To understand Kerberos, besides its [http://web.mit.edu/kerberos/krb5-1.10/ official site], I searched for a long time; the best Chinese-language explanation turned out to be [http://docs.oracle.com/cd/E26926_01/html/E25889/intro-1.html#scrolltoc on the Oracle Solaris docs]. A big company is a big company.

Pick one machine to be the KDC. In the test environment this is 192.168.11.63 - hadooptest-11-63.pconline.ctc.[[BR]]
There are four client machines:[[BR]]
192.168.11.64 - hadooptest-11-64.pconline.ctc[[BR]]
192.168.11.65 - hadooptest-11-65.pconline.ctc[[BR]]
192.168.11.66 - hadooptest-11-66.pconline.ctc[[BR]]
192.168.11.67 - hadooptest-11-67.pconline.ctc[[BR]]

Build and install MIT Kerberos from source. With no --prefix, configure installs under /usr/local, which is why the paths below are /usr/local/sbin, /usr/local/bin and /usr/local/var/krb5kdc:
{{{
tar -zxvf krb5-1.10.3.tar.gz
cd krb5-1.10.3/src
./configure
make
make install
}}}

1. Edit the /etc/krb5.conf file on 11.63[[BR]]
{{{
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = PCONLINE
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 PCONLINE = {
  kdc = hadooptest-11-63.pconline.ctc:88
  admin_server = hadooptest-11-63.pconline.ctc:749
  default_domain = pconline.ctc
 }

[domain_realm]
 .pconline.ctc = PCONLINE
 pconline.ctc = PCONLINE

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
}}}
With dns_lookup_realm and dns_lookup_kdc both false, the KDC and the host-to-realm mapping come only from this file, so every machine needs an identical copy and must be able to resolve hadooptest-11-63.pconline.ctc (via DNS or /etc/hosts).

2. Create the file /usr/local/var/krb5kdc/kdc.conf[[BR]]
{{{
[kdcdefaults]
 v4_mode = nopreauth
 kdc_ports = 750,88
 kdc_tcp_ports = 88

[realms]
 PCONLINE = {
  acl_file = /usr/local/var/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /usr/local/var/krb5kdc/kadm5.keytab
  kdc_ports = 750,88
  max_life = 1d 0h 0m 0s
  max_renewable_life = 7d 0h 0m 0s
  supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm
  default_principal_flags = +preauth
 }
}}}
Two settings here deserve a second look before this leaves the test environment. The single-DES entries in supported_enctypes (des-cbc-crc and the des:* salts) are cryptographically broken and are disabled by default in MIT krb5 since 1.8 (allow_weak_crypto = false); an AES enctype such as aes256-cts-hmac-sha1-96 is supported by this release and should replace them. v4_mode enables Kerberos 4 compatibility, which nothing in a Hadoop cluster needs. default_principal_flags = +preauth is the right choice: it makes every new principal require pre-authentication, so an attacker cannot request an AS-REP for an arbitrary user and crack it offline.

3. Create the Kerberos database[[BR]]
{{{
# /usr/local/sbin/kdb5_util create -r PCONLINE -s
}}}
You are prompted for the database master password. -s writes a stash file under /usr/local/var/krb5kdc so that krb5kdc and kadmind can start without that password being typed; the stash file is equivalent to the master key and must stay readable by root only. This step also creates the built-in principals (K/M, krbtgt/PCONLINE, kadmin/admin, kadmin/changepw) that the later ktadd relies on.

4. In /usr/local/var/krb5kdc/ create the file kadm5.acl with the following content:
{{{
*/admin@PCONLINE *
}}}
The realm in the ACL must be the realm of this KDC. The commonly copied line */admin@HADOOP.LOCALDOMAIN * would match nothing in PCONLINE and admin/admin@PCONLINE would get no rights through kadmind. As written, the rule grants every privilege (*) to any principal whose instance is admin, so hand out */admin principals sparingly.

5. Set up the initial administrative principal for the KDC. This is done with kadmin.local on the KDC (the command only runs on the KDC itself because it opens the database directly; to manage Kerberos from another machine, run kadmin instead, which talks to kadmind).
{{{
# /usr/local/sbin/kadmin.local
kadmin.local: addprinc admin/admin@PCONLINE
Enter password for principal "admin/admin@PCONLINE":
Re-enter password for principal "admin/admin@PCONLINE":
Principal "admin/admin@PCONLINE" created.
}}}
Generate the admin keytab that kadmind uses (the admin_keytab path from kdc.conf):
{{{
kadmin.local: ktadd -k /usr/local/var/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw
Entry for principal kadmin/admin with kvno 3, encryption type DES-CBC-CRC added to keytab WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type DES-CBC-CRC added to keytab WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.
}}}
Note that ktadd randomizes the principal's key and increments its kvno each time it runs, so an older keytab for the same principal stops working. The DES-CBC-CRC entries in this output are a direct consequence of the supported_enctypes list above.

6. Start the KDC and kadmind[[BR]]
{{{
# /usr/local/sbin/krb5kdc
# /usr/local/sbin/kadmind
}}}

7. So that every machine in the cluster has the Kerberos tools, install the Kerberos programs on each cluster machine and give each one the /etc/krb5.conf configuration file. No other configuration is needed on the clients.

8. First, on the KDC, add a new administrator for Kerberos, hadoop/admin:[[BR]]
{{{
# /usr/local/sbin/kadmin.local
kadmin.local: addprinc hadoop/admin@PCONLINE
Enter password for principal "hadoop/admin@PCONLINE":
Re-enter password for principal "hadoop/admin@PCONLINE":
Principal "hadoop/admin@PCONLINE" created.
}}}

9. On each machine, add the hadoop principals. Run kadmin on the machine itself (authenticating as hadoop/admin@PCONLINE, which the ACL from step 4 covers), so that the keytab ktadd writes ends up on that machine:
{{{
/usr/local/bin/kadmin
addprinc -randkey host/hadooptest-11-64@PCONLINE
addprinc -randkey host/hadooptest-11-64.pconline.ctc@PCONLINE
addprinc -randkey hadoop/hadooptest-11-64@PCONLINE
addprinc -randkey hadoop/hadooptest-11-64.pconline.ctc@PCONLINE
}}}
I don't know why two are needed; probably because there is no DNS. Every machine has to be configured this way.

ktadd can only extract keys for principals that already exist, so the fully qualified host principal must be created too before the ktadd below, which names all of them:
{{{
ktadd -k /data/hadoop-1.0.3/conf/hadoop.keytab hadoop/hadooptest-11-64.pconline.ctc@PCONLINE host/hadooptest-11-64.pconline.ctc@PCONLINE hadoop/hadooptest-11-64@PCONLINE host/hadooptest-11-64@PCONLINE
}}}
The keytab holds long-term keys for this host; make it owned by the hadoop user and readable by nobody else (mode 0400), because anyone who can read it can impersonate the host's hadoop service to the cluster.

----
View the contents of the keytab file[[BR]]
{{{
/usr/local/bin/klist -e -k -t hadoop.keytab
}}}
-e shows the encryption type of each entry, so this is also where you confirm that no single-DES keys were written.
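The following is an added example, not code from the original page or from the krb5 project: a small POSIX shell audit of the kdc.conf from step 2, run over a constructed copy of its realm stanza. It flags the settings a reviewer would question (single-DES enctypes, Kerberos 4 compatibility via v4_mode, no AES enctype offered, any realm whose default_principal_flags lacks +preauth) and writes a hardened copy that passes the same audit. The function names, the sample file and the temporary paths are this example's own assumptions.

```shell
#!/bin/sh
# Added example: audit a kdc.conf for weak settings and emit a hardened copy.
# Function and variable names are this example's own, not krb5 tooling.

# Constructed copy of the realm stanza from the page's kdc.conf (sample input).
write_sample_kdc_conf() {
  cat > "$1" <<'EOF'
[kdcdefaults]
 v4_mode = nopreauth
 kdc_ports = 750,88
 kdc_tcp_ports = 88

[realms]
 PCONLINE = {
  acl_file = /usr/local/var/krb5kdc/kadm5.acl
  admin_keytab = /usr/local/var/krb5kdc/kadm5.keytab
  max_life = 1d 0h 0m 0s
  max_renewable_life = 7d 0h 0m 0s
  supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm
  default_principal_flags = +preauth
 }
EOF
}

# weak_enctypes FILE: print every supported_enctypes token that is single DES
# (des, des-cbc-crc, des-cbc-md5, ...). des3-* is deliberately not matched.
weak_enctypes() {
  sed -n 's/^[[:space:]]*supported_enctypes[[:space:]]*=[[:space:]]*//p' "$1" \
    | tr ' ' '\n' \
    | grep -E '^(des|des-cbc-[a-z0-9]+)(:|$)' || true
}

# audit_kdc_conf FILE: print one FINDING line per weak setting; always exits 0
# so callers can count the lines.
audit_kdc_conf() {
  f=$1
  if grep -Eq '^[[:space:]]*v4_mode[[:space:]]*=' "$f"; then
    echo "FINDING: v4_mode enables Kerberos 4 compatibility; remove it"
  fi
  n=$(weak_enctypes "$f" | grep -c . || true)
  if [ "$n" -gt 0 ]; then
    echo "FINDING: $n single-DES enctype(s) in supported_enctypes; DES is broken"
  fi
  if ! grep -Eq '^[[:space:]]*supported_enctypes.*aes(128|256)-cts' "$f"; then
    echo "FINDING: no AES enctype offered; add aes256-cts-hmac-sha1-96 / aes128-cts-hmac-sha1-96"
  fi
  if ! grep -Eq '^[[:space:]]*default_principal_flags[[:space:]]*=.*\+preauth' "$f"; then
    echo "FINDING: default_principal_flags lacks +preauth; new principals would be AS-REP roastable"
  fi
  return 0
}

# harden_kdc_conf IN OUT: drop v4_mode and replace the enctype list with AES only.
harden_kdc_conf() {
  sed -e '/^[[:space:]]*v4_mode[[:space:]]*=/d' \
      -e 's/^\([[:space:]]*\)supported_enctypes[[:space:]]*=.*/\1supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal/' \
      "$1" > "$2"
}

# Stand-alone run: audit the sample, harden it, audit the result.
sample=$(mktemp) && hardened=$(mktemp)
write_sample_kdc_conf "$sample"
echo "before hardening:"; audit_kdc_conf "$sample"
harden_kdc_conf "$sample" "$hardened"
echo "after hardening:";  audit_kdc_conf "$hardened"
rm -f "$sample" "$hardened"
```

The hardened enctype list drops des3 as well as DES; if the cluster's JVM is an older JDK, aes256 needs the JCE Unlimited Strength policy files installed, while aes128 works out of the box, so keep both entries until that is confirmed on every node. Existing principals keep their old keys until they are rekeyed (cpw or ktadd), so change the list first and then regenerate the keytabs.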
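As a second added example for steps 7 to 9 (again this page's editor's code, not Hadoop's or krb5's), the per-host work is generated rather than typed four times: one function emits the kadmin batch for a host (host/ and hadoop/ principals in both short and fully qualified form, then a single ktadd so each principal's key is rotated only once), another repeats it for the whole cluster, and a third checks a `klist -e -k -t` listing for principals that are missing or that have only single-DES keys. The listing is a constructed sample in the format klist prints; the function names and keytab path are this example's own assumptions.

```shell
#!/bin/sh
# Added example: generate the kadmin batch for cluster hosts and verify the
# resulting keytab listing. Names here are this example's own.

# host_batch SHORTHOST DOMAIN REALM KEYTAB: kadmin commands for one host.
host_batch() {
  short=$1; fqdn="$1.$2"; realm=$3; keytab=$4
  for svc in host hadoop; do
    for name in "$fqdn" "$short"; do
      printf 'addprinc -randkey %s/%s@%s\n' "$svc" "$name" "$realm"
    done
  done
  # One ktadd for all four principals: each key is randomized exactly once.
  printf 'ktadd -k %s host/%s@%s host/%s@%s hadoop/%s@%s hadoop/%s@%s\n' \
    "$keytab" "$fqdn" "$realm" "$short" "$realm" "$fqdn" "$realm" "$short" "$realm"
}

# cluster_batch REALM DOMAIN KEYTAB HOST...: the batch for every host in turn.
cluster_batch() {
  realm=$1; domain=$2; keytab=$3; shift 3
  for h in "$@"; do host_batch "$h" "$domain" "$realm" "$keytab"; done
}

# Constructed sample of `klist -e -k -t hadoop.keytab` output for one host.
# It deliberately lacks host/<short> and gives hadoop/<fqdn> only a DES key.
write_sample_listing() {
  cat > "$1" <<'EOF'
Keytab name: FILE:hadoop.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 09/10/12 15:20:01 host/hadooptest-11-64.pconline.ctc@PCONLINE (Triple DES cbc mode with HMAC/sha1)
   2 09/10/12 15:20:01 host/hadooptest-11-64.pconline.ctc@PCONLINE (DES cbc mode with CRC-32)
   2 09/10/12 15:20:01 hadoop/hadooptest-11-64.pconline.ctc@PCONLINE (DES cbc mode with CRC-32)
   2 09/10/12 15:20:01 hadoop/hadooptest-11-64@PCONLINE (Triple DES cbc mode with HMAC/sha1)
EOF
}

# verify_keytab LISTING PRINC...: one FINDING per principal that is absent from
# the listing or has only single-DES entries ("(DES cbc mode" lines; the
# "(Triple DES" lines are not matched). Always exits 0 so callers can count.
verify_keytab() {
  listing=$1; shift
  for p in "$@"; do
    entries=$(grep -F " $p " "$listing" || true)
    if [ -z "$entries" ]; then
      echo "FINDING: $p missing from keytab"
    elif ! printf '%s\n' "$entries" | grep -F -v '(DES cbc mode' | grep -q .; then
      echo "FINDING: $p has only single-DES keys"
    fi
  done
  return 0
}

# Stand-alone run: show the batch for one host, then verify the sample listing.
host_batch hadooptest-11-64 pconline.ctc PCONLINE /data/hadoop-1.0.3/conf/hadoop.keytab
l=$(mktemp); write_sample_listing "$l"
verify_keytab "$l" host/hadooptest-11-64.pconline.ctc@PCONLINE host/hadooptest-11-64@PCONLINE \
  hadoop/hadooptest-11-64.pconline.ctc@PCONLINE hadoop/hadooptest-11-64@PCONLINE
rm -f "$l"
```

On a cluster host the batch is fed to kadmin, which reads its commands from standard input, for example `host_batch hadooptest-11-64 pconline.ctc PCONLINE /data/hadoop-1.0.3/conf/hadoop.keytab | /usr/local/bin/kadmin -p hadoop/admin@PCONLINE`, so that the keytab is written locally and never copied over the network; afterwards run `klist -e -k -t` on it and pass the output to verify_keytab with the four principals the host needs. A finding for a missing principal means an addprinc was skipped; a single-DES finding means the KDC's supported_enctypes still offers nothing stronger.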