CDH version 5.7.
Enabling Kerberos from Cloudera Manager fails. The configuration files are as follows:
/etc/krb5.conf
[libdefaults]
default_realm = BIGDATA.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 7d
#ticket_lifetime = 2147483647
renew_lifetime = 30d
#renew_lifetime = 2147483647
forwardable = true
#renewable = true
[realms]
BIGDATA.COM = {
  kdc = bigdata-m-003
  admin_server = bigdata-m-003
}
[domain_realm]
.bigdata.com = BIGDATA.COM
bigdata.com = BIGDATA.COM
/var/kerberos/krb5kdc/kadm5.acl
*/admin@BIGDATA.COM *
/var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
BIGDATA.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = rc4-hmac:normal aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
  max_life = 1d 0h 0m 0s
  max_renewable_life = 5d 0h 0m 0s
}
In the Cloudera Manager "Enable Kerberos" wizard I kept the defaults almost everywhere: KDC type MIT KDC, encryption type rc4-hmac, "Maximum Renewable Life for Principals" set to 0, "Manage krb5.conf through Cloudera Manager" checked, and the "Import KDC Account Manager Credentials" step completed without errors. The enablement steps after that fail, however.
The problem has shown two symptoms, one after the other:
1. While the environment still contained hostnames with uppercase letters, for example a host named Bigdata-m-001, the credentials for the Hadoop components were generated normally, e.g. HTTP/Bigdata-m-001@BIGDATA.COM, but on component startup the service failed to start because HTTP/bigdata-m-001@BIGDATA.COM could not be found. After investigating in several places, the conclusion was that hostnames should not contain uppercase letters.
2. After changing all hostnames to lowercase, every hostname-related setting in Cloudera Manager was updated to lowercase as well. With Kerberos disabled the cluster runs fine. With Kerberos enabled, at the "Generate Missing Credentials" step only the following credentials are generated successfully. All the others, e.g. HTTP/bigdata-m-001@BIGDATA.COM, are not generated at all, and there is no error message whatsoever.
Could someone please take a look at what is going on here and how to fix it?
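The two symptoms above (a principal that exists only in a different case than the one the service asks for, and principals that silently never get created) are both things you can check on the KDC before re-running the wizard, and the posted kdc.conf also offers single-DES and RC4 enctypes while kadm5.acl grants every */admin principal full rights, which is worth tightening once the cluster works. The following script is an added example, not part of the original post and not Cloudera's own tooling. It assumes you have run `kadmin.local -q listprincs` on the KDC host and pasted its output; the hostnames, listprincs output and kdc.conf fragment embedded below are constructed sample data, and the function names are my own.

```python
"""Pre-flight checks for an MIT Kerberos KDC used with CDH (added example).

Three checks a practitioner would run around the Cloudera Manager wizard:
  1. hostnames that are not all-lowercase (Kerberos principals are
     case-sensitive, so HTTP/Bigdata-m-001@REALM and HTTP/bigdata-m-001@REALM
     are two different keys);
  2. expected service principals missing from the KDC, with case-only
     mismatches reported separately, parsed from `kadmin.local -q listprincs`;
  3. weak enctypes on the kdc.conf `supported_enctypes` line.
The HOSTS, LISTPRINCS and KDC_CONF values below are constructed sample data.
"""
import re

# Enctypes a KDC should no longer offer: single DES and RC4
# (arcfour-hmac is an alias of rc4-hmac); triple DES is deprecated too.
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md5", "des-hmac-sha1",
    "des3-hmac-sha1", "des3-cbc-sha1",
    "rc4-hmac", "arcfour-hmac",
}


def uppercase_hosts(hosts):
    """Hostnames containing at least one uppercase letter."""
    return [h for h in hosts if h != h.lower()]


def expected_principals(hosts, services, realm):
    """service/host@REALM for every host and service, hosts lowercased."""
    return {f"{svc}/{h.lower()}@{realm}" for h in hosts for svc in services}


def parse_listprincs(output):
    """Principal names from `kadmin.local -q listprincs`; skips the banner line."""
    return {ln.strip() for ln in output.splitlines()
            if re.fullmatch(r"[^\s@]+@[^\s@]+", ln.strip())}


def check_principals(hosts, services, realm, listprincs_output):
    """Return (missing, case_mismatches).

    missing: expected principals with no entry at all in the KDC;
    case_mismatches: {expected: existing} where the KDC entry differs only
    in letter case (symptom 1 in the post).
    """
    existing = parse_listprincs(listprincs_output)
    by_lower = {p.lower(): p for p in existing}
    missing, mismatches = [], {}
    for exp in sorted(expected_principals(hosts, services, realm)):
        if exp in existing:
            continue
        if exp.lower() in by_lower:
            mismatches[exp] = by_lower[exp.lower()]
        else:
            missing.append(exp)
    return missing, mismatches


def parse_supported_enctypes(kdc_conf_text):
    """Enctype names (without the :salt suffix) from a kdc.conf realm stanza."""
    m = re.search(r"^\s*supported_enctypes\s*=\s*(.+?)\s*$", kdc_conf_text, re.M)
    return [tok.split(":")[0] for tok in m.group(1).split()] if m else []


def weak_enctypes(kdc_conf_text):
    """Enctypes from supported_enctypes that are on the weak list, in file order."""
    return [e for e in parse_supported_enctypes(kdc_conf_text) if e in WEAK_ENCTYPES]


# ---- constructed sample data (not real cluster output) ----
HOSTS = ["Bigdata-m-001", "bigdata-m-002", "bigdata-m-003"]
SERVICES = ["HTTP", "hdfs"]
REALM = "BIGDATA.COM"
LISTPRINCS = """\
Authenticating as principal root/admin@BIGDATA.COM with password.
HTTP/Bigdata-m-001@BIGDATA.COM
HTTP/bigdata-m-002@BIGDATA.COM
hdfs/bigdata-m-002@BIGDATA.COM
hdfs/bigdata-m-003@BIGDATA.COM
K/M@BIGDATA.COM
kadmin/admin@BIGDATA.COM
krbtgt/BIGDATA.COM@BIGDATA.COM
"""
KDC_CONF = """\
[realms]
BIGDATA.COM = {
  supported_enctypes = rc4-hmac:normal aes256-cts:normal aes128-cts:normal des-cbc-crc:normal
}
"""

if __name__ == "__main__":
    print("hosts with uppercase letters:", uppercase_hosts(HOSTS))
    missing, mism = check_principals(HOSTS, SERVICES, REALM, LISTPRINCS)
    print("missing principals:", missing)
    print("case-only mismatches:", mism)
    print("weak enctypes in kdc.conf:", weak_enctypes(KDC_CONF))
```

On a real cluster, replace HOSTS with the hostnames as Cloudera Manager shows them and LISTPRINCS with the actual kadmin.local output; a non-empty case-mismatch map means the KDC still holds principals created under the old mixed-case names, and a long "missing" list after the wizard ran confirms that the generation step did nothing for those services, which is the place to look next.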