...

Code Block
# dnsmasq SRV/TXT records that let clients locate the IPA KDC for the realm
srv-host = _kerberos-master._tcp.in.nopadding.com,ux4.in.nopadding.com,88
srv-host = _kerberos-master._udp.in.nopadding.com,ux4.in.nopadding.com,88
srv-host = _kerberos._tcp.in.nopadding.com,ux4.in.nopadding.com,88
srv-host = _kerberos._udp.in.nopadding.com,ux4.in.nopadding.com,88
# kpasswd (password change) listens on 464, not 88; one TCP and one UDP record are needed
srv-host = _kpasswd._tcp.in.nopadding.com,ux4.in.nopadding.com,464
srv-host = _kpasswd._udp.in.nopadding.com,ux4.in.nopadding.com,464
srv-host = _ldap._tcp.in.nopadding.com,ux4.in.nopadding.com,389
# TXT record mapping the DNS domain to the Kerberos realm name
txt-record = _kerberos.in.nopadding.com,"IN.NOPADDING.COM"
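A mistake in these SRV records (wrong port, missing UDP record, realm TXT not matching the domain) only shows up later as an opaque kinit or ipa-client-install failure, so it is worth linting the dnsmasq snippet before reloading it. The checker below is an added example, not code from the original page; it assumes the IANA ports (Kerberos 88, kpasswd 464, LDAP 389) and uses a constructed sample built from the records above, including a kpasswd record on port 88 so the checks have something to flag.

```python
"""Lint dnsmasq srv-host / txt-record lines for a Kerberos/IPA realm (added example)."""
import re
from collections import Counter

# Expected port per SRV service label (IANA-registered Kerberos/LDAP ports; assumption)
EXPECTED_PORTS = {"_kerberos": 88, "_kerberos-master": 88, "_kpasswd": 464, "_ldap": 389}

# Records a client needs to find the KDC and to change passwords
REQUIRED = [("_kerberos", "_tcp"), ("_kerberos", "_udp"),
            ("_kpasswd", "_tcp"), ("_kpasswd", "_udp")]

SRV_RE = re.compile(r"^\s*srv-host\s*=\s*([^,]+),([^,]+),(\d+)\s*$")
TXT_RE = re.compile(r'^\s*txt-record\s*=\s*_kerberos\.([^,]+),"([^"]+)"\s*$')


def parse_srv_host(line):
    """Return (service, proto, domain, target, port) or None if the line is not an srv-host entry."""
    m = SRV_RE.match(line)
    if not m:
        return None
    name, target, port = m.group(1).strip(), m.group(2).strip(), int(m.group(3))
    parts = name.split(".")
    if len(parts) < 3 or not parts[0].startswith("_") or parts[1] not in ("_tcp", "_udp"):
        return None
    return parts[0], parts[1], ".".join(parts[2:]), target, port


def check_srv_records(config_text):
    """Return a list of findings (empty list means the snippet looks consistent)."""
    findings = []
    seen = Counter()   # (service, proto, domain) -> number of definitions
    realms = {}        # domain -> realm from the _kerberos TXT record
    for lineno, line in enumerate(config_text.splitlines(), 1):
        txt = TXT_RE.match(line)
        if txt:
            realms[txt.group(1).strip()] = txt.group(2)
            continue
        rec = parse_srv_host(line)
        if rec is None:
            continue
        service, proto, domain, _target, port = rec
        seen[(service, proto, domain)] += 1
        expected = EXPECTED_PORTS.get(service)
        if expected is not None and port != expected:
            findings.append(f"line {lineno}: {service}.{proto} uses port {port}, expected {expected}")
    for (service, proto, domain), n in sorted(seen.items()):
        if n > 1:
            findings.append(f"{service}.{proto}.{domain} is defined {n} times")
    for domain in sorted({d for (_, _, d) in seen}):
        for service, proto in REQUIRED:
            if (service, proto, domain) not in seen:
                findings.append(f"no {service}.{proto} record for {domain}")
        realm = realms.get(domain)
        if realm is None:
            findings.append(f"no _kerberos TXT realm record for {domain}")
        elif realm != domain.upper():
            findings.append(f"TXT realm {realm} does not match domain {domain}")
    return findings


# Constructed sample: the page's records, with kpasswd still on port 88 and no UDP record
SAMPLE_CONFIG = """srv-host = _kerberos-master._tcp.in.nopadding.com,ux4.in.nopadding.com,88
srv-host = _kerberos-master._udp.in.nopadding.com,ux4.in.nopadding.com,88
srv-host = _kerberos._tcp.in.nopadding.com,ux4.in.nopadding.com,88
srv-host = _kerberos._udp.in.nopadding.com,ux4.in.nopadding.com,88
srv-host = _kpasswd._tcp.in.nopadding.com,ux4.in.nopadding.com,88
srv-host = _kpasswd._tcp.in.nopadding.com,ux4.in.nopadding.com,88
srv-host = _ldap._tcp.in.nopadding.com,ux4.in.nopadding.com,389
txt-record = _kerberos.in.nopadding.com,"IN.NOPADDING.COM"
"""

# Same snippet with the kpasswd records corrected
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "srv-host = _kpasswd._tcp.in.nopadding.com,ux4.in.nopadding.com,88\n"
    "srv-host = _kpasswd._tcp.in.nopadding.com,ux4.in.nopadding.com,88\n",
    "srv-host = _kpasswd._tcp.in.nopadding.com,ux4.in.nopadding.com,464\n"
    "srv-host = _kpasswd._udp.in.nopadding.com,ux4.in.nopadding.com,464\n",
)

if __name__ == "__main__":
    for finding in check_srv_records(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against the real dnsmasq config file contents before a `systemctl reload dnsmasq`; an empty result list is the pass condition, and each finding names the line or record to fix.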

Add the A records to the hosts file.

IPA service

Install ipa-client

Code Block
yum install -y ipa-client

# Enroll the host in the IN.NOPADDING.COM realm; -d gives debug output.
# Passing --password on the command line leaves the admin password in shell history and process listings;
# omit it and let the installer prompt where that matters.
ipa-client-install --domain=in.nopadding.com --realm=IN.NOPADDING.COM --principal=admin@IN.NOPADDING.COM --password=hadoop123 --mkhomedir --permit --no-ntp --no-ssh --no-sshd -d

...

Code Block
KRB5_TRACE=/dev/stderr kinit admin

Problems integrating the IPA KDC with Cloudera Manager

Configuring Kerberos in CM has two stages. The first imports credentials using the KDC administrator's account and password; in practice this is the step that generates the keytabs.

...

Code Block
ldappasswd -ZZ -D 'cn=Directory Manager' -W -S uid=admin,cn=users,cn=accounts,dc=in,dc=nopadding,dc=com -H ldap://ux4.in.nopadding.com

certmonger

...

Certificate service (TODO)

Generate certificates:

Code Block
# Bundle the hdfs certificate and private key into a PKCS#12 file
openssl pkcs12 -export -name hdfs -passout pass:hadoop123 -in hdfs.pem.5 -inkey hdfs.key.5 -out hdfs.p12
# Import the PKCS#12 entry into a JKS keystore under the alias hdfs
keytool -importkeystore -srckeystore hdfs.p12 -srcstoretype PKCS12 -srcstorepass hadoop123 -destkeystore hdfs.jks -deststorepass hadoop123 -alias hdfs
# Migrate the keystore in place from the proprietary JKS format to PKCS12
keytool -importkeystore -srckeystore hdfs.jks -destkeystore hdfs.jks -deststoretype pkcs12
# Add the IPA CA as a trusted certificate so the chain validates
keytool -keystore hdfs.jks -import -file /etc/ipa/ca.crt -alias ipa-ca

...