MIT Kerberos Installation

Copyright notice: this article is the blogger's original work and may not be reproduced without the blogger's permission. https://blog.csdn.net/tom_fans/article/details/89152092

Installation can be done either by compiling the source code or directly through yum; three packages are involved:

yum install krb5-server krb5-libs krb5-workstation

Kerberos mainly uses the following configuration files:

krb5.conf

kdc.conf

acl_file

key_stash_file

database_name (the database file)

Once the software is installed, the next step is configuration. krb5.conf and kdc.conf are the two main configuration files; the other three files are referenced from inside kdc.conf. Here is a demo:

kdc.conf:

[kdcdefaults]
    kdc_ports = 88
    kdc_tcp_ports = 88

[realms]
    TRINASOLAR.COM = {
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = aes256-cts
        supported_enctypes = aes256-cts:normal aes128-cts:normal
        database_name = /data/krb/var/krb5kdc/principal
        acl_file = /data/krb/var/krb5kdc/kadm5.acl
        key_stash_file = /data/krb/var/krb5kdc/.TRINASOLAR.COM
        kdc_ports = 88
        kdc_tcp_ports = 88
        max_life = 1d 0h 0m 0s
    }

krb5.conf:

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = TRINASOLAR.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 1d
    renew_lifetime = 7d
    forwardable = true
    udp_preference_limit = 1

[realms]
    TRINASOLAR.COM = {
        kdc = tsczbddbprd3.trinasolar.com
        admin_server = tsczbddbprd3.trinasolar.com
    }

[domain_realm]
    trinasolar.com = TRINASOLAR.COM
    .trinasolar.com = TRINASOLAR.COM

Both files have default locations, normally under /etc. To make sure the right files are picked up, I habitually set the environment variables:

export KRB5_CONFIG=/etc/krb5.conf
export KRB5_KDC_PROFILE=/etc/kdc.conf

The configuration above is basically sufficient, at least for integrating Hadoop with Kerberos.
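Because the two files are maintained separately, they drift apart easily: a realm renamed in one but not the other, a client lifetime above the KDC maximum, or the TCP port line dropped. The following Python script is an added example and not part of the original post. It reads constructed copies of the kdc.conf and krb5.conf shown above with a simplified parser for the MIT profile format (no include directives, no trailing `*` flags) and reports the mismatches that typically surface later as Hadoop authentication errors. The check rules and the defaults assumed for missing keys are this editor's choices, not MIT Kerberos code.

```python
import re

# Constructed copies of the kdc.conf and krb5.conf shown above.
KDC_CONF = """
[kdcdefaults]
    kdc_ports = 88
    kdc_tcp_ports = 88
[realms]
    TRINASOLAR.COM = {
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = aes256-cts
        supported_enctypes = aes256-cts:normal aes128-cts:normal
        database_name = /data/krb/var/krb5kdc/principal
        acl_file = /data/krb/var/krb5kdc/kadm5.acl
        key_stash_file = /data/krb/var/krb5kdc/.TRINASOLAR.COM
        kdc_ports = 88
        kdc_tcp_ports = 88
        max_life = 1d 0h 0m 0s
    }
"""
KRB5_CONF = """
[libdefaults]
    default_realm = TRINASOLAR.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 1d
    renew_lifetime = 7d
    forwardable = true
    udp_preference_limit = 1
[realms]
    TRINASOLAR.COM = {
        kdc = tsczbddbprd3.trinasolar.com
        admin_server = tsczbddbprd3.trinasolar.com
    }
[domain_realm]
    trinasolar.com = TRINASOLAR.COM
    .trinasolar.com = TRINASOLAR.COM
"""
UNITS = {'d': 86400, 'h': 3600, 'm': 60, 's': 1}

def parse_krb5(text):
    """Parse the MIT profile format (INI sections, `key = value`, nested
    `name = { ... }` groups). Simplified: no `include`, no trailing `*` flags."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            stack = [root.setdefault(line[1:-1], {})]
        elif line == '}':
            stack.pop()
        else:
            key, _, value = (p.strip() for p in line.partition('='))
            if value == '{':
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return root

def parse_duration(s):
    """krb5 duration ('1d', '7d 0h 0m 0s', plain seconds '36000') -> seconds."""
    s = s.strip()
    if s.isdigit():
        return int(s)
    return sum(int(n) * UNITS[u] for n, u in re.findall(r'(\d+)\s*([dhms])', s))

def check_configs(krb5_text, kdc_text):
    """Cross-check client and KDC settings; returns a list of findings (empty = consistent)."""
    krb5, kdc = parse_krb5(krb5_text), parse_krb5(kdc_text)
    libd, realms = krb5.get('libdefaults', {}), kdc.get('realms', {})
    realm = libd.get('default_realm')
    if realm not in realms:
        return [f'default_realm {realm} is not defined in kdc.conf [realms]']
    findings = []
    if realm not in krb5.get('realms', {}):
        findings.append(f'krb5.conf has no [realms] entry for {realm}')
    r = realms[realm]
    # Hadoop daemons reach the KDC over TCP: a UDP-only KDC causes auth errors.
    if not (r.get('kdc_tcp_ports') or kdc.get('kdcdefaults', {}).get('kdc_tcp_ports')):
        findings.append('kdc_tcp_ports is unset: the KDC would listen on UDP only')
    # Client requests above the KDC maxima are silently capped; flag the mismatch.
    if parse_duration(libd.get('ticket_lifetime', '1d')) > parse_duration(r.get('max_life', '1d')):
        findings.append('ticket_lifetime exceeds kdc.conf max_life')
    if parse_duration(libd.get('renew_lifetime', '0')) > parse_duration(r.get('max_renewable_life', '0')):
        findings.append('renew_lifetime exceeds kdc.conf max_renewable_life')
    # Single-DES / 3DES enctypes offered by the KDC are a policy finding.
    for enc in r.get('supported_enctypes', '').split():
        if enc.split(':')[0].startswith('des'):
            findings.append(f'weak enctype in supported_enctypes: {enc}')
    # Every domain_realm mapping must point at a realm this KDC serves.
    for dom, target in krb5.get('domain_realm', {}).items():
        if target not in realms:
            findings.append(f'domain_realm maps {dom} to unknown realm {target}')
    return findings
```

Run `check_configs(KRB5_CONF, KDC_CONF)` against the two files above and it returns an empty list; deleting the `kdc_tcp_ports` lines or raising `ticket_lifetime` above `max_life` produces a finding, which is the kind of drift worth catching before the first Hadoop daemon tries to authenticate.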

Next come the three files referenced from kdc.conf: first create the database, then edit the ACL file to add an administrator.

1) Create the database

[root@tsczbddbprd4 data]# kdb5_util create -r TRINASOLAR.COM -s
Loading random data
Initializing database '/data/krb/var/krb5kdc/principal' for realm 'TRINASOLAR.COM',
master key name 'K/M@TRINASOLAR.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: 
Re-enter KDC database master key to verify: 

2) Edit the ACL configuration file

[root@tsczbddbprd4 ~]# cat  /data/krb/var/krb5kdc/kadm5.acl
*/admin@TRINASOLAR.COM   *

Start the Kerberos services:

[root@tsczbddbprd4 data]# krb5kdc
[root@tsczbddbprd4 data]# kadmind
[root@tsczbddbprd4 data]# ps -ef | grep krb5
root     18724     1  0 16:09 ?        00:00:00 krb5kdc
root     18740 15394  0 16:09 pts/0    00:00:00 grep krb5
[root@tsczbddbprd4 data]# ps -ef | grep kadmin
root     18732     1  0 16:09 ?        00:00:00 kadmind
root     18745 15394  0 16:09 pts/0    00:00:00 grep kadmin

Alternatively, check the ports. Pay attention here: you must see a TCP listener. Hadoop, for example, talks to Kerberos over TCP; if only UDP is up, you will get communication errors.

[root@tsczbddbprd4 data]# lsof -i:88
COMMAND   PID USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
krb5kdc 14336 root    7u  IPv4 42900671      0t0  UDP *:kerberos 
krb5kdc 14336 root    8u  IPv6 42900677      0t0  UDP [fe80::20c:29ff:fe3d:3abf]:kerberos 
krb5kdc 14336 root    9u  IPv6 42900680      0t0  TCP *:kerberos (LISTEN)
krb5kdc 14336 root   10u  IPv4 42900681      0t0  TCP *:kerberos (LISTEN)
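To make the port check scriptable, here is an added Python example that is not part of the original post. It parses a constructed copy of the `lsof -i:88` listing above and reports, per protocol, which address families krb5kdc is serving, so a UDP-only KDC is caught before Hadoop fails to authenticate. The column positions assumed are those of the listing shown here.

```python
# Constructed copy of the `lsof -i:88` listing shown above.
LSOF_OUTPUT = """\
COMMAND   PID USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
krb5kdc 14336 root    7u  IPv4 42900671      0t0  UDP *:kerberos
krb5kdc 14336 root    8u  IPv6 42900677      0t0  UDP [fe80::20c:29ff:fe3d:3abf]:kerberos
krb5kdc 14336 root    9u  IPv6 42900680      0t0  TCP *:kerberos (LISTEN)
krb5kdc 14336 root   10u  IPv4 42900681      0t0  TCP *:kerberos (LISTEN)
"""

def parse_lsof(text):
    """Return (command, family, protocol, name, state) rows from `lsof -i` output."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 9:
            continue
        state = parts[9].strip('()') if len(parts) > 9 else ''
        rows.append((parts[0], parts[4], parts[7], parts[8], state))
    return rows

def kdc_listeners(text, command='krb5kdc'):
    """Map protocol -> set of address families on which the KDC is serving."""
    serving = {'TCP': set(), 'UDP': set()}
    for cmd, family, proto, _name, state in parse_lsof(text):
        if cmd != command or proto not in serving:
            continue
        if proto == 'TCP' and state != 'LISTEN':
            continue  # an ESTABLISHED TCP socket is a connection, not a listener
        serving[proto].add(family)
    return serving

def tcp_ready(text, command='krb5kdc'):
    """True when the KDC has at least one TCP listener (what Hadoop needs)."""
    return bool(kdc_listeners(text, command)['TCP'])
```

The `udp_preference_limit = 1` setting in the krb5.conf above makes clients send requests over TCP first, so with that client configuration a KDC that only shows UDP sockets here will fail immediately rather than only on large tickets.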

With the steps above, the Kerberos installation is complete. We can now run some tests of our own, such as creating and modifying principals.

[root@tsczbddbprd4 data]# kinit admin/admin@TRINASOLAR.COM
Password for admin/admin@TRINASOLAR.COM: 
[root@tsczbddbprd4 data]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@TRINASOLAR.COM

Valid starting     Expires            Service principal
04/09/19 16:15:31  04/10/19 16:15:31  krbtgt/TRINASOLAR.COM@TRINASOLAR.COM
        renew until 04/16/19 16:15:31
[root@tsczbddbprd4 data]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@TRINASOLAR.COM

Valid starting     Expires            Service principal
04/09/19 16:15:31  04/10/19 16:15:31  krbtgt/TRINASOLAR.COM@TRINASOLAR.COM
        renew until 04/16/19 16:15:31, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
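The `klist -e` output is the quickest way to confirm that the KDC actually applied the policy from kdc.conf. The following Python script is an added example, not code from the post: it parses a constructed copy of the `klist -e` output above and checks the TGT lifetime against `max_life` (1d), its renewable life against `max_renewable_life` (7d), and that both enctypes are in the AES family that `supported_enctypes` allows. The date format assumed is the two-digit-year form shown in this listing.

```python
import re
from datetime import datetime

# Constructed copy of the `klist -e` output shown above.
KLIST_E_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@TRINASOLAR.COM

Valid starting     Expires            Service principal
04/09/19 16:15:31  04/10/19 16:15:31  krbtgt/TRINASOLAR.COM@TRINASOLAR.COM
        renew until 04/16/19 16:15:31, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
"""

TS_FMT = '%m/%d/%y %H:%M:%S'
TS_RE = r'\d\d/\d\d/\d\d \d\d:\d\d:\d\d'
TICKET_RE = re.compile(rf'^({TS_RE})\s+({TS_RE})\s+(\S+)')
RENEW_RE = re.compile(rf'renew until ({TS_RE})')
ETYPE_RE = re.compile(r'Etype \(skey, tkt\): ([^,\s]+), (\S+)')

def parse_klist(text):
    """Return (default principal, [ticket dicts]) from `klist -e` output."""
    principal, tickets = None, []
    for line in text.splitlines():
        m = re.match(r'Default principal: (\S+)', line)
        if m:
            principal = m.group(1)
            continue
        m = TICKET_RE.match(line)
        if m:
            tickets.append({'start': datetime.strptime(m.group(1), TS_FMT),
                            'expires': datetime.strptime(m.group(2), TS_FMT),
                            'service': m.group(3), 'renew_until': None,
                            'skey_etype': None, 'tkt_etype': None})
            continue
        if tickets:  # indented continuation lines belong to the last ticket
            m = RENEW_RE.search(line)
            if m:
                tickets[-1]['renew_until'] = datetime.strptime(m.group(1), TS_FMT)
            m = ETYPE_RE.search(line)
            if m:
                tickets[-1]['skey_etype'], tickets[-1]['tkt_etype'] = m.groups()
    return principal, tickets

def check_tgt(text, realm, max_life_s, max_renew_s, allowed_prefix='aes'):
    """Findings for the TGT in the cache: lifetimes within the KDC policy
    (max_life, max_renewable_life in seconds) and both enctypes in the allowed family."""
    principal, tickets = parse_klist(text)
    tgt = next((t for t in tickets if t['service'] == f'krbtgt/{realm}@{realm}'), None)
    if tgt is None:
        return [f'no TGT for {realm} in the cache']
    findings = []
    if not (principal or '').endswith('@' + realm):
        findings.append(f'default principal {principal} is not in realm {realm}')
    life = (tgt['expires'] - tgt['start']).total_seconds()
    if life > max_life_s:
        findings.append(f'TGT lifetime {life:.0f}s exceeds max_life {max_life_s}s')
    if tgt['renew_until'] is not None:
        renew = (tgt['renew_until'] - tgt['start']).total_seconds()
        if renew > max_renew_s:
            findings.append(f'renewable life {renew:.0f}s exceeds max_renewable_life {max_renew_s}s')
    for label in ('skey_etype', 'tkt_etype'):
        if not (tgt[label] or '').startswith(allowed_prefix):
            findings.append(f'{label} {tgt[label]} is not an {allowed_prefix} enctype')
    return findings
```

`check_tgt(KLIST_E_OUTPUT, 'TRINASOLAR.COM', 86400, 7 * 86400)` returns no findings for the listing above; the same call with a smaller `max_life` reports the 86400 s lifetime, which is how you would spot a KDC that ignored the lifetime you thought you had configured.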
