1. Upgrade first, then install the server by running the following command
yum install krb5-server krb5-libs krb5-workstation
2. Modify three configuration files
First file: /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = HQGF.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 HQGF.COM = {
  kdc = master
  admin_server = master
 }

[domain_realm]
 .example.com = HQGF.COM
 example.com = HQGF.COM
Second file: /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 HQGF.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
Third file: /var/kerberos/krb5kdc/kadm5.acl (note that the trailing "*" must not be joined to the preceding characters; it has to be separated by a space)
*/admin@HQGF.COM *
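As an added check that is not part of the original post, the following POSIX shell script parses a kdc.conf like the one above and flags the single-DES, 3DES and RC4 entries in supported_enctypes (deprecated by RFC 6649 and RFC 8429), then emits an AES-only replacement line; the embedded text is a constructed copy of this page's kdc.conf, not a live file.

```shell
#!/bin/sh
# Constructed sample: a copy of the kdc.conf shown on this page.
SAMPLE_KDC_CONF='[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 HQGF.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }'

# weak_enctypes CONF_TEXT
# Prints, one per line, every enctype in supported_enctypes whose name
# starts with des-, des3-, arcfour- or rc4- (the deprecated families).
weak_enctypes() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*supported_enctypes[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")          # keep only the value part
            n = split($0, ent, "[ \t]+")            # "enctype:salttype" tokens
            for (i = 1; i <= n; i++) {
                split(ent[i], kv, ":")
                if (kv[1] ~ /^(des-|des3-|arcfour-|rc4-)/) print kv[1]
            }
        }'
}

# hardened_line CONF_TEXT
# Rebuilds the supported_enctypes line keeping only the aes* entries.
hardened_line() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*supported_enctypes[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")
            n = split($0, ent, "[ \t]+"); out = ""
            for (i = 1; i <= n; i++)
                if (ent[i] ~ /^aes/) out = out (out == "" ? "" : " ") ent[i]
            print "supported_enctypes = " out
        }'
}

# Audit the constructed sample.
weak_enctypes "$SAMPLE_KDC_CONF"
hardened_line "$SAMPLE_KDC_CONF"
```

To audit the real KDC, call `weak_enctypes "$(cat /var/kerberos/krb5kdc/kdc.conf)"` on the KDC host; clients whose krb5.conf still lists only DES or RC4 will fail to authenticate once those entries are dropped, so change the KDC and the clients together.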
3. Create the Kerberos database
/usr/sbin/kdb5_util create -s -r HQGF.COM
4. Start the services
service krb5kdc start
service kadmin start
5. Enable the services at boot
chkconfig krb5kdc on
chkconfig kadmin on
6. Add a principal
[root@ws1es ~]# kadmin.local
Authenticating as principal root/admin@HQGF.COM with password.
kadmin.local: addprinc admin/admin@HQGF.COM
WARNING: no policy specified for admin/admin@HQGF.COM; defaulting to no policy
Enter password for principal "admin/admin@HQGF.COM":
Re-enter password for principal "admin/admin@HQGF.COM":
Principal "admin/admin@HQGF.COM" created.
kadmin.local: listprincs
K/M@HQGF.COM
admin/admin@HQGF.COM
kadmin/admin@HQGF.COM
kadmin/changepw@HQGF.COM
kadmin/[email protected]
krbtgt/HQGF.COM@HQGF.COM
7. Restart the service
service kadmin restart
8. Download the JCE
Note 1: JCE (Java Cryptography Extension) is a set of packages that provide a framework and implementations for encryption, key generation and agreement, and Message Authentication Code (MAC) algorithms. It provides encryption support for symmetric, asymmetric, block and stream ciphers, and also supports secure streams and sealed objects. It is subject to export restrictions; code developed and packaged against it cannot be invoked without it.
Note 2: If you are using Oracle JDK, you must distribute and install the JCE on all hosts in the cluster, including the Ambari Server. Be sure to restart Ambari Server after installing the JCE. If you are using OpenJDK, some distributions of the OpenJDK come with unlimited strength JCE automatically and therefore installation of JCE is not required.
For Oracle JDK 1.8: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
For Oracle JDK 1.7: http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
Unzip the downloaded JCE and overwrite the files under $JAVA_HOME/jre/lib/security/ with it (on all nodes).
9.
10.
11.
12.
13.
14.
15.
16.
17. After the installation succeeds, view the principals and keytabs that were created automatically
[root@master krb5kdc]# kadmin.local
Authenticating as principal root/admin@HQGF.COM with password.
kadmin.local: listprincs
HTTP/[email protected]
HTTP/[email protected]
HTTP/[email protected]
HTTP/[email protected]
HTTP/[email protected]
HTTP/[email protected]
K/M@HQGF.COM
activity_explorer/[email protected]
activity_explorer/[email protected]
admin/admin@HQGF.COM
[email protected]
[email protected]
amshbase/[email protected]
amszk/[email protected]
dn/[email protected]
dn/[email protected]
dn/[email protected]
[email protected]
hbase/[email protected]
hbase/[email protected]
[email protected]
hive/[email protected]
hive/[email protected]
hive/[email protected]
hive/[email protected]
hive/[email protected]
jhs/[email protected]
jn/[email protected]
jn/[email protected]
jn/[email protected]
kadmin/admin@HQGF.COM
kadmin/changepw@HQGF.COM
kadmin/[email protected]
kafka/[email protected]
kafka/[email protected]
kafka/[email protected]
kiprop/[email protected]
krbtgt/HQGF.COM@HQGF.COM
livy/[email protected]
livy/[email protected]
nfs/[email protected]
nfs/[email protected]
nm/[email protected]
nm/[email protected]
nm/[email protected]
nn/[email protected]
nn/[email protected]
oozie/[email protected]
rangeradmin/[email protected]
rangerkms/[email protected]
rangerlookup/[email protected]
rangertagsync/[email protected]
rangerusersync/[email protected]
rm/[email protected]
rm/[email protected]
[email protected]
yarn/[email protected]
zookeeper/[email protected]
zookeeper/[email protected]
zookeeper/[email protected]
zookeeper/[email protected]