...
```bash
#!/usr/bin/env bash
set -e
set -x

# Explicitly add RHEL5/6, SLES11/12 locations to path
export PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:$PATH

KEYTAB_OUT=$1
PRINC=$2
MAX_RENEW_LIFE=$3   # assigned but not used below

IPASERVER=$(ipa env server | sed 's/^ *server: //')

# Authenticate with the admin keytab generated earlier
kinit -kt /opt/cloudera/freeipa/admin.keytab admin

if ipa service-find "$PRINC"; then
  echo "Service principal $PRINC found"
else
  echo "Service principal $PRINC not created, creating"
  ipa service-add "$PRINC" --pac-type=NONE
fi

# "Keytab: False" means the service has no keys yet: creating them only needs the
# admin ticket. Retrieving existing keys (-r) binds as Directory Manager, with the
# password embedded in the script.
if ipa service-show "$PRINC" | grep 'Keytab' | grep 'False'; then
  echo "Creating keytab for $PRINC for $KEYTAB_OUT"
  ipa-getkeytab -s "$IPASERVER" -p "$PRINC" -k "$KEYTAB_OUT"
else
  echo "Retrieving keytab for $PRINC for $KEYTAB_OUT"
  ipa-getkeytab -r -s "$IPASERVER" -p "$PRINC" -k "$KEYTAB_OUT" -D "cn=directory manager" -w hadoop123
fi

chmod 600 "$KEYTAB_OUT"
kdestroy
```
The script has two problems: it cannot directly use the admin keytab that was generated first, and it needs the LDAP (Directory Manager) password written into the script in plain text, which is not safe. Because `set -x` is on, that password is also echoed into the script's trace output every time the retrieve branch runs.
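The following rework, added here as an example and not part of the original post, does the same job without an embedded LDAP password: new keys are created with the admin ticket as before, and existing keys are retrieved with `ipa-getkeytab -r` over GSSAPI after `ipa service-allow-retrieve-keytab` grants admin read access to them. The admin keytab path, the `--pac-type=NONE` flag and the argument order (keytab path, then principal) are taken from the original; the function names, the helpers that parse `ipa env` and `ipa service-show` output, and the assumption that the host is an enrolled IPA client with `ipa` and `ipa-getkeytab` installed are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not the original post's script: ensure a service principal
# exists and write its keytab, with no Directory Manager password anywhere.
# Assumptions: runs on an enrolled IPA client with `ipa`/`ipa-getkeytab`, and the
# admin keytab is at /opt/cloudera/freeipa/admin.keytab as in the original.
set -eu   # no `set -x`: a trace would print every argument, secrets included
export PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:$PATH

ADMIN_KEYTAB=/opt/cloudera/freeipa/admin.keytab

# Parse `ipa env server` output on stdin ("  server: ipa.example.com") into the hostname.
ipa_server_from_env() {
    sed -n 's/^ *server: *//p' | tr -d '[:space:]'
}

# Parse `ipa service-show` output on stdin; exit 0 when "Keytab: True", i.e. the
# service already has keys and a plain ipa-getkeytab would rotate them.
keytab_present() {
    local state
    state=$(sed -n 's/^ *Keytab: *//p' | tr -d '[:space:]')
    [ "$state" = True ]
}

# "-r" when keys exist (retrieve, do not rotate); nothing when they must be created.
retrieve_flag() {
    if [ "$1" = yes ]; then printf '%s' -r; fi
}

sync_keytab() {
    local keytab_out=$1 princ=$2 ipaserver present
    ipaserver=$(ipa env server | ipa_server_from_env)

    kinit -kt "$ADMIN_KEYTAB" admin
    trap kdestroy EXIT

    # service-show is an exact lookup, unlike the substring match of service-find
    if ! ipa service-show "$princ" >/dev/null 2>&1; then
        echo "Service principal $princ not found, creating"
        ipa service-add "$princ" --pac-type=NONE
    fi

    present=no
    if ipa service-show "$princ" | keytab_present; then
        present=yes
        # Grant admin read access to the existing keys so -r works with the
        # Kerberos ticket instead of a Directory Manager bind. On a re-run IPA
        # reports that admin is already a member; that is harmless, hence "|| true".
        ipa service-allow-retrieve-keytab "$princ" --users=admin || true
    fi

    # umask 077 makes the keytab private from the moment it is created, rather
    # than only after a later chmod. retrieve_flag yields one word or nothing.
    (umask 077 && ipa-getkeytab $(retrieve_flag "$present") \
        -s "$ipaserver" -p "$princ" -k "$keytab_out")
    chmod 600 "$keytab_out"
}

# Usage: ./sync_keytab.sh /path/to/out.keytab service/host@REALM
if [ "$#" -eq 2 ]; then
    sync_keytab "$1" "$2"
fi
```

The grant is per service, so on a cluster with many principals it is worth deciding up front whether admin should be able to read every service key, or whether a dedicated "keytab deployer" user with only that right should run this script instead of admin.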
krb5kdc - Kerberos V5 KDC
...