For the Kerberos installation itself, see: https://www.cnblogs.com/barneywill/p/10394164.html

I. Create a principal for CM

# kadmin.local -q "addprinc scm/admin"

The name and password are arbitrary; they are entered later in the CM configuration wizard.

II. CM configuration process

1. Enable Kerberos
2. Select all
3. Fill in the fields according to /etc/krb5.conf
4. (screenshot)
5. Enter the username and password of the principal created above
6. Next
7. Next
8. (screenshot)

You can list the principals that CM created:

# kadmin.local -q 'listprincs'

III. Possible problems

If something goes wrong during the setup, some components may fail to start.

1) Impala

statestored fails to start with:

SASL message (Kerberos (internal)): Couldn't find mech GSSAPI

or catalogd and impalad fail to start with:

I0219 00:31:16.314851 857 statestore-subscriber.cc:238] statestore registration unsuccessful: Couldn't open transport for $server2.bj:24000 (No more data to read.)
F0219 00:31:16.314926 857 catalogd-main.cc:88] Couldn't open transport for $server2.bj:24000 (No more data to read.)
. Impalad exiting.

Check whether the following libraries are installed:

# yum install cyrus-sasl-plain cyrus-sasl-devel cyrus-sasl-gssapi

2) Hue

The Hue Kerberos Ticket Renewer instance fails to start:

INFO kt_renewer
Renewing kerberos ticket to work around kerberos 1.8.1: /bin/kinit -R -c /var/run/hue/hue_krb5_ccache
ERROR kt_renewer
Couldn't renew kerberos ticket in order to work around Kerberos 1.8.1 issue. Please check that the ticket for 'hue/$server1@ANYTHING.COM' is still renewable:
$ klist -f -c /var/run/hue/hue_krb5_ccache
If the 'renew until' date is the same as the 'valid starting' date, the ticket cannot be renewed. Please check your KDC configuration, and the ticket renewal policy (maxrenewlife) for the 'hue/$server1@ANYTHING.COM' and `krbtgt' principals.
[19/Feb/2019 07:32:04 ] settings INFO Welcome to Hue 3.9.0

Reproducing the problem:

# klist -f -c /var/run/hue/hue_krb5_ccache
Ticket cache: FILE:/var/run/hue/hue_krb5_ccache
Default principal: hue/$server1@ANYTHING.COM

Valid starting       Expires              Service principal
02/19/2019 10:06:50  02/20/2019 10:06:50  krbtgt/ANYTHING.COM@ANYTHING.COM
        Flags: FI
# /bin/kinit -R -c /var/run/hue/hue_krb5_ccache
kinit: KDC can't fulfill requested option while renewing credentials

Checks:

1) Check the configuration files

# vi /etc/krb5.conf
ticket_lifetime = 24h
renew_lifetime = 7d
# vi /var/kerberos/krb5kdc/kdc.conf
max_renewable_life = 7d 0h 0m 0s
default_principal_flags = +renewable

2) Check the Maximum renewable life of the krbtgt principal

# kadmin.local -q 'getprinc krbtgt/ANYTHING.COM@ANYTHING.COM'
Principal: krbtgt/ANYTHING.COM@ANYTHING.COM
Expiration date: [never]
Last password change: [never]
Password expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Mon Feb 18 22:02:42 CST 2019 (db_creation@ANYTHING.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 9
Key: vno 1, aes256-cts-hmac-sha1-96
Key: vno 1, aes128-cts-hmac-sha1-96
Key: vno 1, des3-cbc-sha1
Key: vno 1, arcfour-hmac
Key: vno 1, camellia256-cts-cmac
Key: vno 1, camellia128-cts-cmac
Key: vno 1, des-hmac-sha1
Key: vno 1, des-cbc-md5
Key: vno 1, des-cbc-crc
MKey: vno 1
Attributes: LOCKDOWN_KEYS
Policy: [none]

The key line is:

Maximum renewable life: 0 days 00:00:00

Modify the maxrenewlife of krbtgt:

# kadmin.local -q 'modprinc -maxrenewlife "7d" krbtgt/ANYTHING.COM'

If necessary, modify the maxrenewlife of other principals as well:

# kadmin.local -q 'modprinc -maxrenewlife "7d" +allow_renewable $user/$host@ANYTHING.COM'

Delete the ticket cache:

# /bin/rm /var/run/hue/hue_krb5_ccache

Restart the Kerberos Ticket Renewer.
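An added pre-flight check for the Ticket Renewer failure above (example script written for this post, not code from the original article or from Hue/Cloudera; the function names are assumptions): it parses the output of klist -f and kadmin.local getprinc and reports whether the cached ticket carries the R (renewable) flag and whether the krbtgt principal's maximum renewable life is non-zero. The sample outputs embedded in it are constructed from the listings above so that it runs offline.

```shell
# Added example: offline pre-flight checks for the Hue Ticket Renewer failure.
# Function names are hypothetical; the sample outputs are constructed from the post.
# Constructed `klist -f -c /var/run/hue/hue_krb5_ccache` output. A renewable
# ticket carries an R in its Flags line; this one has only F and I.
KLIST_SAMPLE='Ticket cache: FILE:/var/run/hue/hue_krb5_ccache
Default principal: hue/server1@ANYTHING.COM
Valid starting       Expires              Service principal
02/19/2019 10:06:50  02/20/2019 10:06:50  krbtgt/ANYTHING.COM@ANYTHING.COM
        Flags: FI'

# Constructed (trimmed) `kadmin.local -q "getprinc krbtgt/ANYTHING.COM"` output.
GETPRINC_SAMPLE='Principal: krbtgt/ANYTHING.COM@ANYTHING.COM
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00'

# ticket_is_renewable KLIST_OUTPUT: succeeds if any Flags line contains R.
ticket_is_renewable() {
    printf '%s\n' "$1" | awk '
        /Flags:/ { split($0, a, "Flags:"); if (index(a[2], "R")) ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# max_renewable_seconds GETPRINC_OUTPUT: "D days HH:MM:SS" -> seconds, -1 if absent.
max_renewable_seconds() {
    printf '%s\n' "$1" | awk -F': ' '
        /^Maximum renewable life:/ {
            split($2, p, " "); split(p[3], t, ":")
            print p[1]*86400 + t[1]*3600 + t[2]*60 + t[3]; found = 1; exit
        }
        END { if (!found) print "-1" }'
}

# check_renewer_preconditions KLIST_OUTPUT GETPRINC_OUTPUT: report both checks; succeed only if both pass.
check_renewer_preconditions() {
    rc=0
    if ticket_is_renewable "$1"; then
        echo "ticket cache: renewable (R flag present)"
    else
        echo "ticket cache: NOT renewable (no R flag), kinit -R will fail"; rc=1
    fi
    secs=$(max_renewable_seconds "$2")
    if [ "$secs" -gt 0 ]; then
        echo "krbtgt maxrenewlife: ${secs}s"
    else
        echo "krbtgt maxrenewlife is 0 or unset: raise it with modprinc -maxrenewlife"; rc=1
    fi
    return $rc
}
check_renewer_preconditions "$KLIST_SAMPLE" "$GETPRINC_SAMPLE" || echo "renewer would fail"
```

On a live host, pass "$(klist -f -c /var/run/hue/hue_krb5_ccache)" and "$(kadmin.local -q 'getprinc krbtgt/ANYTHING.COM@ANYTHING.COM')" instead of the samples; the post's failing case fails both checks.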

3) Activity Monitor reports an error

ERROR Main
Failed to start Firehose
java.lang.RuntimeException: java.util.concurrent.ExecutionException: java.lang.RuntimeException: java.io.IOException: Login failure for hue/$server1@ANYTHING.COM from keytab cmon.keytab
...
Caused by: KrbException: no supported default etypes for default_tkt_enctypes

Look up default_tkt_enctypes:

# vi /etc/krb5.conf
default_tkt_enctypes = aes256-cts

Find cmon.keytab:

# find /opt -name cmon.keytab
/opt/cloudera-manager/cm-5.16.1/run/cloudera-scm-agent/process/240-cloudera-mgmt-ACTIVITYMONITOR/cmon.keytab

View the principals and key types in the keytab:

# klist -k /opt/cloudera-manager/cm-5.16.1/run/cloudera-scm-agent/process/240-cloudera-mgmt-ACTIVITYMONITOR/cmon.keytab
Keytab name: FILE:/opt/cloudera-manager/cm-5.16.1/run/cloudera-scm-agent/process/240-cloudera-mgmt-ACTIVITYMONITOR/cmon.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 hue/$server1@ANYTHING.COM (aes256-cts-hmac-sha1-96)
2 hue/$server1@ANYTHING.COM (aes128-cts-hmac-sha1-96)
2 hue/$server1@ANYTHING.COM (des3-cbc-sha1)
2 hue/$server1@ANYTHING.COM (arcfour-hmac)
2 hue/$server1@ANYTHING.COM (camellia256-cts-cmac)
2 hue/$server1@ANYTHING.COM (camellia128-cts-cmac)
2 hue/$server1@ANYTHING.COM (des-hmac-sha1)
2 hue/$server1@ANYTHING.COM (des-cbc-md5)

aes256-cts is indeed not there, so modify:

# vi /etc/krb5.conf

default_tgs_enctypes = aes256-cts des3-cbc-sha1
default_tkt_enctypes = aes256-cts des3-cbc-sha1
permitted_enctypes = aes256-cts des3-cbc-sha1

Restart Activity Monitor.

4) If you encounter

[javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)]]

See: https://www.cnblogs.com/barneywill/p/10540008.html

Reposted from: https://www.cnblogs.com/barneywill/p/10398663.html
