Version 3 (modified by liaojiaohe, 14 years ago)
To learn about Kerberos beyond its official site, I searched for a long time; the better Chinese-language explanation turned out to be in the Oracle Solaris documentation. Big companies really are big companies.
Pick one machine to be the KDC; in the test environment this is 192.168.11.63 - hadooptest-11-63.pconline.ctc.
There are four client machines:
- 192.168.11.64 - hadooptest-11-64.pconline.ctc
- 192.168.11.65 - hadooptest-11-65.pconline.ctc
- 192.168.11.66 - hadooptest-11-66.pconline.ctc
- 192.168.11.67 - hadooptest-11-67.pconline.ctc
```shell
tar -zxvf krb5-1.10.3.tar.gz
cd krb5-1.10.3/src
./configure
make
make install
```
1. Edit the /etc/krb5.conf file on 11.63:
```ini
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = PCONLINE
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
PCONLINE = {
kdc = hadooptest-11-63.pconline.ctc:88
admin_server = hadooptest-11-63.pconline.ctc:749
default_domain = pconline.ctc
}
[domain_realm]
.pconline.ctc = PCONLINE
pconline.ctc = PCONLINE
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
```
2. Create the /usr/local/var/krb5kdc/kdc.conf file:
```ini
[kdcdefaults]
v4_mode = nopreauth
kdc_ports = 750,88
kdc_tcp_ports = 88
[realms]
PCONLINE = {
acl_file = /usr/local/var/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /usr/local/var/krb5kdc/kadm5.keytab
kdc_ports = 750,88
max_life = 1d 0h 0m 0s
max_renewable_life = 7d 0h 0m 0s
supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm
default_principal_flags = +preauth
}
```
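The two configuration files above use the MIT profile syntax (sections in brackets, `key = value`, nested blocks opened by `= {` and closed by `}`). The script below is an added example, not code from this page or from MIT krb5: it parses that syntax and audits the kdc.conf against the krb5.conf, reporting the realm-level settings a KDC operator would want to double-check before going live (the single-DES and triple-DES enctypes listed under `supported_enctypes`, the `v4_mode` setting, port 750, and a missing `+preauth`). `KDC_CONF` and `KRB5_CONF` are the page's own files; `HARDENED_KDC_CONF` is a constructed AES-only variant, and the list of enctypes treated as weak is this example's assumption based on what current MIT releases deprecate.

```python
"""Audit a krb5.conf / kdc.conf pair for realm settings worth a second look.
Added example; not the page's own code and not part of MIT krb5."""

# kdc.conf as written on this page.
KDC_CONF = """\
[kdcdefaults]
v4_mode = nopreauth
kdc_ports = 750,88
kdc_tcp_ports = 88
[realms]
PCONLINE = {
acl_file = /usr/local/var/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /usr/local/var/krb5kdc/kadm5.keytab
kdc_ports = 750,88
max_life = 1d 0h 0m 0s
max_renewable_life = 7d 0h 0m 0s
supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm
default_principal_flags = +preauth
}
"""

# Constructed hardened variant (assumption: AES-only, Kerberos 4 support removed).
HARDENED_KDC_CONF = """\
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
PCONLINE = {
acl_file = /usr/local/var/krb5kdc/kadm5.acl
admin_keytab = /usr/local/var/krb5kdc/kadm5.keytab
max_life = 1d 0h 0m 0s
max_renewable_life = 7d 0h 0m 0s
supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
default_principal_flags = +preauth
}
"""

# The parts of the page's krb5.conf the audit needs.
KRB5_CONF = """\
[libdefaults]
default_realm = PCONLINE
dns_lookup_kdc = false
[realms]
PCONLINE = {
kdc = hadooptest-11-63.pconline.ctc:88
admin_server = hadooptest-11-63.pconline.ctc:749
}
[domain_realm]
.pconline.ctc = PCONLINE
"""

# Enctype names this example treats as deprecated (single DES, triple DES, RC4).
WEAK_ENCTYPES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
                 "des3-cbc-sha1", "des3-hmac-sha1", "des3-cbc-sha1-kd",
                 "arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac"}


def parse_profile(text):
    """Parse profile text into {section: {key: [values] or nested dict}}.
    Repeated keys keep every value, since several 'kdc =' lines are legal."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [root.setdefault(line[1:-1], {})]
        elif not stack:
            raise ValueError("setting outside any section: %r" % raw)
        elif line == "}":
            stack.pop()                           # close the innermost { } block
        else:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1].setdefault(key, []).append(value)
    return root


def weak_enctypes(profile, realm):
    """Sorted list of deprecated enctype names in the realm's supported_enctypes."""
    realm_cfg = profile.get("realms", {}).get(realm, {})
    found = set()
    for setting in realm_cfg.get("supported_enctypes", []):
        for token in setting.split():             # token looks like "des-cbc-crc:normal"
            enctype = token.split(":", 1)[0]
            if enctype in WEAK_ENCTYPES:
                found.add(enctype)
    return sorted(found)


def audit(krb5, kdc):
    """Return human-readable findings for the default realm; [] means nothing flagged."""
    findings = []
    default_realm = krb5.get("libdefaults", {}).get("default_realm", [None])[0]
    if default_realm is None:
        return ["krb5.conf: no default_realm"]
    if default_realm not in kdc.get("realms", {}):
        return ["kdc.conf: no [realms] block for %s" % default_realm]
    if default_realm not in krb5.get("realms", {}):
        findings.append("krb5.conf: no [realms] block for %s" % default_realm)
    realm_cfg = kdc["realms"][default_realm]
    for enctype in weak_enctypes(kdc, default_realm):
        findings.append("kdc.conf: deprecated enctype %s in supported_enctypes" % enctype)
    flags = " ".join(realm_cfg.get("default_principal_flags", [])).split()
    if "+preauth" not in flags:
        findings.append("kdc.conf: default_principal_flags lacks +preauth")
    defaults = kdc.get("kdcdefaults", {})
    if "v4_mode" in defaults:
        findings.append("kdc.conf: v4_mode is set (Kerberos 4 compatibility)")
    ports = set()
    for setting in defaults.get("kdc_ports", []) + realm_cfg.get("kdc_ports", []):
        ports.update(p.strip() for p in setting.split(","))
    if "750" in ports:
        findings.append("kdc.conf: port 750 (Kerberos 4) is enabled")
    return findings


if __name__ == "__main__":
    for label, text in (("page kdc.conf", KDC_CONF), ("hardened kdc.conf", HARDENED_KDC_CONF)):
        print(label)
        for line in audit(parse_profile(KRB5_CONF), parse_profile(text)) or ["nothing flagged"]:
            print("  " + line)
```

Run against the page's files the audit flags five items (three deprecated enctypes, `v4_mode`, and port 750); against the constructed AES-only variant it flags nothing. The parser is deliberately strict about settings outside a section, which is the usual cause of a KDC that starts but serves an empty realm.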
3. Create the Kerberos database:
```shell
# /usr/local/sbin/kdb5_util create -r PCONLINE -s
```
4. In the /usr/local/var/krb5kdc/ directory, create the kadm5.acl file with the following content:
```
*/admin@… *
```
5. Set up the initial principals on the KDC. This requires running the kadmin.local command on the KDC (it only runs on the KDC itself; to administer Kerberos from another machine, run kadmin instead):
```
# /usr/local/sbin/kadmin.local
kadmin.local: addprinc admin/admin@PCONLINE
Enter password for principal "admin/admin@PCONLINE":
Re-enter password for principal "admin/admin@PCONLINE":
Principal "admin/admin@PCONLINE" created.
```
Generate the admin keytab file:
```
kadmin.local: ktadd -k /usr/local/var/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw
Entry for principal kadmin/admin with kvno 3, encryption type DES-CBC-CRC added to keytab WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type DES-CBC-CRC added to keytab WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.
```
6. Start the KDC and kadmind:
```shell
# /usr/local/sbin/krb5kdc
# /usr/local/sbin/kadmind
```
7. So that every machine in the cluster has the Kerberos tools, install the Kerberos programs on each cluster machine and give it the /etc/krb5.conf configuration file; no other configuration is needed.
8. First, on the KDC, add a new Kerberos administrator hadoop/admin:
```
# /usr/local/sbin/kadmin.local
kadmin.local: addprinc hadoop/admin@PCONLINE
Enter password for principal "hadoop/admin@PCONLINE":
Re-enter password for principal "hadoop/admin@PCONLINE":
Principal "hadoop/admin@PCONLINE" created.
```
9. Add the hadoop principals for each machine:
```
/usr/local/bin/kadmin
addprinc -randkey host/hadooptest-11-64@PCONLINE
addprinc -randkey host/hadooptest-11-64.pconline.ctc@PCONLINE
addprinc -randkey hadoop/hadooptest-11-64@PCONLINE
addprinc -randkey hadoop/hadooptest-11-64.pconline.ctc@PCONLINE
```
I don't know why two are needed (short name and FQDN); perhaps something was misconfigured earlier. This has to be done for every machine.
```
ktadd -k /data/hadoop-1.0.3/conf/hadoop.keytab hadoop/hadooptest-11-64.pconline.ctc@PCONLINE host/hadooptest-11-64.pconline.ctc@PCONLINE hadoop/hadooptest-11-64@PCONLINE host/hadooptest-11-64@PCONLINE
```
Inspect the contents of the keytab file:
```shell
/usr/local/bin/klist -e -k -t hadoop.keytab
```
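`klist -e -k -t` reads the keytab file format directly, and it helps to know what is in that file, because whoever can read it holds the long-term keys of every principal listed. The script below is an added example, not code from this page or from MIT krb5: it serializes and parses the MIT keytab format (version 0x0502, big-endian; per entry a signed 32-bit size, the realm and name components as length-prefixed strings, name type, timestamp, an 8-bit vno, the keyblock, and an optional trailing 32-bit vno), prints the entries the way `klist -e -k -t` lists them, and flags entries keyed with deprecated enctypes such as the des-cbc-crc ones that step 5 produced. The principals match the page; the key bytes, kvnos and timestamps in `SAMPLE_ENTRIES` are constructed dummies, and the set of enctype numbers treated as weak is this example's assumption.

```python
"""Build and parse an MIT-format (0x0502) keytab, list it klist-style, and flag
weak enctypes.  Added example; not the page's code and not part of MIT krb5.
All key material below is constructed dummy bytes."""
import struct
import time

# RFC 3961 / MIT enctype numbers likely to appear in a keytab.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 2, 3, 16, 23}     # assumption: single DES, triple DES, RC4
NT_PRINCIPAL = 1

# Constructed sample: (principal, kvno, enctype number, key bytes, timestamp).
SAMPLE_ENTRIES = [
    ("hadoop/hadooptest-11-64.pconline.ctc@PCONLINE", 3, 18, bytes(range(32)), 1351000000),
    ("host/hadooptest-11-64.pconline.ctc@PCONLINE", 3, 1, b"\x01\x02\x04\x07\x08\x0b\x0d\x0e", 1351000000),
    ("hadoop/hadooptest-11-64@PCONLINE", 300, 17, bytes(range(16)), 1351000100),  # kvno > 255
]


def _counted(data):
    """Length-prefixed octet string as used inside keytab entries."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Serialize entries into keytab bytes (version 0x0502)."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key, timestamp in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        # name_type, timestamp, 8-bit vno; the full vno follows the keyblock as 32 bits
        body += struct.pack(">IIB", NT_PRINCIPAL, timestamp, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out


def _read_counted(data, pos):
    (length,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + length].decode(), pos + length


def parse_keytab(data):
    """Return one dict per live entry, in file order."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                  # negative size marks a deleted slot of that length
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        components = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            components.append(comp)
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, keylen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + keylen]
        pos += keylen
        kvno = vno8
        if end - pos >= 4:            # optional 32-bit vno; zero means "use the 8-bit one"
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append({"principal": "/".join(components) + "@" + realm, "kvno": kvno,
                        "enctype_num": enctype, "timestamp": timestamp, "key": key,
                        "enctype": ENCTYPE_NAMES.get(enctype, "etype %d" % enctype)})
    return entries


def weak_entries(entries):
    """Principals whose key in this keytab uses a deprecated enctype."""
    return [e["principal"] for e in entries if e["enctype_num"] in WEAK_ENCTYPES]


def format_like_klist(entries):
    """Lines in the spirit of 'klist -e -k -t' (header plus one line per entry)."""
    lines = ["KVNO Timestamp           Principal"]
    for e in entries:
        stamp = time.strftime("%m/%d/%Y %H:%M:%S", time.gmtime(e["timestamp"]))
        lines.append("%4d %s %s (%s)" % (e["kvno"], stamp, e["principal"], e["enctype"]))
    return lines


if __name__ == "__main__":
    parsed = parse_keytab(build_keytab(SAMPLE_ENTRIES))
    print("\n".join(format_like_klist(parsed)))
    for principal in weak_entries(parsed):
        print("WEAK enctype:", principal)
```

The third sample entry has kvno 300, which does not fit the 8-bit vno field; the parser shows why the trailing 32-bit vno must be honoured, since a keytab read by the 8-bit field alone would report kvno 44 and fail to match the KDC's key version. To read a real file, replace the `build_keytab(...)` call with `open(path, "rb").read()`.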