CDH 08: Cloudera Manager freeIPA Kerberos installation and configuration
Contents
- I. Configure Kerberos
- 1. Configure the krb5.conf credential cache
- 2. Configure kadm5.acl
- 3. Restart the freeIPA services
- 4. Verify the freeIPA KDC
- 5. Install the freeIPA client (all servers except cdh-ipa-v01)
- 6. Modify the krb5.conf configuration file on the other nodes
- 1) Configure krb5.conf
- 2) Distribute to the other nodes
- 3) Verify (on the cdh-ipa-v01 server)
I. Configure Kerberos
1. Configure the krb5.conf credential cache
vi /etc/krb5.conf
[root@cdh-ipa-v01 ~]# vi /etc/krb5.conf
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = YUNES.COM
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
# default_ccache_name = KEYRING:persistent:%{uid}
default_ccache_name = FILE:/tmp/krb5cc_%{uid}
[realms]
YUNES.COM = {
kdc = cdh-ipa-v01.yunes.com:88
master_kdc = cdh-ipa-v01.yunes.com:88
admin_server = cdh-ipa-v01.yunes.com:749
default_domain = yunes.com
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.yunes.com = YUNES.COM
yunes.com = YUNES.COM
cdh-ipa-v01.yunes.com = YUNES.COM
[dbmodules]
YUNES.COM = {
db_library = ipadb.so
}
[plugins]
certauth = {
module = ipakdb:kdb/ipadb.so
enable_only = ipakdb
}
2. Configure kadm5.acl
vi /var/kerberos/krb5kdc/kadm5.acl
[root@cdh-ipa-v01 ~]# vi /var/kerberos/krb5kdc/kadm5.acl
3. Restart the freeIPA services
ipactl restart
[root@cdh-ipa-v01 ~]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
4. Verify the freeIPA KDC
kinit admin
[root@cdh-ipa-v01 ~]# kinit admin
[root@cdh-ipa-v01 ~]# klist
[root@cdh-ipa-v01 ~]# ipa --version
[root@cdh-ipa-v01 ~]# kinit admin
Password for admin@YUNES.COM: adminrootROOT@1234
[root@cdh-ipa-v01 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@YUNES.COM
Valid starting Expires Service principal
09/23/2022 21:15:28 09/24/2022 21:15:22 krbtgt/YUNES.COM@YUNES.COM
[root@cdh-ipa-v01 ~]# ipa --version
VERSION: 4.6.8, API_VERSION: 2.237
5. Install the freeIPA client (all servers except cdh-ipa-v01)
ipa-client-install --domain=yunes.com \
--server=cdh-ipa-v01.yunes.com \
--realm=YUNES.COM \
--principal=admin@YUNES.COM \
--password=adminrootROOT@1234
[root@cdh-cm-v01 scripts]# ipa-client-install --domain=yunes.com \
> --server=cdh-ipa-v01.yunes.com \
> --realm=YUNES.COM \
> --principal=admin@YUNES.COM \
> --password=adminrootROOT@1234
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Client hostname: cdh-cm-v01.yunes.com
Realm: YUNES.COM
DNS Domain: yunes.com
IPA Server: cdh-ipa-v01.yunes.com
BaseDN: dc=yunes,dc=com
Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Attempting to sync time using ntpd. Will timeout after 15 seconds
Attempting to sync time using ntpd. Will timeout after 15 seconds
Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=YUNES.COM
Issuer: CN=Certificate Authority,O=YUNES.COM
Valid From: 2022-09-23 06:12:10
Valid Until: 2042-09-23 06:12:10
Enrolled in IPA realm YUNES.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm YUNES.COM
trying https://cdh-ipa-v01.yunes.com/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://cdh-ipa-v01.yunes.com/ipa/json'
trying https://cdh-ipa-v01.yunes.com/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://cdh-ipa-v01.yunes.com/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://cdh-ipa-v01.yunes.com/ipa/session/json'
Systemwide CA database updated.
Hostname (cdh-cm-v01.yunes.com) does not have A/AAAA record.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://cdh-ipa-v01.yunes.com/ipa/session/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring yunes.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
6. Modify the krb5.conf configuration file on the other nodes
1) Configure krb5.conf
vi /etc/krb5.conf
[root@cdh-cm-v01 .ssh]# vi /etc/krb5.conf
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = YUNES.COM
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
# default_ccache_name = KEYRING:persistent:%{uid}
default_ccache_name = FILE:/tmp/krb5cc_%{uid}
[realms]
YUNES.COM = {
kdc = cdh-ipa-v01.yunes.com:88
master_kdc = cdh-ipa-v01.yunes.com:88
admin_server = cdh-ipa-v01.yunes.com:749
default_domain = yunes.com
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
2) Distribute to the other nodes
cd ~/scripts/
./sync_to_all_node.sh /etc/krb5.conf /etc/
[root@cdh-cm-v01 ~]# cd ~/scripts/
[root@cdh-cm-v01 scripts]# ./sync_to_all_node.sh /etc/krb5.conf /etc/
3) Verify (on the cdh-ipa-v01 server)
ipa host-find|grep -E "Host name|主机名"|grep "yunes.com"
[root@cdh-ipa-v01 ~]# ipa host-find|grep -E "Host name|主机名"|grep "yunes.com"
Host name: cdh-client-v01.yunes.com
Host name: cdh-cm-v01.yunes.com
Host name: cdh-datanode-v01.yunes.com
Host name: cdh-datanode-v02.yunes.com
Host name: cdh-datanode-v03.yunes.com
Host name: cdh-ipa-v01.yunes.com
Host name: cdh-master-v01.yunes.com
Host name: cdh-master-v02.yunes.com