Installing FreeIPA with Ambari

Environment: Ambari-2.4.2, HDP-2.5.3, CentOS 6.5

FreeIPA bundles Kerberos, LDAP and other services. After some research it looked suitable for authentication and centralized user management, with all users stored in FreeIPA's LDAP.

1. Set up a DNS server
http://www.funet8.com/2282.html
http://blog.csdn.net/senvenks/article/details/39829081
https://my.oschina.net/u/142602/blog/186481
http://blog.csdn.net/charlsecharlse/article/details/17955119

[root@hdp named]# cat /etc/named.rfc1912.zones 
...
zone "wondersoft.cn" IN {
        type master;
        file "wondersoft.cn.zone";
};

[root@hdp named]# cat wondersoft.cn.zone
@   IN SOA wondersoft.cn hdp.wondersoft.cn. (
                15  ; serial
                2D  ; refresh
                4H  ; retry
                6W  ; expiry
                1W )    ; minimum

@   IN NS  hdp.wondersoft.cn.
hdp IN A 192.168.1.68
ws1es   IN A 192.168.1.66
ws1m    IN A 192.168.1.65
ws1nn1  IN A 192.168.1.64
ws1dn1  IN A 192.168.1.61
ws1dn2  IN A 192.168.1.62
ws1dn3  IN A 192.168.1.63
ws2m    IN A 192.168.1.67
kdc IN A 192.168.1.69

; ldap servers
_ldap._tcp              IN SRV 0 100 389    ws1dn3.wondersoft.cn.

; kerberos realm
_kerberos               IN TXT WONDERSOFT.CN

; kerberos servers
_kerberos._tcp          IN SRV 0 100 88 ws1dn3.wondersoft.cn.
_kerberos._udp          IN SRV 0 100 88 ws1dn3.wondersoft.cn.
_kerberos-master._tcp   IN SRV 0 100 88 ws1dn3.wondersoft.cn.
_kerberos-master._udp   IN SRV 0 100 88 ws1dn3.wondersoft.cn.
_kpasswd._tcp           IN SRV 0 100 464    ws1dn3.wondersoft.cn.
_kpasswd._udp           IN SRV 0 100 464    ws1dn3.wondersoft.cn.

Watch the spaces and tabs.

[root@hdp named]# service named restart
停止 named[确定]
启动 named[确定]
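As an added check that is not part of the original post, the script below parses a zone file in the format shown above and verifies that the Kerberos and LDAP discovery records (SRV ports, the _kerberos TXT realm, and A records for every SRV target) are consistent before named is restarted. ZONE_TEXT is a constructed copy of the post's records; the SOA block is omitted because the parser skips it anyway.

```python
# Added example (not from the original post): consistency check for a BIND zone
# file like wondersoft.cn.zone above. ZONE_TEXT is a constructed copy of its records.
ZONE_TEXT = """\
$TTL 86400
@   IN NS  hdp.wondersoft.cn.
hdp IN A 192.168.1.68
ws1dn3  IN A 192.168.1.63
_ldap._tcp              IN SRV 0 100 389    ws1dn3.wondersoft.cn.
_kerberos               IN TXT WONDERSOFT.CN
; kerberos servers
_kerberos._tcp          IN SRV 0 100 88 ws1dn3.wondersoft.cn.
_kerberos._udp          IN SRV 0 100 88 ws1dn3.wondersoft.cn.
_kerberos-master._tcp   IN SRV 0 100 88 ws1dn3.wondersoft.cn.
_kerberos-master._udp   IN SRV 0 100 88 ws1dn3.wondersoft.cn.
_kpasswd._tcp           IN SRV 0 100 464    ws1dn3.wondersoft.cn.
_kpasswd._udp           IN SRV 0 100 464    ws1dn3.wondersoft.cn.
"""
# Ports the FreeIPA/Kerberos discovery records are expected to advertise.
EXPECTED_PORTS = {"_kerberos": 88, "_kerberos-master": 88, "_kpasswd": 464, "_ldap": 389}

def parse_zone(text):
    """Return (A records, SRV records, TXT records); comments and SOA lines are skipped."""
    a, srv, txt = {}, [], {}
    for raw in text.splitlines():
        tok = raw.split(";", 1)[0].split()  # drop comments; split() accepts spaces and tabs alike
        if len(tok) < 4 or tok[1] != "IN":  # blanks, $TTL and SOA continuation lines
            continue
        if tok[2] == "A":
            a[tok[0]] = tok[3]
        elif tok[2] == "SRV" and len(tok) == 7:  # name IN SRV prio weight port target
            srv.append((tok[0], int(tok[5]), tok[6]))
        elif tok[2] == "TXT":
            txt[tok[0]] = tok[3]
    return a, srv, txt

def check_zone(text, domain):
    """Return a list of problems; an empty list means the discovery records are consistent."""
    a, srv, txt = parse_zone(text)
    problems = []
    realm = txt.get("_kerberos")
    if realm != domain.upper():
        problems.append("_kerberos TXT should be %s, got %r" % (domain.upper(), realm))
    for name, port, target in srv:
        if EXPECTED_PORTS.get(name.split(".")[0]) != port:
            problems.append("%s uses port %d" % (name, port))
        host = target.rstrip(".")
        short = host[: -len(domain) - 1] if host.endswith("." + domain) else host
        if short not in a:  # every SRV target must resolve inside this zone
            problems.append("%s target %s has no A record" % (name, target))
    return problems
```

The parser only understands the "name IN type ..." layout used in this post; records with an explicit TTL column are skipped rather than checked.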

2. https://github.com/hortonworks-gallery/ambari-freeipa-service
The machine that will run the FreeIPA server needs internet access, the passwords must be at least 8 characters, and the DNS address must be the server installed in step 1.
If the DNS is wrong the install fails with the following error:

ipa         : INFO     The ipa-server-install command failed, exception: NetworkError: cannot connect to 'https://ws1dn3.wondersoft.cn:9444/ca/ee/ca/profileSubmitSSLClient': NSPRError() argument 1 must be string or None, not int
Unexpected error - see /var/log/ipaserver-install.log for details:
NetworkError: cannot connect to 'https://ws1dn3.wondersoft.cn:9444/ca/ee/ca/profileSubmitSSLClient': NSPRError() argument 1 must be string or None, not int)

Some log excerpts follow; you can also install it by hand with the same commands.
FreeIPA also includes its own DNS, which is not the one installed in step 1.
Point it at the upstream DNS server with --forwarder=192.168.1.68

2017-02-22 09:14:35,712 - Installing package *ipa-server ('/usr/bin/yum -d 0 -e 0 -y install '*ipa-server'')
2017-02-22 09:19:26,203 - Version 2.5.3.0-37 was provided as effective cluster version.  Using package version 2_5_3_0_37
2017-02-22 09:19:26,205 - Package['bind'] {'retry_on_repo_unavailability': False, 'retry_count': 5}
2017-02-22 09:19:26,223 - Installing package bind ('/usr/bin/yum -d 0 -e 0 -y install bind')
2017-02-22 09:19:49,179 - Version 2.5.3.0-37 was provided as effective cluster version.  Using package version 2_5_3_0_37
2017-02-22 09:19:49,181 - Package['bind-dyndb-ldap'] {'retry_on_repo_unavailability': False, 'retry_count': 5}
2017-02-22 09:19:49,198 - Installing package bind-dyndb-ldap ('/usr/bin/yum -d 0 -e 0 -y install bind-dyndb-ldap')
2017-02-22 09:38:45,880 - Execute['ipa-server-install --hostname=ws1dn3.wondersoft.cn --domain=wondersoft.cn --realm=WONDERSOFT.CN --ds-password=12345678 --master-password=12345678 --admin-password=12345678 --setup-dns --forwarder=192.168.1.68 --unattended --debug >> /var/log/freeipa-stdout.log'] {}
2017-02-22 09:50:39,021 - Execute['echo 12345678 | kinit admin'] {}

Uninstall:
ipa-server-install --uninstall


3. http://192.168.1.65:8080/#/experimental
Tick enableIpa.
https://community.hortonworks.com/articles/59645/ambari-24-kerberos-with-freeipa.html
4. When installing Kerberos there is now an extra option, Existing IPA.
5. Create the administrator entity (add it to the admins group; you must authenticate first)

kinit admin@WONDERSOFT.CN
ipa user-add hadoopadmin --first=Hadoop --last=Admin
ipa group-add-member admins --users=hadoopadmin
ipa passwd hadoopadmin # change the password

6. Ambari also requires a group to be created called ambari-managed-principals. This group is not currently created by the Ambari Kerberos wizard. Create the group:

ipa group-add ambari-managed-principals
[root@ws1dn3 ~]# ipa group-add ambari-managed-principals
描述: ambari manage
-------------------------------
已添加组"ambari-managed-principals"
-------------------------------
  组名: ambari-managed-principals
  描述: ambari manage
  GID: 390400003

7. Because of the way FreeIPA automatically expires the new password, it is necessary to kinit as hadoopadmin and change the initial password. The password can be set to the same password unless the password policy prohibits password reuse:

kinit hadoopadmin@WONDERSOFT.CN
[root@ws1dn3 ~]# kinit hadoopadmin@WONDERSOFT.CN
Password for hadoopadmin@WONDERSOFT.CN: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 

8. Change the DNS configuration on the FreeIPA host

[root@ws1dn3 named]# cat /etc/named.rfc1912.zones 
...

zone "wondersoft.cn" IN {
        type master;
        file "wondersoft.cn.zone";
};

[root@ws1dn3 named]# cat /var/named/wondersoft.cn.zone 
$TTL 86400
@   IN SOA wondersoft.cn hdp.wondersoft.cn. (
                15  ; serial
                2D  ; refresh
                4H  ; retry
                6W  ; expiry
                1W )    ; minimum

@   IN NS  hdp.wondersoft.cn.
hdp IN A 192.168.1.68
ws1es   IN A 192.168.1.66
ws1m    IN A 192.168.1.65
ws1nn1  IN A 192.168.1.64
ws1dn1  IN A 192.168.1.61
ws1dn2  IN A 192.168.1.62
ws1dn3  IN A 192.168.1.63
ws2m    IN A 192.168.1.67
kdc IN A 192.168.1.69

; ldap servers
_ldap._tcp              IN SRV 0 100 389    ws1dn3.wondersoft.cn.

; kerberos realm
_kerberos               IN TXT WONDERSOFT.CN

; kerberos servers
_kerberos._tcp          IN SRV 0 100 88 ws1dn3.wondersoft.cn.
_kerberos._udp          IN SRV 0 100 88 ws1dn3.wondersoft.cn.
_kerberos-master._tcp   IN SRV 0 100 88 ws1dn3.wondersoft.cn.
_kerberos-master._udp   IN SRV 0 100 88 ws1dn3.wondersoft.cn.
_kpasswd._tcp           IN SRV 0 100 464    ws1dn3.wondersoft.cn.
_kpasswd._udp           IN SRV 0 100 464    ws1dn3.wondersoft.cn.

[root@ws1dn3 named]# service named restart
    停止 named:.                                              [确定]
    启动 named:                                               [确定]

9. Configure the HDP nodes to use the FreeIPA server for DNS resolution (all nodes):

[root@ws1dn1 ~]# cat /etc/resolv.conf 
# Generated by NetworkManager
search wondersoft.cn
#nameserver 8.8.8.8
nameserver 192.168.1.63

10. All nodes in the HDP cluster must have the ipa-client software installed and be joined to the FreeIPA server:

yum -y install ipa-client
[root@ws1dn1 ~]# ipa-client-install --domain=wondersoft.cn  --server=ws1dn3.wondersoft.cn  --realm=WONDERSOFT.CN  [email protected]  --enable-dns-updates

11. On the Ambari server node, install the ipa-admintools package:

yum -y install ipa-admintools
I also configured the IPA client on this machine; it seems to be required.
[root@ws1m ~]# ipa-client-install --domain=wondersoft.cn  --server=ws1dn3.wondersoft.cn  --realm=WONDERSOFT.CN  [email protected]  --enable-dns-updates
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Hostname: ws1m.wondersoft.cn
Realm: WONDERSOFT.CN
DNS Domain: wondersoft.cn
IPA Server: ws1dn3.wondersoft.cn
BaseDN: dc=wondersoft,dc=cn

Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Password for admin@WONDERSOFT.CN: 
Enrolled in IPA realm WONDERSOFT.CN
Attempting to get host TGT...
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm WONDERSOFT.CN
trying https://ws1dn3.wondersoft.cn/ipa/xml
Forwarding 'env' to server u'https://ws1dn3.wondersoft.cn/ipa/xml'
Failed to update DNS records.
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to server u'https://ws1dn3.wondersoft.cn/ipa/xml'
Could not update DNS SSHFP records.
SSSD enabled
Configuring wondersoft.cn as NIS domain
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.

12. Run the Kerberos Wizard

Run the Kerberos wizard from Ambari (Admin -> Kerberos -> Enable Kerberos). Select "Existing IPA" and verify that the prerequisites have been met.


13. Enter the appropriate information into the KDC page and edit the configuration file
[root@ws1dn3 ~]# cat /etc/krb5.conf
Server side:
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = WONDERSOFT.CN
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
 udp_preference_limit = 0

[realms]
 WONDERSOFT.CN = {
  kdc = ws1dn3.wondersoft.cn:88
  master_kdc = ws1dn3.wondersoft.cn:88
  admin_server = ws1dn3.wondersoft.cn:749
  default_domain = wondersoft.cn
  pkinit_anchors = FILE:/etc/ipa/ca.crt
}

[domain_realm]
 .wondersoft.cn = WONDERSOFT.CN
 wondersoft.cn = WONDERSOFT.CN

[dbmodules]
  WONDERSOFT.CN = {
    db_library = ipadb.so
  }

Client side:
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = WONDERSOFT.CN
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  WONDERSOFT.CN = {
    kdc = ws1dn3.wondersoft.cn:88
    master_kdc = ws1dn3.wondersoft.cn:88
    admin_server = ws1dn3.wondersoft.cn:749
    default_domain = wondersoft.cn
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .wondersoft.cn = WONDERSOFT.CN
  wondersoft.cn = WONDERSOFT.CN

Paste the client-side version into the wizard.
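As an added check that is not part of the original post, the parser below reads krb5.conf files in the layout shown above (sections, realm blocks in braces, includedir lines) and confirms that the client-side file you paste into the wizard still names the same kdc, admin_server and pkinit_anchors as the server and maps the domain to the IPA realm. SERVER_CONF is a constructed excerpt of the server file; CLIENT_CONF derives from it by flipping dns_lookup_kdc, as in the post.

```python
# Added example (not from the original post): minimal krb5.conf parser to confirm the
# client file pasted into the wizard matches the server's realm; SERVER_CONF is a constructed excerpt.
SERVER_CONF = """\
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
 default_realm = WONDERSOFT.CN
 dns_lookup_kdc = true
[realms]
 WONDERSOFT.CN = {
  kdc = ws1dn3.wondersoft.cn:88
  admin_server = ws1dn3.wondersoft.cn:749
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 }
[domain_realm]
 .wondersoft.cn = WONDERSOFT.CN
 wondersoft.cn = WONDERSOFT.CN
"""
# The client file differs only in dns_lookup_kdc (and lacks [dbmodules]).
CLIENT_CONF = SERVER_CONF.replace("dns_lookup_kdc = true", "dns_lookup_kdc = false")

def parse_krb5(text):
    """Parse krb5.conf into {section: {key: value | {subkey: value}}}; includedir is skipped."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("includedir"):
            continue
        if line.startswith("[") and line.endswith("]"):  # new section, e.g. [realms]
            section, sub = conf.setdefault(line[1:-1], {}), None
        elif line == "}":  # end of a realm block
            sub = None
        elif line.endswith("= {"):  # start of a realm block, e.g. WONDERSOFT.CN = {
            sub = section.setdefault(line[:-3].strip(), {})
        else:
            key, _, value = line.partition("=")
            (sub if sub is not None else section)[key.strip()] = value.strip()
    return conf

def check_client(client_text, server_text):
    """Return problems found when comparing the client file with the server's realm block."""
    c, s = parse_krb5(client_text), parse_krb5(server_text)
    realm = c.get("libdefaults", {}).get("default_realm")
    problems = []
    if realm not in c.get("realms", {}):
        return ["default_realm %s has no [realms] entry" % realm]
    for key in ("kdc", "admin_server", "pkinit_anchors"):
        if c["realms"][realm].get(key) != s.get("realms", {}).get(realm, {}).get(key):
            problems.append("%s differs from the server's value" % key)
    for name, mapped in c.get("domain_realm", {}).items():
        if mapped != realm:  # every host in the domain must map to the IPA realm
            problems.append("%s maps to %s, expected %s" % (name, mapped, realm))
    return problems
```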

14. (screenshot only in the original post)

15. (screenshot only in the original post)

Afterwards I tried not configuring the IPA client on the machines where the Ambari clients live (actually because the configuration failed there: another machine could join the same FreeIPA server, but this one could not, see below). Installing and configuring ipa-admintools only on the Ambari server machine also worked, but the hosts then have to be added in FreeIPA, see below.

[root@hdp ~]#  ipa-client-install --domain=wondersoft.cn  --server=ws1dn3.wondersoft.cn  --realm=WONDERSOFT.CN  [email protected]  --enable-dns-updates
LDAP Error: Connect error: TLS error -8054:You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
LDAP Error: Connect error: TLS error -8054:You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
Failed to verify that ws1dn3.wondersoft.cn is an IPA Server.
This may mean that the remote server is not up or is not reachable due to network or firewall settings.
Please make sure the following ports are opened in the firewall settings:
     TCP: 80, 88, 389
     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
     TCP: 464
     UDP: 464, 123 (if NTP enabled)
Installation failed. Rolling back changes.
IPA client is not configured on this system.


LDAP now contains the service principals, users and groups.

PS1:

[root@ws1dn3 ~]# kadmin.local -q 'addprinc -pw 12345678 admin/admin' -x ipa-setup-override-restrictions
Authenticating as principal admin/admin@WONDERSOFT.CN with password.
WARNING: no policy specified for admin/admin@WONDERSOFT.CN; defaulting to no policy
Principal "admin/admin@WONDERSOFT.CN" created.
[root@ws1dn3 ~]# vim /var/kerberos/krb5kdc/kadm5.acl 
[root@ws1dn3 ~]# cat /var/kerberos/krb5kdc/kadm5.acl 
*/admin@WONDERSOFT.CN*
[root@ws1dn3 ~]# service krb5kdc restart
停止 Kerberos 5 KDC:                                      [确定]
正在启动 Kerberos 5 KDC:                                  [确定]
[root@ws1dn3 ~]# service kadmin restart
停止 Kerberos 5 Admin Server:                             [确定]
正在启动 Kerberos 5 Admin Server:                         [确定]

PS2:

[root@ws1dn3 named]# cat /etc/resolv.conf
search wondersoft.cn
nameserver 192.168.1.63
[root@ws1dn3 named]# ipa host-add ws2hdp.wondersoft.cn
ipa: ERROR: Host does not have corresponding DNS A record
[root@ws1dn3 named]# vim /var/named/wondersoft.cn.zone 
    add: ws2hdp  IN A 192.168.1.69

[root@ws1dn3 named]# service named restart
停止 named:.                                              [确定]
启动 named:                                               [确定]
[root@ws1dn3 named]# ipa host-add ws2hdp.wondersoft.cn
---------------------------
新增主机 "ws2hdp.wondersoft.cn"
---------------------------
  主机名: ws2hdp.wondersoft.cn
  Principal name: host/ws2hdp.wondersoft.cn@WONDERSOFT.CN
  密码: False
  Keytab: False
  Managed by: ws2hdp.wondersoft.cn
[root@ws1dn3 named]# ipa service-add HTTP/ws2hdp.wondersoft.cn
-------------------------------------------------------
Added service "HTTP/ws2hdp.wondersoft.cn@WONDERSOFT.CN"
-------------------------------------------------------
  Principal: HTTP/ws2hdp.wondersoft.cn@WONDERSOFT.CN
  Managed by: ws2hdp.wondersoft.cn
[root@ws1dn3 named]# ipa service-del HTTP/ws2hdp.wondersoft.cn
---------------------------------------------------------
Deleted service "HTTP/ws2hdp.wondersoft.cn@WONDERSOFT.CN"
---------------------------------------------------------
[root@ws1dn3 named]# ipa host-del ws2hdp.wondersoft.cn
----------------------------
已删除主机 "ws2hdp.wondersoft.cn"
----------------------------

Reference: https://community.hortonworks.com/articles/59645/ambari-24-kerberos-with-freeipa.html


Reposted from blog.csdn.net/dr_guo/article/details/56482000