HDP 03.FreeIPA安装
1、更新系统(ipa-v01、ipa-v02)。未特别说明时,以下步骤在两个节点上都执行
# Base packages on both nodes.  EPEL is enabled first so the later installs
# can resolve packages that only EPEL carries (python-pip is presumably one —
# TODO confirm for this OS release).
yum -y install epel-release
yum -y update
yum -y install bind-utils vim
yum -y install python-pip
# Upgrades the system-wide pip in place (fetched from the configured index).
pip install --upgrade pip
2、cat /etc/resolv.conf
# Generated by NetworkManager
search tianlingqun.com
nameserver 8.8.8.8
3、安装ipa服务
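# FreeIPA server plus the integrated DNS stack.
yum -y install ipa-server
# The original notes read "bindipa-server", which is "bind" and "ipa-server"
# run together by line wrapping; they are two separate package names.
yum -y install ipa-server-dns bind ipa-server bind-dyndb-ldap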
4、pip -V # 查看 pip 版本
5、设置net.ipv6.conf.lo.disable_ipv6 = 0
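# Show any existing IPv6 sysctl entries (no output means none are set yet;
# grep exits 1 in that case, which is fine here).
grep ipv6 /etc/sysctl.conf
# Keep IPv6 enabled on loopback (disable_ipv6 = 0) as step 5 requires, and
# disable it on the other interfaces.  Each key is appended only when it is
# not already present, so re-running this step does not duplicate entries.
for entry in \
  "net.ipv6.conf.all.disable_ipv6 = 1" \
  "net.ipv6.conf.default.disable_ipv6 = 1" \
  "net.ipv6.conf.lo.disable_ipv6 = 0"; do
  grep -qF -- "$entry" /etc/sysctl.conf || printf '%s\n' "$entry" >> /etc/sysctl.conf
done
cat /etc/sysctl.conf
# Distribute the file to every node and reload kernel parameters there.
cd ~/scripts || exit 1
sh ./sync_to_all_node.sh /etc/sysctl.conf /etc/
sh ./ssh_to_all_node.sh "sysctl -p"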
6、安装 ipa server
# Interactive install of the first IPA server with integrated DNS; it prompts
# for the Directory Manager and admin passwords rather than taking them as
# arguments.  --allow-zone-overlap permits creating the zone even if a zone
# for the same name already resolves elsewhere (e.g. the 8.8.8.8 forwarder).
ipa-server-install --setup-dns --allow-zone-overlap
7、备份cacert.p12
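# Back up the CA PKCS#12 bundle with a date suffix.  It contains the CA key
# material, so the copy keeps the original file mode (-p) and is pinned to
# 0600 so it can never end up readable by other local users.
cdate=$(date '+%Y%m%d')
cp -p -- /root/cacert.p12 "/root/cacert.p12.bak.${cdate}" || exit 1
chmod 600 -- "/root/cacert.p12.bak.${cdate}"
ls -l /root/ | grep cacert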
8、查看状态
9、resolv.conf的nameserver被修改为127.0.0.1
10、验证admin密码
11、查询Zone name
12、设置 dnszone 的 allow-sync-ptr 属性
# Allow dynamic A/AAAA updates from clients to also maintain the matching
# PTR records in the reverse zone.
# NOTE(review): "ipa-v01" is given as the forward zone name; IPA zone names
# are normally the DNS domain (the search domain above), so confirm with
# `ipa dnszone-find`.  "X" in the reverse zone is a placeholder for the
# third octet of the 192.168.X.0/24 network the servers live in.
ipa dnszone-mod ipa-v01 --allow-sync-ptr=true
ipa dnszone-mod X.168.192.in-addr.arpa --allow-sync-ptr=true
13、打开IPA Web UI
14、修改resolv.conf ipa-v02
# On ipa-v02: point the resolver at ipa-v01 (192.168.0.189) so the replica
# can resolve the IPA domain before enrollment.  The file should contain the
# lines shown below.
vi /etc/resolv.conf
# Generated by NetworkManager
search tianlingqun.com
nameserver 192.168.0.189
# Verify the edit above took effect.
cat /etc/resolv.conf
15、注释以后能ping通 ipa-v02
16、安装 ipa-server 包
# On ipa-v02: server and DNS packages, needed before ipa-replica-install.
yum -y install ipa-server ipa-server-dns
17、安装 ipa 客户端
# Enroll ipa-v02 as a client of ipa-v01 first; a host is promoted to a
# replica only after it is an enrolled client (interactive prompts).
ipa-client-install
18、在 ipa-v02 服务器上配置 FreeIPA 主从同步:在 alybjf-hdp-ipa-v02 服务器上执行 ipa-replica-install;安装前先将 ipa-v02 服务器添加到 ipaservers
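# Obtain admin credentials for the IPA CLI calls below.
kinit admin
# The replica host must be a member of the "ipaservers" host group before it
# can be promoted.  The host name was wrapped onto its own line in the
# original notes; it is the value of --hosts.
ipa hostgroup-add-member ipaservers --hosts=ipa-v02.tianlingqun.com
# Promote this host to a replica with its own DNS, forwarding to the
# resolvers currently in /etc/resolv.conf (--auto-forwarders).
ipa-replica-install --setup-dns --auto-forwarders --allow-zone-overlap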
执行:ipa-ca-install
19、用 ipactl status 查看各组件的状态
20、执行 ipa-replica-manage list 命令,检查主从配置是否成功
21、两台 ipa 服务器修改 /etc/krb5.conf 文件并
分发到其它节点
修改:
default_ccache_name = FILE:/tmp/krb5cc_%{uid}
添加:
kdc = ipa-v01:88
master_kdc = ipa-v01:88
admin_server = ipa-v01:749
22、用 ipa host-find 可以查到两台 ipa 服务器
kinit admin
23、修改全局密码策略的默认有效期(maxlife/minlife 设为 0 表示密码永不过期):ipa pwpolicy-mod --maxlife=0 --minlife=0 global_policy
24、创建相关账号:
# Create the Hadoop administrator account and add it to "admins", the
# built-in group whose members hold full IPA administrative rights — treat
# its password like the admin password.
ipa user-add hadoopadmin --first=Hadoop --last=Admin
ipa group-add-member admins --users=hadoopadmin
创建密码:ipa passwd hadoopadmin
登录测试:kinit hadoopadmin
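# Group for principals created by Ambari (presumably consumed by its
# Kerberos wizard — TODO confirm).
ipa group-add ambari-managed-principals
# Two narrowly scoped permissions: write access to the krbpasswordexpiration
# attribute only, on user and on service entries respectively.  The second
# command was wrapped across two lines in the original notes ("--" /
# "attrs=..."), which would have left --attrs unparsed; it is one option.
ipa permission-add "Set User Password Expiration" --permissions=write --type=user --attrs=krbpasswordexpiration
ipa permission-add "Set Service Password Expiration" --permissions=write --type=service --attrs=krbpasswordexpiration
# Bundle both permissions into a privilege, attach it to the
# "Security Architect" role, and grant that role to the admins group.
ipa privilege-add "Krbpass admin"
ipa privilege-add-permission "Krbpass admin" --permissions="Set User Password Expiration"
ipa privilege-add-permission "Krbpass admin" --permissions="Set Service Password Expiration"
ipa role-add-privilege "Security Architect" --privileges="Krbpass admin"
ipa role-add-member "Security Architect" --groups=admins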
25、ambari安装ipa客户端
# IPA client package on the Ambari host itself, then on every node via the
# helper script.
yum -y install freeipa-client
sh ~/scripts/ssh_to_all_node.sh "yum -y install freeipa-client"
26、配置ifcfg-enp0s3文件
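# Point every cluster node's resolver at the two IPA DNS servers
# (ipa-v01 = .189, ipa-v02 = .190).  Each DNSn line is appended only if the
# key is not already present, so re-running this step does not stack
# duplicate entries in the interface config.
sh ~/scripts/ssh_to_cluster_node.sh 'grep -q "^DNS1=" /etc/sysconfig/network-scripts/ifcfg-enp0s3 || echo "DNS1=192.168.0.189" >> /etc/sysconfig/network-scripts/ifcfg-enp0s3'
sh ~/scripts/ssh_to_cluster_node.sh 'grep -q "^DNS2=" /etc/sysconfig/network-scripts/ifcfg-enp0s3 || echo "DNS2=192.168.0.190" >> /etc/sysconfig/network-scripts/ifcfg-enp0s3'
# Verify on every node.
sh ~/scripts/ssh_to_cluster_node.sh "grep 'DNS' /etc/sysconfig/network-scripts/ifcfg-enp0s3"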
27、ipa-client 安装所有节点
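# Enroll every node against both IPA servers.  This is a single command; the
# original notes wrapped it across five lines after each "=".
# "hadoopadmin@xxx" is a placeholder: xxx must be the Kerberos realm being
# joined (WAN here).  The enrollment password is entered at the prompt —
# keep it off the command line so it does not land in shell history or `ps`.
ipa-client-install --domain=wan --server=ipa-v01 --server=ipa-v02 --realm=WAN --principal=hadoopadmin@xxx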
28、验证客户端是否全部安装
29、用 ipa host-find |grep "Host name:" 命令验证