Kerberos installation

Installing the Kerberos server

Environment preparation: edit /etc/hosts and map the server's IP address to the host name hadoop (the name is arbitrary; it is the one used in the configuration below).

  1. Install directly using yum

    yum -y install krb5-server krb5-libs krb5-workstation
  2. Configure the KDC service: vi /etc/krb5.conf

    # Where the server-side components write their logs
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    # Defaults applied to every connection
    [libdefaults]
     dns_lookup_realm = false
     # How long an issued ticket stays valid, normally 24 hours
     ticket_lifetime = 24h
     # Longest period over which a ticket may be renewed, normally one week.
     # Once it runs out, access to Kerberos-protected services fails until a new kinit.
     renew_lifetime = 7d
     forwardable = true
     rdns = false
     default_realm = HADOOP.COM
     # Note: Java-based clients such as Hadoop cannot read the KEYRING cache type;
     # comment this line out if kinit succeeds but Hadoop reports no credentials.
     default_ccache_name = KEYRING:persistent:%{uid}
     # Force TCP; avoids a Hadoop error caused by large tickets over UDP
     udp_preference_limit = 1

    # Enumerates the realms in use
    [realms]
     HADOOP.COM = {
      # Location of the KDC as host[:port]; the default port is 88.
      # Remember to add this host name to /etc/hosts so it resolves.
      kdc = hadoop
      # Location of the admin server (kadmind) as host[:port]; the default port is 749.
      admin_server = hadoop
     }

    # Maps DNS domains to the realm
    [domain_realm]
     .hadoop.com = HADOOP.COM
     hadoop.com = HADOOP.COM
  3. Edit the admin ACL file, vi /var/kerberos/krb5kdc/kadm5.acl, with the content

    */admin@HADOOP.COM  *
  4. Edit /var/kerberos/krb5kdc/kdc.conf with the content

    [kdcdefaults]
     kdc_ports = 88
     kdc_tcp_ports = 88

    # Realm definitions. The name is arbitrary; Kerberos supports several realms at the
    # cost of extra complexity. Realm names are case-sensitive and by convention all upper
    # case. A realm has nothing to do with the machine's host name.
    [realms]
     HADOOP.COM = {
      # The default is aes256-cts
      #master_key_type = aes256-cts
      # Must be set if renewable tickets are to be issued
      max_renewable_life = 7d
      # ACL file that grants admin permissions. Each line has the form
      #   kerberos_principal permissions [target_principal] [restrictions]
      # and wildcards are supported.
      acl_file = /var/kerberos/krb5kdc/kadm5.acl
      dict_file = /usr/share/dict/words
      # Keytab kadmind uses to authenticate itself to the KDC
      admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
      # Encryption types offered for newly created keys.
      # Security note: the des-*, des3-* and arcfour-hmac types are broken or deprecated
      # (single DES is refused by MIT krb5 1.8+ unless allow_weak_crypto = true); on a new
      # deployment keep only the AES types, and Camellia if a client needs it.
      supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
     }
  5. Create/initialize Kerberos database

    kdb5_util create -s -r HADOOP.COM

    Here -s writes a stash file holding the master key, so krb5kdc can start without prompting for it, and -r selects the realm; -r is required whenever more than one realm is defined in krb5.conf. To rebuild the database, first delete the principal* files in /var/kerberos/krb5kdc. Remember the master password you set here: without it you cannot administer the database once the stash file is gone.
  6. Add a database administrator. At least one administrative principal must exist in the Kerberos database before the administration daemon kadmind will accept connections from the kadmin program over the network.

    /usr/sbin/kadmin.local -q "addprinc root/admin"
  7. Start the Kerberos daemons on the master KDC

    systemctl start krb5kdc
    systemctl start kadmin
    chkconfig krb5kdc on
    chkconfig kadmin on
  8. Export a keytab for the root/admin principal. Note that ktadd gives the principal a fresh random key, so its password stops working afterwards; in kadmin.local use ktadd -norandkey if the password must keep working.

    kadmin.local:  ktadd -k /var/kerberos/krb5kdc/krb5.keytab root/admin
  9. Authenticate with the keytab. This places a ticket for root/admin@HADOOP.COM in the local credential cache, so no password has to be typed again.

    kinit -kt /var/kerberos/krb5kdc/krb5.keytab root/admin
    # list the credentials now held in the cache
    klist
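The nine server steps above collected into one re-runnable script. This is an added example, not the post's own commands; it assumes a CentOS/RHEL 7 host, the realm HADOOP.COM, the KDC host name hadoop and the admin principal root/admin (all overridable through environment variables, and all hypothetical), and it departs from the post in one place: the kdc.conf it writes offers AES enctypes only. The rendering functions are pure text, so their output can be checked without root or a KDC.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Assumed (hypothetical) site values:
# realm HADOOP.COM, KDC host name "hadoop", admin principal root/admin.
set -eu

REALM="${REALM:-HADOOP.COM}"
KDC_HOST="${KDC_HOST:-hadoop}"
ADMIN_PRINC="${ADMIN_PRINC:-root/admin}"
ADMIN_KEYTAB="${ADMIN_KEYTAB:-/var/kerberos/krb5kdc/krb5.keytab}"

# Emit /etc/krb5.conf for a realm and KDC host. Text only, so it can be diffed or
# tested without touching the system.
render_krb5_conf() {
  realm="$1"; kdc="$2"
  domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
  cat <<EOF
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = $realm
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 udp_preference_limit = 1

[realms]
 $realm = {
  kdc = $kdc
  admin_server = $kdc
 }

[domain_realm]
 .$domain = $realm
 $domain = $realm
EOF
}

# Emit kdc.conf. Unlike the post's list, only AES enctypes are offered: the DES,
# RC4 (arcfour) and 3DES types are broken or deprecated (RFC 6649, RFC 8429).
render_kdc_conf() {
  realm="$1"
  cat <<EOF
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 $realm = {
  max_renewable_life = 7d
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal
 }
EOF
}

# kadm5.acl: every */admin principal in the realm gets all privileges.
render_kadm5_acl() { printf '*/admin@%s  *\n' "$1"; }

# Return 0 if NAME appears as a host name in the hosts file (default /etc/hosts),
# which the post requires so the KDC can be reached by name.
host_in_hosts() { grep -Eq "^[^#]*[[:space:]]$1([[:space:]]|$)" "${2:-/etc/hosts}"; }

bootstrap_kdc() {
  host_in_hosts "$KDC_HOST" || { echo "add $KDC_HOST to /etc/hosts first" >&2; return 1; }
  yum -y install krb5-server krb5-libs krb5-workstation
  render_krb5_conf "$REALM" "$KDC_HOST" > /etc/krb5.conf
  render_kdc_conf "$REALM" > /var/kerberos/krb5kdc/kdc.conf
  render_kadm5_acl "$REALM" > /var/kerberos/krb5kdc/kadm5.acl
  # -s stashes the master key so krb5kdc can start unattended; the master
  # password is entered at the prompt, never on the command line.
  kdb5_util create -r "$REALM" -s
  kadmin.local -q "addprinc $ADMIN_PRINC"
  systemctl enable krb5kdc kadmin
  systemctl start krb5kdc kadmin
  # -norandkey keeps the admin password usable after the keytab is written.
  kadmin.local -q "ktadd -norandkey -k $ADMIN_KEYTAB $ADMIN_PRINC"
  chmod 600 "$ADMIN_KEYTAB"
  kinit -kt "$ADMIN_KEYTAB" "$ADMIN_PRINC" && klist
}

# Only changes the system when asked explicitly, so sourcing the file is harmless.
if [ "${1:-}" = "--apply" ]; then bootstrap_kdc; fi
```

Run it as `bash kdc-bootstrap.sh --apply` on the KDC host; kdb5_util and addprinc still prompt for the master and admin passwords, so neither lands in shell history or the process list.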

Installing the Kerberos client

Environment preparation: edit /etc/hosts and map the server's IP address to the host name hadoop, so the client can reach the server by that name.

  1. Install with yum

    yum -y install krb5-workstation krb5-libs
  2. Copy the configuration file from the server to the client

    scp root@hadoop:/etc/krb5.conf /etc/krb5.conf
  3. Copy a keytab generated on the server to the client so it can authenticate with the keytab. A keytab holds the principal's long-term key, so keep it mode 600 and owned by the account that runs kinit; handing the root/admin keytab to a client is for this walkthrough only, and in practice each host or service should get its own principal and keytab.

    scp root@hadoop:/var/kerberos/krb5kdc/krb5.keytab /var/kerberos/krb5/krb5.keytab
  4. Authenticate with the keytab

    kinit -kt /var/kerberos/krb5/krb5.keytab root/admin
    # list the credentials now held in the cache
    klist
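The client steps above as one script, with two checks the post leaves to reading klist by eye: a count of weak-enctype keys in the keytab listing, and a test that the cache actually holds a TGT for the realm. This is an added example, not the post's own commands; it assumes the KDC host name hadoop, the realm HADOOP.COM and the keytab path used above (all hypothetical), and the two klist outputs embedded in it are constructed samples rather than captured output.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Assumed (hypothetical) values: KDC host
# "hadoop", realm HADOOP.COM, principal root/admin, keytab /var/kerberos/krb5/krb5.keytab.
set -eu

KDC_HOST="${KDC_HOST:-hadoop}"
REALM="${REALM:-HADOOP.COM}"
PRINC="${PRINC:-root/admin}"
KEYTAB="${KEYTAB:-/var/kerberos/krb5/krb5.keytab}"

# Count keys in a `klist -kte` listing (read from stdin) whose enctype is single DES,
# RC4 (arcfour) or 3DES. A keytab written under the post's supported_enctypes holds
# all of them; each is a key an attacker can brute-force offline far more cheaply
# than AES, so a non-zero count means the principal should be re-keyed.
weak_key_count() { grep -cE '\((des|arcfour)[^)]*\)' || true; }

# Return 0 if a `klist` credential listing (read from stdin) holds a TGT for REALM.
cache_has_tgt() { grep -q "krbtgt/$1@$1"; }

# Return 0 if the keytab is readable by its owner only (mode 600 or 400).
keytab_mode_ok() { mode=$(stat -c %a "$1"); [ "$mode" = 600 ] || [ "$mode" = 400 ]; }

enroll_client() {
  yum -y install krb5-workstation krb5-libs
  scp "root@$KDC_HOST:/etc/krb5.conf" /etc/krb5.conf
  scp "root@$KDC_HOST:/var/kerberos/krb5kdc/krb5.keytab" "$KEYTAB"
  chmod 600 "$KEYTAB"
  keytab_mode_ok "$KEYTAB" || return 1
  n=$(klist -kte "$KEYTAB" | weak_key_count)
  [ "$n" -eq 0 ] || echo "warning: $n weak-enctype keys in $KEYTAB" >&2
  kinit -kt "$KEYTAB" "$PRINC"
  # klist -s exits non-zero when the cache holds no valid ticket; cache_has_tgt is
  # the same check applied to saved output.
  klist -s && klist | cache_has_tgt "$REALM"
}

# Constructed sample of `klist -kte` for a keytab written with the post's enctype list.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/var/kerberos/krb5/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 05/20/2021 10:31:02 root/admin@HADOOP.COM (aes256-cts-hmac-sha1-96)
   2 05/20/2021 10:31:02 root/admin@HADOOP.COM (aes128-cts-hmac-sha1-96)
   2 05/20/2021 10:31:02 root/admin@HADOOP.COM (des3-cbc-sha1)
   2 05/20/2021 10:31:02 root/admin@HADOOP.COM (arcfour-hmac)
   2 05/20/2021 10:31:02 root/admin@HADOOP.COM (camellia256-cts-cmac)
   2 05/20/2021 10:31:02 root/admin@HADOOP.COM (camellia128-cts-cmac)
   2 05/20/2021 10:31:02 root/admin@HADOOP.COM (des-hmac-sha1)
   2 05/20/2021 10:31:02 root/admin@HADOOP.COM (des-cbc-md5)
   2 05/20/2021 10:31:02 root/admin@HADOOP.COM (des-cbc-crc)'

# Constructed sample of `klist` after a successful kinit -kt.
SAMPLE_CACHE_LISTING='Ticket cache: KEYRING:persistent:0:0
Default principal: root/admin@HADOOP.COM

Valid starting       Expires              Service principal
05/20/2021 10:35:01  05/21/2021 10:35:01  krbtgt/HADOOP.COM@HADOOP.COM
        renew until 05/27/2021 10:35:01'

# Only changes the system when asked explicitly, so sourcing the file is harmless.
if [ "${1:-}" = "--apply" ]; then enroll_client; fi
```

On the constructed keytab listing the weak-key count is 5 (the des3, arcfour and three single-DES keys); after trimming supported_enctypes on the KDC to the AES types and re-running ktadd, it drops to 0.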