-libs krb5-auth-dialog krb5-workstation)
yum -y install "${pkgs[@]}"
kdc.conf
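# Write the KDC configuration for realm CHUNYU.COM.
# Change from the original: the single-DES enctypes (des-hmac-sha1,
# des-cbc-md5, des-cbc-crc) are dropped from supported_enctypes. They are
# weak, rejected by default (allow_weak_crypto = false) and removed from
# current MIT krb5 releases, so listing them only invites enabling them later.
# arcfour-hmac (RC4) and des3-hmac-sha1 are kept for compatibility but are
# deprecated; drop them once every client is confirmed to use AES/Camellia.
# dict_file makes addprinc reject dictionary passwords; keep it.
# The delimiter is quoted: the body contains no shell expansions and is
# written literally.
cat > /var/kerberos/krb5kdc/kdc.conf << 'EOF'
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
CHUNYU.COM = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
max_renewable_life = 7d
supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal
}
EOF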
krb5.conf
# Library/client configuration, shared by the KDC host and every client.
# Realm and KDC lookup are static (dns_lookup_* = false), so the name "kdc"
# under [realms] must resolve through /etc/hosts (added below).
# udp_preference_limit = 1 makes the libraries use TCP for KDC traffic.
# The delimiter is quoted: the body contains no shell expansions and is
# written literally.
cat > /etc/krb5.conf << 'EOF'
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_kdc = false
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_realm = CHUNYU.COM
udp_preference_limit = 1
[realms]
CHUNYU.COM = {
kdc = kdc
admin_server = kdc
}
[domain_realm]
.chunyu.com = CHUNYU.COM
chunyu.com = CHUNYU.COM
EOF
kadm5.acl
# kadmin ACL: every principal whose instance is "admin" in CHUNYU.COM
# (e.g. hadoop/admin) receives all kadmin privileges ("*").  This is the
# realm's equivalent of root; keep the set of such principals small.
printf '%s\n' '*/admin@CHUNYU.COM *' > /var/kerberos/krb5kdc/kadm5.acl
修改hosts
# Let the KDC host resolve the "kdc" alias referenced in krb5.conf to itself.
printf '%s\n' '127.0.0.1 kdc' >> /etc/hosts
初始化数据库
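# Create the realm database.  Fix: the original passed -r HADOOP.COM, which
# does not match the realm configured in kdc.conf, krb5.conf and kadm5.acl
# (CHUNYU.COM); kadmin.local and the principals below would not find it.
# -s stashes the master key on disk so krb5kdc/kadmind can start unattended;
# the stash file must be protected like the database itself.
kdb5_util create -s -r CHUNYU.COM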
启动服务
# Start both daemons now and enable them at boot.  Two calls are used instead
# of "enable --now" so the sequence also works on older systemd releases.
units=(kadmin krb5kdc)
systemctl start "${units[@]}"
systemctl enable "${units[@]}"
添加权限管理
需要先在 kadmin.local 中创建一个 principal，它具有对应的管理权限之后才能使用。
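# Create the admin principal.  The original showed addprinc on its own line
# as if it were a shell command; it is a kadmin command, so it is passed with
# -q here (it can equally be typed at the interactive "kadmin.local:" prompt).
# addprinc asks for the new principal's password; kdc.conf's dict_file makes
# it reject dictionary words.  Through the */admin@CHUNYU.COM ACL this
# principal becomes a full administrator of the realm.
kadmin.local -q 'addprinc hadoop/admin@CHUNYU.COM'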
初始化并输入密码,然后查看信息
# Obtain a TGT for the new principal with its password, then list the
# credential cache to confirm the KDC is issuing tickets.
principal='hadoop/admin@CHUNYU.COM'
kinit "$principal"
klist
生成keytab文件
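# Export the principal's key to hadoop.keytab in the current directory.
# xst is a kadmin command (the original showed it bare), so it is run through
# kadmin.local -q.  Note that xst re-randomizes the principal's key: the
# password set by addprinc stops working afterwards (kadmin.local supports
# "xst -norandkey" if the password must stay valid).  The keytab is a
# reusable credential: keep it owner-readable only and copy it to clients
# over an authenticated channel, never by an unprotected share.
kadmin.local -q 'xst -k hadoop.keytab hadoop/admin@CHUNYU.COM'
chmod 600 hadoop.keytab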
会在当前路径生成hadoop.keytab文件
在其他机器使用keytab文件
复制服务端的/etc/krb5.conf和刚刚生成的hadoop.keytab文件到要部署的客户端
修改客户端的 hosts 文件，将 IP 地址改为 Kerberos 服务端的 IP
# On the client: map the realm name and the "kdc" alias used in the copied
# krb5.conf to the KDC's address (the Kerberos server's IP in this guide).
printf '%s\n' '10.241.241.113 CHUNYU.COM kdc' >> /etc/hosts
# Authenticate with the keytab (-k) read from the given file (-t) instead of
# a password; this is the non-interactive login services will use.
kinit -k -t hadoop.keytab hadoop/admin@CHUNYU.COM
使用 klist 查看票据信息