Changes between Initial Version and Version 1 of kerberos

Timestamp:

08/30/2012 02:10:10 PM (14 years ago)

Author:

liaojiaohe

Comment:

--

kerberos

@@ +1 @@
+选择一套机器做KDC,测试环境选择了192.168.11.63 - hadooptest-11-63.pconline.ctc[[BR]]
+
+Client有四台机器：
+192.168.11.64 - hadooptest-11-64.pconline.ctc[[BR]]
+192.168.11.65 - hadooptest-11-65.pconline.ctc[[BR]]
+192.168.11.66 - hadooptest-11-66.pconline.ctc[[BR]]
+192.168.11.67 - hadooptest-11-67.pconline.ctc[[BR]]
+
+tar -zxvf krb5-1.10.3.tar.gz[[BR]]
+cd krb5-1.10.3/src[[BR]]
+./configure[[BR]]
+make[[BR]]
+make install
+
+1. 编辑 11.63 上/etc/krb5.conf 文件[[BR]]
+
+{{{
+[logging]
+ default = FILE:/var/log/krb5libs.log
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+ default_realm = PCONLINE
+ dns_lookup_realm = false
+ dns_lookup_kdc = false
+ ticket_lifetime = 24h
+ forwardable = yes
+
+[realms]
+ PCONLINE = {
+  kdc = hadooptest-11-63.pconline.ctc:88
+  admin_server = hadooptest-11-63.pconline.ctc:749
+  default_domain = pconline.ctc
+ }
+
+[domain_realm]
+ .pconline.ctc = PCONLINE
+ pconline.ctc = PCONLINE
+
+[appdefaults]
+ pam = {
+   debug = false
+   ticket_lifetime = 36000
+   renew_lifetime = 36000
+   forwardable = true
+   krb4_convert = false
+ }
+
+}}}
+
+2.新建 /usr/local/var/krb5kdc/kdc.conf文件[[BR]]
+
+{{{
+[kdcdefaults]
+ v4_mode = nopreauth
+ kdc_ports = 750,88
+ kdc_tcp_ports = 88
+ 
+[realms]
+ PCONLINE = {
+  acl_file = /usr/local/var/krb5kdc/kadm5.acl
+  dict_file = /usr/share/dict/words
+  admin_keytab = /usr/local/var/krb5kdc/kadm5.keytab
+  kdc_ports = 750,88
+  max_life = 1d 0h 0m 0s
+  max_renewable_life = 7d 0h 0m 0s
+  supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm
+  default_principal_flags = +preauth
+ }
+}}}
+
+
+3.新建Kerberos数据库[[BR]]
+
+{{{
+# /usr/local/sbin/kdb5_util create -r PCONLINE -s[[BR]]
+}}}
+
+4.在/usr/local/var/krb5kdc/目录下新建kadm5.acl文件，内容如下：
+
+*/admin@HADOOP.LOCALDOMAIN      *
+
+
+5.开始为KDC设置初始用户信息，这里需要在KDC上执行kadmin.local命令（该命令仅能在KDC上运行，如果你需要在其他机器上管理kerberos的话，直接运行kadmin）
+
+# /usr/local/sbin/kadmin.local[[BR]]
+Enter password forprincipal "admin/admin@PCONLINE":[[BR]]
+kadmin.local: addprinc admin/admin@PCONLINE[[BR]]
+Re-enter password forprincipal "admin/admin@PCONLINE":[[BR]]
+Principal "admin/admin@PCONLINE"created.[[BR]]
+生成admin keytab文件：[[BR]]
+
+kadmin.local: ktadd -k /usr/local/var/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw[[BR]]
+Entry forprincipal kadmin/admin with kvno 3, encryption type DES-CBC-CRC added to keytab WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.[[BR]]
+Entry forprincipal kadmin/changepw with kvno 3, encryption type DES-CBC-CRC added to keytab WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.[[BR]]
+
+
+ 6.启动KDC和kadmind[[BR]]
+
+# /usr/local/sbin/krb5kdc[[BR]]
+# /usr/local/sbin/kadmind[[BR]]
+
+7.为了使集群内所有机器都有Kerberos工具，你需要在集群中每个机器上安装Kerberos程序。并给出/etc/krb5.conf配置文件，并不需要做其他配置。
+
+8.首先在KDC上为Kerberos添加一个新的管理员hadoop/admin：[[BR]]
+
+# /usr/local/sbin/kadmin.local[[BR]]
+Enter password forprincipal "hadoop/admin@PCOLINE":[[BR]]
+kadmin.local: addprinc hadoop/admin@PCOLINE[[BR]]
+Re-enter password forprincipal "hadoop/admin@PCOLINE":[[BR]]
+Principal "hadoop/admin@PCOLINE"created.[[BR]]
+