配置Kerberos实战案例
作者:尹正杰
版权声明:原创作品,谢绝转载!否则将追究法律责任。
一.Kerberos主要配置文件概述
krb5.conf:
作用:
krb5.conf是Kerberos的首要配置文件,可以在这里配置默认realm、各个realm的KDC与admin server地址([realms]段),以及DNS域名与Kerberos realm之间的映射关系([domain_realm]段)。
此文件由所有链接了Kerberos库的程序读取:不仅是kinit,任何Kerberos化的客户端/服务端程序,以及KDC自身的守护进程(krb5kdc、kadmind)都会读取它,因此集群中每个节点都必须有一份内容一致的副本。此文件中的大多数配置参数可以使用默认值。
路径:
通常位于"/etc/krb5.conf"。
kdc.conf:
作用:
kdc.conf是KDC侧守护进程(krb5kdc、kadmind)的配置文件,用于定义各realm的principal数据库位置、监听端口、支持的加密类型、kadm5.acl的路径(acl_file),以及票据的最大有效期/最大可续期时间(max_life、max_renewable_life)等上限。普通客户端不需要此文件。
路径:
通常位于"/var/kerberos/krb5kdc/kdc.conf"(注意Linux上路径区分大小写,目录名是小写的kerberos,与下文krb5.conf中[kdc]段的profile一致);如果是源码安装通常位于安装目录(如"/yinzhengjie/softwares/kerberos")下的"var/krb5kdc/kdc.conf"。
当然,你也可以不遵守上述约定,因为该配置文件路径是可以在krb5.conf中指定的(即[kdc]段的profile参数,如本文示例中的profile = /var/kerberos/krb5kdc/kdc.conf),也可以通过KRB5_KDC_PROFILE环境变量覆盖。
kadm5.acl:
作用:
kadm5.acl是kadmind的访问控制列表,规定哪些principal可以通过kadmin远程执行哪些管理操作(如添加/删除/修改principal、修改密码、提取keytab等)。它决定了谁能管理整个realm,应按最小权限原则逐条授权,避免使用"*"把全部权限授予宽泛的匹配规则。
路径:
通常位于"/var/kerberos/krb5kdc/"目录下(RPM包安装时与kdc.conf同目录);如果是源码安装通常位于安装目录(如"/yinzhengjie/softwares/kerberos")下的"var/krb5kdc/"目录下。实际生效的路径以kdc.conf中对应realm的acl_file参数为准。
二.配置kerberos客户端配置文件(krb5.conf)
1>.备份配置文件
[root@hadoop101.yinzhengjie.com ~]# cp /etc/krb5.conf /etc/krb5.conf-`date +%F`
2>.修改配置文件
[root@hadoop101.yinzhengjie.com ~]# vim /etc/krb5.conf
[root@hadoop101.yinzhengjie.com ~]#
[root@hadoop101.yinzhengjie.com ~]# cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = YINZHENGJIE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[realms]
 YINZHENGJIE.COM = {
  kdc = kdc.yinzhengjie.com
  admin_server = kdc.yinzhengjie.com
 }
 CERT.YINZHENGJIE.COM = {
  kdc = kdc.cert.yinzhengjie.com
  admin_server = kdc.cert.yinzhengjie.com
 }

[domain_realm]
 .yinzhengjie.com = YINZHENGJIE.COM
 yinzhengjie.com = YINZHENGJIE.COM
 .dev.yinzhengjie.com = YINZHENGJIE.COM
 dev.yinzhengjie.com = YINZHENGJIE.COM
[root@hadoop101.yinzhengjie.com ~]#

配置要点说明:
(1) dns_lookup_realm = false 与 dns_lookup_kdc = false:不通过DNS(TXT/SRV记录)发现realm和KDC,完全以本文件中[realms]和[domain_realm]的静态配置为准,可避免被伪造的DNS应答引导到假冒的KDC;代价是新增或更换KDC时必须同步修改并重新分发此文件。
(2) forwardable = true:默认签发的TGT都是可转发的,拿到转发TGT的服务可以以该用户身份去访问其他服务。Hadoop生态中的代理/委托场景通常需要它,但对于不需要委托的客户端,可以在kinit时加 -F 或在该主机上关闭此项,以缩小凭据被滥用的范围。
(3) ticket_lifetime 与 renew_lifetime 只是客户端的请求值,实际生效值还受kdc.conf中max_life、max_renewable_life以及principal自身属性的上限约束,三者取最小值。
(4) [domain_realm]按最长后缀匹配:.yinzhengjie.com 已经覆盖了 dev.yinzhengjie.com 及其子域,两条dev条目是冗余的(无害);反过来,cert.yinzhengjie.com 下的主机同样会被映射到 YINZHENGJIE.COM,如果这些主机的服务属于 CERT.YINZHENGJIE.COM realm,需要额外增加 .cert.yinzhengjie.com = CERT.YINZHENGJIE.COM 和 cert.yinzhengjie.com = CERT.YINZHENGJIE.COM 两条映射,否则客户端会向错误的realm申请服务票据。
(5) [kdc]段的profile只被KDC侧守护进程读取,对普通客户端没有影响,放在统一分发的文件里是无害的。
(6) includedir /etc/krb5.conf.d/ 下的配置片段同样参与生效,分发时要保证各节点该目录的内容一致,否则会出现节点间行为不一致、难以排查的问题。
[root@hadoop101.yinzhengjie.com ~]# ansible other -m copy -a 'src=/etc/krb5.conf dest=/etc/krb5.conf'    #配置好krb5.conf文件后,必须将其复制到Hadoop集群中的每个节点上。
hadoop105.yinzhengjie.com | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": true,
    "checksum": "07b4e1bfac82f1ab4957670b9a16404ffaf100e3",
    "dest": "/etc/krb5.conf",
    "gid": 0,
    "group": "root",
    "md5sum": "1f343a0a8ed790b326f9dc8fe3f3bf0d",
    "mode": "0644",
    "owner": "root",
    "size": 797,
    "src": "/root/.ansible/tmp/ansible-tmp-1601691445.66-9638-247755547729680/source",
    "state": "file",
    "uid": 0
}
hadoop102.yinzhengjie.com | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": true,
    "checksum": "07b4e1bfac82f1ab4957670b9a16404ffaf100e3",
    "dest": "/etc/krb5.conf",
    "gid": 0,
    "group": "root",
    "md5sum": "1f343a0a8ed790b326f9dc8fe3f3bf0d",
    "mode": "0644",
    "owner": "root",
    "size": 797,
    "src": "/root/.ansible/tmp/ansible-tmp-1601691445.64-9634-168045767927027/source",
    "state": "file",
    "uid": 0
}
hadoop104.yinzhengjie.com | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": true,
    "checksum": "07b4e1bfac82f1ab4957670b9a16404ffaf100e3",
    "dest": "/etc/krb5.conf",
    "gid": 0,
    "group": "root",
    "md5sum": "1f343a0a8ed790b326f9dc8fe3f3bf0d",
    "mode": "0644",
    "owner": "root",
    "size": 797,
    "src": "/root/.ansible/tmp/ansible-tmp-1601691445.68-9637-54408979140843/source",
    "state": "file",
    "uid": 0
}
hadoop103.yinzhengjie.com | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": true,
    "checksum": "07b4e1bfac82f1ab4957670b9a16404ffaf100e3",
    "dest": "/etc/krb5.conf",
    "gid": 0,
    "group": "root",
    "md5sum": "1f343a0a8ed790b326f9dc8fe3f3bf0d",
    "mode": "0644",
    "owner": "root",
    "size": 797,
    "src": "/root/.ansible/tmp/ansible-tmp-1601691445.66-9636-241348543456303/source",
    "state": "file",
    "uid": 0
}
[root@hadoop101.yinzhengjie.com ~]#

分发说明:krb5.conf本身不含密钥等敏感信息,且必须能被各用户的进程读取,因此输出中的 owner=root、mode=0644 是合适的权限;可以用各节点输出中相同的checksum来确认分发结果一致。注意这条命令只复制了/etc/krb5.conf,并不包含 includedir 指向的 /etc/krb5.conf.d/ 目录下的片段,如有片段也需要一并分发;同时要确认ansible的 other 主机组确实包含了集群中所有需要做Kerberos认证的节点。