FreeIPA主从+HDP3.0.0安装配置.

50 阅读 0 评论 33 点赞

我是靠谱客的博主暴躁月光，最近开发中收集的这篇文章主要介绍FreeIPA主从+HDP3.0.0安装配置.，觉得挺不错的，现在分享给大家，希望可以做个参考。

概述

-- 安装后的效果如上三图所示，其中最后一张图，你可以看到: KDC Type=Existing IPA

-- 大家安装时若遇到问题欢迎加QQ群进一步交流：661945126

-- 参考：https://blog.csdn.net/Post_Yuan/article/details/78204957
https://github.com/emaxwell-hw/HDP-2.5-Security-FreeIPA

-- 官方建议参考：
https://www.freeipa.org/page/Deployment_Recommendations#Considerations_for_Active_Directory_integration
https://www.freeipa.org/page/Deployment_Recommendations
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/install-server#install-determine-dns
https://www.freeipa.org/page/Quick_Start_Guide
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/installing-ipa
https://community.hortonworks.com/questions/11288/kerberos-cache-in-ipa-redhat-idm-keyring-solved.html
https://stackoverflow.com/questions/30943614/hadoop-kerberos-security
https://www.freeipa.org/page/Trusts
https://github.com/freeipa/freeipa/blob/master/install/share/krb5.conf.template

-- 操作系统：CentOS 7

-- hdp3 cluster 服务器信息
192.168.11.101 wfldap001.wanfeng.com wfldap001
192.168.11.102 wfldap002.wanfeng.com wfldap002
192.168.11.103 wfambari.wanfeng.com wfambari
192.168.11.104 wfclient001.wanfeng.com wfclient001
192.168.11.105 wfnn001.wanfeng.com wfnn001
192.168.11.106 wfnn002.wanfeng.com wfnn002
192.168.11.107 wfdn001.wanfeng.com wfdn001
192.168.11.108 wfdn002.wanfeng.com wfdn002
192.168.11.109 wfdn003.wanfeng.com wfdn003

-- ipa 版本
[root@wfldap001 run]# ipa --version
VERSION: 4.5.4, API_VERSION: 2.228

-- Ambari 版本 2.7.0.0
-- HDP 版本：3.0.0 ( 详细版本：3_0_0_0_1634 )

------------------------------------------------------------------------------------------------------
-- ################################################################################################ --
-- ################################################################################################ --
-- ################################################################################################ --

-- 篇章一 ipa 初步安装篇

-- 注意：操作前，先搭建 dns 域名解析服务器(不需要主从，只要 systemctl start named 能正常启动就OK了)

yum -y install rng-tools
systemctl start rngd
systemctl enable rngd

yum -y install ntp ipa-server ipa-server-dns
systemctl enable ntpd
systemctl start ntpd

vi /etc/named.conf -- 将以下两个参数改为 yes
dnssec-enable yes;
dnssec-validation yes;

------------------------------------------------------------------------------------------------------
-- ################################################################################################ --
-- 安装前 cat /etc/resolv.conf
[root@wfldap001 ~]# cat /etc/resolv.conf
nameserver 127.0.0.1
nameserver 8.8.8.8

-- 整个安装过程，控制台输出如下：
ipa-server-install --allow-zone-overlap

[[root@wfldap001 ~]# ipa-server-install --allow-zone-overlap

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the Network Time Daemon (ntpd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

WARNING: conflicting time&date synchronization service 'chronyd' will be disabled
in favor of ntpd

Do you want to configure integrated DNS (BIND)? [no]: yes

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.

Server host name [wfldap001.wanfeng.com]:

Warning: skipping DNS resolution of host wfldap001.wanfeng.com
The domain name has been determined based on the host name.

Please confirm the domain name [wanfeng.com]:

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [WANFENG.COM]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password:
Password (confirm):

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password:
Password (confirm):

Checking DNS domain wanfeng.com., please wait ...
Do you want to configure DNS forwarders? [yes]: yes
Following DNS servers are configured in /etc/resolv.conf: 127.0.0.1, 8.8.8.8
Do you want to configure these servers as DNS forwarders? [yes]: yes
All DNS servers from /etc/resolv.conf were added. You can enter additional addresses now:
Enter an IP address for a DNS forwarder, or press Enter to skip:
Checking DNS forwarders, please wait ...
DNS server 8.8.8.8: answer to query '. SOA' is missing DNSSEC signatures (no RRSIG data)
Please fix forwarder configuration to enable DNSSEC support.
(For BIND 9 add directive "dnssec-enable yes;" to "options {}")
WARNING: DNSSEC validation will be disabled
Do you want to search for missing reverse zones? [yes]: yes
Do you want to create reverse zone for IP 192.168.11.101 [yes]: yes
Please specify the reverse zone name [11.168.192.in-addr.arpa.]:
Using reverse zone(s) 11.168.192.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname: wfldap001.wanfeng.com
IP address(es): 192.168.11.101
Domain name: wanfeng.com
Realm name: WANFENG.COM

BIND DNS server will be configured to serve IPA domain with:
Forwarders: 127.0.0.1, 8.8.8.8
Forward policy: only
Reverse zone(s): 11.168.192.in-addr.arpa.

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/45]: creating directory server instance
[2/45]: enabling ldapi
[3/45]: configure autobind for root
[4/45]: stopping directory server
[5/45]: updating configuration in dse.ldif
[6/45]: starting directory server
[7/45]: adding default schema
[8/45]: enabling memberof plugin
[9/45]: enabling winsync plugin
[10/45]: configuring replication version plugin
[11/45]: enabling IPA enrollment plugin
[12/45]: configuring uniqueness plugin
[13/45]: configuring uuid plugin
[14/45]: configuring modrdn plugin
[15/45]: configuring DNS plugin
[16/45]: enabling entryUSN plugin
[17/45]: configuring lockout plugin
[18/45]: configuring topology plugin
[19/45]: creating indices
[20/45]: enabling referential integrity plugin
[21/45]: configuring certmap.conf
[22/45]: configure new location for managed entries
[23/45]: configure dirsrv ccache
[24/45]: enabling SASL mapping fallback
[25/45]: restarting directory server
[26/45]: adding sasl mappings to the directory
[27/45]: adding default layout
[28/45]: adding delegation layout
[29/45]: creating container for managed entries
[30/45]: configuring user private groups
[31/45]: configuring netgroups from hostgroups
[32/45]: creating default Sudo bind user
[33/45]: creating default Auto Member layout
[34/45]: adding range check plugin
[35/45]: creating default HBAC rule allow_all
[36/45]: adding entries for topology management
[37/45]: initializing group membership
[38/45]: adding master entry
[39/45]: initializing domain level
[40/45]: configuring Posix uid/gid generation
[41/45]: adding replication acis
[42/45]: activating sidgen plugin
[43/45]: activating extdom plugin
[44/45]: tuning directory server
[45/45]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
[1/10]: adding kerberos container to the directory
[2/10]: configuring KDC
[3/10]: initialize kerberos container
[4/10]: adding default ACIs
[5/10]: creating a keytab for the directory
[6/10]: creating a keytab for the machine
[7/10]: adding the password extension to the directory
[8/10]: creating anonymous principal
[9/10]: starting the KDC
[10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
[1/2]: starting kadmin
[2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa-custodia
[1/5]: Making sure custodia container exists
[2/5]: Generating ipa-custodia config file
[3/5]: Generating ipa-custodia keys
[4/5]: starting ipa-custodia
[5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/29]: configuring certificate server instance
[2/29]: exporting Dogtag certificate store pin
[3/29]: stopping certificate server instance to update CS.cfg
[4/29]: backing up CS.cfg
[5/29]: disabling nonces
[6/29]: set up CRL publishing
[7/29]: enable PKIX certificate path discovery and validation
[8/29]: starting certificate server instance
[9/29]: configure certmonger for renewals
[10/29]: requesting RA certificate from CA
[11/29]: setting up signing cert profile
[12/29]: setting audit signing renewal to 2 years
[13/29]: restarting certificate server
[14/29]: publishing the CA certificate
[15/29]: adding RA agent as a trusted user
[16/29]: authorizing RA to modify profiles
[17/29]: authorizing RA to manage lightweight CAs
[18/29]: Ensure lightweight CAs container exists
[19/29]: configure certificate renewals
[20/29]: configure Server-Cert certificate renewal
[21/29]: Configure HTTP to proxy connections
[22/29]: restarting certificate server
[23/29]: updating IPA configuration
[24/29]: enabling CA instance
[25/29]: migrating certificate profiles to LDAP
[26/29]: importing IPA certificate profiles
[27/29]: adding default CA ACL
[28/29]: adding 'ipa' CA entry
[29/29]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv)
[1/3]: configuring TLS for DS instance
[2/3]: adding CA certificate entry
[3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring ipa-otpd
[1/2]: starting ipa-otpd
[2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd)
[1/22]: stopping httpd
[2/22]: setting mod_nss port to 443
[3/22]: setting mod_nss cipher suite
[4/22]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
[5/22]: setting mod_nss password file
[6/22]: enabling mod_nss renegotiate
[7/22]: disabling mod_nss OCSP
[8/22]: adding URL rewriting rules
[9/22]: configuring httpd
[10/22]: setting up httpd keytab
[11/22]: configuring Gssproxy
[12/22]: setting up ssl
[13/22]: configure certmonger for renewals
[14/22]: importing CA certificates from LDAP
[15/22]: publish CA cert
[16/22]: clean up any existing httpd ccaches
[17/22]: configuring SELinux for httpd
[18/22]: create KDC proxy config
[19/22]: enable KDC proxy
[20/22]: starting httpd
[21/22]: configuring httpd to start on boot
[22/22]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring Kerberos KDC (krb5kdc)
[1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/9]: stopping directory server
[2/9]: saving configuration
[3/9]: disabling listeners
[4/9]: enabling DS global lock
[5/9]: starting directory server
[6/9]: upgrading server
[7/9]: stopping directory server
[8/9]: restoring configuration
[9/9]: starting directory server
Done.
Restarting the KDC
Configuring DNS (named)
[1/12]: generating rndc key file
[2/12]: adding DNS container
[3/12]: setting up our zone
[4/12]: setting up reverse zone
[5/12]: setting up our own record
[6/12]: setting up records for other masters
[7/12]: adding NS record to the zones
[8/12]: setting up kerberos principal
[9/12]: setting up named.conf
[10/12]: setting up server configuration
[11/12]: configuring named to start on boot
[12/12]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)
[1/7]: checking status
[2/7]: setting up bind-dyndb-ldap working directory
[3/7]: setting up kerberos principal
[4/7]: setting up SoftHSM
[5/7]: adding DNSSEC containers
[6/7]: creating replica keys
[7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Configuring client side components
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: wfldap001.wanfeng.com
Realm: WANFENG.COM
DNS Domain: wanfeng.com
IPA Server: wfldap001.wanfeng.com
BaseDN: dc=wanfeng,dc=com

Skipping synchronizing time with NTP server.
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
trying https://wfldap001.wanfeng.com/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://wfldap001.wanfeng.com/ipa/json'
trying https://wfldap001.wanfeng.com/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://wfldap001.wanfeng.com/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://wfldap001.wanfeng.com/ipa/session/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://wfldap001.wanfeng.com/ipa/session/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring wanfeng.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

==============================================================================
Setup complete

Next steps:
   1. You must make sure these network ports are open:
       TCP Ports:
       * 80, 443: HTTP/HTTPS
       * 389, 636: LDAP/LDAPS
       * 88, 464: kerberos
       * 53: bind
       UDP Ports:
       * 88, 464: kerberos
       * 53: bind
       * 123: ntp

   2. You can now obtain a kerberos ticket using the command: 'kinit admin'
   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
   and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password

cp /root/cacert.p12 /root/cacert.p12.bak.20180725

-- 安装后，发现 /etc/resolv.conf 文件被修改：

[root@wfldap001 var]# cat /etc/resolv.conf
search wanfeng.com
nameserver 127.0.0.1

-----------------------------------------------------------------------------
-- 用 ipactl status 发现有 10 个组件是 RUNNING 状态

[root@wfldap001 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

-----------------------------------------------------------------------------

打开IPA Web UI
https://wfldap001.wanfeng.com/ipa/ui

-----------------------------------------------------------------------------
[root@wfldap001 ~]# kinit admin
Password for admin@WANFENG.COM: bee56915

-----------------------------------------------------------------------------
[root@wfldap001 ~]# ipa dnszone-find --all | grep "Zone name"
Zone name: 11.168.192.in-addr.arpa.
Zone name: wanfeng.com.

[root@wfldap001 ~]# ipa dnszone-mod wanfeng.com --allow-sync-ptr=true
Zone name: wanfeng.com.
Active zone: TRUE
Authoritative nameserver: wfldap001.wanfeng.com.
Administrator e-mail address: hostmaster.wanfeng.com.
SOA serial: 1532594055
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
Allow query: any;
Allow transfer: none;
Allow PTR sync: TRUE
You have new mail in /var/spool/mail/root

-----------------------------------------------------------------------------

HDP does not support the in-memory keyring storage of the Kerberos credential cache. Edit the /etc/krb5.conf file and change:

default_ccache_name = KEYRING:persistent:%{uid}
to
default_ccache_name = FILE:/tmp/krb5cc_%{uid}

-- 在 wfldap001.wanfeng.com 上创建用于安装 wfldap002.wanfeng.com 的replica文件

ipa-replica-prepare wfldap002.wanfeng.com

[root@wfldap001 ~]# ipa-replica-prepare wfldap002.wanfeng.com

Replica creation using 'ipa-replica-prepare' to generate replica file
is supported only in 0-level IPA domain.

The current IPA domain level is 1 and thus the replica must
be created by promoting an existing IPA client.

To set up a replica use the following procedure:
1.) set up a client on the host using 'ipa-client-install'
2.) promote the client to replica running 'ipa-replica-install'
*without* replica file specified

'ipa-replica-prepare' is allowed only in domain level 0
The ipa-replica-prepare command failed.

----------------------------------------------------------------------------

-- 以上操作报错：所以，先在 wfldap002 服务器安装 ipa-client

[root@wfldap001 named]# ipa host-add --force --ip-address=192.168.11.102 wfldap002.wanfeng.com
ipa: ERROR: IP address 192.168.11.102 is already assigned in domain wanfeng.com..

-- 检查是否添加成功：( 注意：此时 wfldap002 没有 SSH public key fingerprint 信息 )
[root@wfldap001 named]# ipa host-find
---------------
2 hosts matched
---------------
Host name: wfldap001.wanfeng.com
Principal name: host/wfldap001.wanfeng.com@WANFENG.COM
Principal alias: host/wfldap001.wanfeng.com@WANFENG.COM
SSH public key fingerprint: SHA256:Miz4TWxXUNl6vUBHNPNjovyGi5DgGXzACndNxnMQgYI (ssh-rsa),
SHA256:7F/Az4A47NNJOiYddrWcIsJGJA47IfFUXrNjtr30sRg (ecdsa-sha2-nistp256),
SHA256:D0gGCAjO4BuYQZEsKfah3EKaCir8/FSa1ulmyJi+KSw (ssh-ed25519)

Host name: wfldap002.wanfeng.com
Principal name: host/wfldap002.wanfeng.com@WANFENG.COM
Principal alias: host/wfldap002.wanfeng.com@WANFENG.COM
----------------------------
Number of entries returned 2
----------------------------

-- 最后：所有添加的主机信息列表如下：
[root@wfldap002 ~]# ipa host-find |grep "Host name"
Host name: wfambari.wanfeng.com
Host name: wfclient001.wanfeng.com
Host name: wfdn001.wanfeng.com
Host name: wfdn002.wanfeng.com
Host name: wfdn003.wanfeng.com
Host name: wfldap001.wanfeng.com
Host name: wfldap002.wanfeng.com
Host name: wfnn001.wanfeng.com
Host name: wfnn002.wanfeng.com

[root@wfldap002 ~]# cat /etc/resolv.conf
search wanfeng.com
nameserver 192.168.11.101

-- 并在 /etc/hosts 文件中注释以下两行：

# 192.168.11.101 wfldap001.wanfeng.com wfldap001
# 192.168.11.102 wfldap002.wanfeng.com wfldap002

-- 注释后，若还能 ping 通，说明 dns 解析生效了
ping wfldap001

-- 在 wfldap002 服务器安装 ipa-client-install 安装过程，整个控制台输出如下：

[root@wfldap002 ~]# ipa-client-install
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Discovery was successful!
Client hostname: wfldap002.wanfeng.com
Realm: WANFENG.COM
DNS Domain: wanfeng.com
IPA Server: wfldap001.wanfeng.com
BaseDN: dc=wanfeng,dc=com

Continue to configure the system with these values? [no]: yes
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for admin@WANFENG.COM:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=WANFENG.COM
Issuer: CN=Certificate Authority,O=WANFENG.COM
Valid From: 2018-07-26 12:28:14
Valid Until: 2038-07-26 12:28:14

Enrolled in IPA realm WANFENG.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm WANFENG.COM
trying https://wfldap001.wanfeng.com/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://wfldap001.wanfeng.com/ipa/json'
trying https://wfldap001.wanfeng.com/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://wfldap001.wanfeng.com/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://wfldap001.wanfeng.com/ipa/session/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://wfldap001.wanfeng.com/ipa/session/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring wanfeng.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

[root@wfldap002 slaves]# kinit admin
Password for admin@WANFENG.COM: bee56915
[root@wfldap002 slaves]#
[root@wfldap002 slaves]#
[root@wfldap002 slaves]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@WANFENG.COM

Valid starting Expires Service principal
07/25/2018 11:08:25 07/26/2018 11:08:22 krbtgt/WANFENG.COM@WANFENG.COM

------------------------------------------------------------------------------------------------------
-- ################################################################################################ --
-- 在 wfldap002 服务器安装 ipa-replica-install 安装过程，整个控制台输出如下：

[root@wfldap002 ~]# ipa-replica-install
WARNING: cannot check if port 443 is already configured
httpd returned error when checking: Command '/usr/sbin/httpd -t -D DUMP_VHOSTS' returned non-zero exit status 1
WARNING: conflicting time&date synchronization service 'chronyd' will
be disabled in favor of ntpd

Run connection check to master
Connection check OK
Configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/42]: creating directory server instance
[2/42]: enabling ldapi
[3/42]: configure autobind for root
[4/42]: stopping directory server
[5/42]: updating configuration in dse.ldif
[6/42]: starting directory server
[7/42]: adding default schema
[8/42]: enabling memberof plugin
[9/42]: enabling winsync plugin
[10/42]: configuring replication version plugin
[11/42]: enabling IPA enrollment plugin
[12/42]: configuring uniqueness plugin
[13/42]: configuring uuid plugin
[14/42]: configuring modrdn plugin
[15/42]: configuring DNS plugin
[16/42]: enabling entryUSN plugin
[17/42]: configuring lockout plugin
[18/42]: configuring topology plugin
[19/42]: creating indices
[20/42]: enabling referential integrity plugin
[21/42]: configuring certmap.conf
[22/42]: configure new location for managed entries
[23/42]: configure dirsrv ccache
[24/42]: enabling SASL mapping fallback
[25/42]: restarting directory server
[26/42]: creating DS keytab
[27/42]: ignore time skew for initial replication
[28/42]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 3 seconds elapsed
Update succeeded

[29/42]: prevent time skew after initial replication
[30/42]: adding sasl mappings to the directory
[31/42]: updating schema
[32/42]: setting Auto Member configuration
[33/42]: enabling S4U2Proxy delegation
[34/42]: initializing group membership
[35/42]: adding master entry
[36/42]: initializing domain level
[37/42]: configuring Posix uid/gid generation
[38/42]: adding replication acis
[39/42]: activating sidgen plugin
[40/42]: activating extdom plugin
[41/42]: tuning directory server
[42/42]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
[1/5]: configuring KDC
[2/5]: adding the password extension to the directory
[3/5]: creating anonymous principal
[4/5]: starting the KDC
[5/5]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
[1/2]: starting kadmin
[2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
[1/3]: configuring TLS for DS instance
[2/3]: importing CA certificates from LDAP
[3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring the web interface (httpd)
[1/22]: stopping httpd
[2/22]: setting mod_nss port to 443
[3/22]: setting mod_nss cipher suite
[4/22]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
[5/22]: setting mod_nss password file
[6/22]: enabling mod_nss renegotiate
[7/22]: disabling mod_nss OCSP
[8/22]: adding URL rewriting rules
[9/22]: configuring httpd
[10/22]: setting up httpd keytab
[11/22]: configuring Gssproxy
[12/22]: setting up ssl
[13/22]: configure certmonger for renewals
[14/22]: importing CA certificates from LDAP
[15/22]: publish CA cert
[16/22]: clean up any existing httpd ccaches
[17/22]: configuring SELinux for httpd
[18/22]: create KDC proxy config
[19/22]: enable KDC proxy
[20/22]: starting httpd
[21/22]: configuring httpd to start on boot
[22/22]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring ipa-otpd
[1/2]: starting ipa-otpd
[2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring ipa-custodia
[1/4]: Generating ipa-custodia config file
[2/4]: Generating ipa-custodia keys
[3/4]: starting ipa-custodia
[4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd)
[1/2]: configure certmonger for renewals
[2/2]: Importing RA key
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)
[1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/9]: stopping directory server
[2/9]: saving configuration
[3/9]: disabling listeners
[4/9]: enabling DS global lock
[5/9]: starting directory server
[6/9]: upgrading server
[7/9]: stopping directory server
[8/9]: restoring configuration
[9/9]: starting directory server
Done.
Restarting the KDC

-- 检查主从配置是否成功：
ipa-replica-manage list

[root@wfldap001 ~]# ipa-replica-manage list
wfldap002.wanfeng.com: master
wfldap001.wanfeng.com: master

[root@wfldap002 ~]# ipa-replica-manage list
wfldap002.wanfeng.com: master
wfldap001.wanfeng.com: master

------------------------------------------------------------------------------------------------------
-- 再次执行 ipa host-fid ：( 发现：此时 wfldap002 已经有 SSH public key fingerprint 信息 )

[root@wfldap001 ~]# ipa host-find
---------------
2 hosts matched
---------------
Host name: wfldap001.wanfeng.com
Principal name: host/wfldap001.wanfeng.com@WANFENG.COM
Principal alias: host/wfldap001.wanfeng.com@WANFENG.COM
SSH public key fingerprint: SHA256:Miz4TWxXUNl6vUBHNPNjovyGi5DgGXzACndNxnMQgYI (ssh-rsa),
SHA256:7F/Az4A47NNJOiYddrWcIsJGJA47IfFUXrNjtr30sRg (ecdsa-sha2-nistp256),
SHA256:D0gGCAjO4BuYQZEsKfah3EKaCir8/FSa1ulmyJi+KSw (ssh-ed25519)

Host name: wfldap002.wanfeng.com
Principal name: host/wfldap002.wanfeng.com@WANFENG.COM
Principal alias: host/wfldap002.wanfeng.com@WANFENG.COM
SSH public key fingerprint: SHA256:Miz4TWxXUNl6vUBHNPNjovyGi5DgGXzACndNxnMQgYI (ssh-rsa),
SHA256:7F/Az4A47NNJOiYddrWcIsJGJA47IfFUXrNjtr30sRg (ecdsa-sha2-nistp256),
SHA256:D0gGCAjO4BuYQZEsKfah3EKaCir8/FSa1ulmyJi+KSw (ssh-ed25519)
----------------------------
Number of entries returned 2
----------------------------

------------------------------------------------------------------------------------------------------
-- 最后，你将发现 wfldap002 比 wfldap001 少了 named, pki-tomcatd, ipa-dnskeysyncd 这三个组件。
-- 具体是为什么：有待进一步了解（但我估计是安装方法有点问题，所以想卸载再安装)。

[root@wfldap002 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful

-- ipa 卸载
-- 参考： https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/identity_management_guide/removing-replica

-- 先在 wfldap001 上执行
[root@wfldap001 ~]# ipa-replica-manage del wfldap002.wanfeng.com
Updating DNS system records
ipa: WARNING: Failed to cleanup wfldap002.wanfeng.com DNS entries: no matching entry found
ipa: WARNING: You may need to manually remove them from the tree
------------------------------------------
Deleted IPA server "wfldap002.wanfeng.com"
------------------------------------------
You have new mail in /var/spool/mail/root

-- 然后在 wfldap002 上执行
[root@wfldap002 ~]# ipa-server-install --uninstall -U

-- 然后在 wfldap001 上执行
[root@wfldap001 ~]# ipa-server-install --uninstall

-- 然后重启 wfldap001, wfldap002

-- 篇章二 ipa 再安装篇
------------------------------------------------------------------------------------------------------
-- ################################################################################################ --
-- Step 1. 先在 wfldap001 和 wfldap002 上 disable chronyd

systemctl disable chronyd
systemctl stop chronyd

------------------------------------------------------------------------------------------------------
-- ################################################################################################ --
-- Step 2. 在 wfldap001 上安装 ip-server （详细输出如下)
-- 安装前，先在 wfldap001 上编辑 /etc/resolv.conf 文件
[root@wfldap001 ~]# cat /etc/resolv.conf
nameserver 127.0.0.1
nameserver 192.168.11.102

/etc/resolv.conf

[root@wfldap001 ~]# ipa-server-install --allow-zone-overlap

To accept the default shown in brackets, press the Enter key.

WARNING: conflicting time&date synchronization service 'chronyd' will be disabled
in favor of ntpd

Do you want to configure integrated DNS (BIND)? [no]: yes

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.

Server host name [wfldap001.wanfeng.com]:

Warning: skipping DNS resolution of host wfldap001.wanfeng.com
The domain name has been determined based on the host name.

Please confirm the domain name [wanfeng.com]:

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Directory Manager password:
Password (confirm):

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password:
Password (confirm):

Checking DNS domain wanfeng.com., please wait ...
Do you want to configure DNS forwarders? [yes]: yes
Following DNS servers are configured in /etc/resolv.conf: 127.0.0.1, 192.168.11.102
Do you want to configure these servers as DNS forwarders? [yes]: yes
All DNS servers from /etc/resolv.conf were added. You can enter additional addresses now:
Enter an IP address for a DNS forwarder, or press Enter to skip:
Checking DNS forwarders, please wait ...
Do you want to search for missing reverse zones? [yes]: yes
Do you want to create reverse zone for IP 192.168.11.101 [yes]:
Please specify the reverse zone name [11.168.192.in-addr.arpa.]:
Using reverse zone(s) 11.168.192.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname: wfldap001.wanfeng.com
IP address(es): 192.168.11.101
Domain name: wanfeng.com
Realm name: WANFENG.COM

BIND DNS server will be configured to serve IPA domain with:
Forwarders: 127.0.0.1, 192.168.11.102
Forward policy: only
Reverse zone(s): 11.168.192.in-addr.arpa.

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Skipping synchronizing time with NTP server.
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
trying https://wfldap001.wanfeng.com/ipa/json
[try 1]: Forwarding 'ping' to json server 'https://wfldap001.wanfeng.com/ipa/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://wfldap001.wanfeng.com/ipa/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://wfldap001.wanfeng.com/ipa/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring wanfeng.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

==============================================================================
Setup complete

   2. You can now obtain a kerberos ticket using the command: 'kinit admin'
   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
   and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password

------------------------------------------------------------------------------------------------------
-- ################################################################################################ --
-- Step 3. 在 wfldap001 服务器初始化 kerberos 票据，并将所有 dnszone 设置 allow-sync-ptr=true
-- 并添加 wfldap002 服务器到 ipa 管理

------------------------------------------------------------------------------------------------------
-- 3.1 在 wfldap001 服务器初始化 kerberos 票据
[root@wfldap001 ~]# kinit admin
Password for admin@WANFENG.COM: bee56915

------------------------------------------------------------------------------------------------------
-- 3.2 执行 ipa-replica-manage list 命令，检查主从配置是否成功：
[root@wfldap002 ~]# ipa-replica-manage list
wfldap002.wanfeng.com: master
wfldap001.wanfeng.com: master

------------------------------------------------------------------------------------------------------
-- 3.3 查看当前所有 Zone 的 Zone name
[root@wfldap001 ~]# ipa dnszone-find|grep "Zone name"
Zone name: 11.168.192.in-addr.arpa.
Zone name: wanfeng.com.

------------------------------------------------------------------------------------------------------
-- 3.4 设置 dnszone 的 allow-sync-ptr 属性 ( 注意：先执行以下命令，再去执行添加或删除机器操作 )
ipa dnszone-mod wanfeng.com --allow-sync-ptr=true
ipa dnszone-mod 11.168.192.in-addr.arpa --allow-sync-ptr=true

------------------------------------------------------------------------------------------------------
-- 3.5 添加 wfldap002 服务器到 ipa 管理
ipa-replica-install --setup-dns --forwarder 127.0.0.1 --forwarder 192.168.11.101

[root@wfldap002 ~]# ipa-client-install
DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: example.com): wanfeng.com
Provide your IPA server name (ex: ipa.example.com): wfldap001.wanfeng.com
The failure to use DNS to find your IPA server indicates that your resolv.conf file is not properly configured.
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Client hostname: wfldap002.wanfeng.com
Realm: WANFENG.COM
DNS Domain: wanfeng.com
IPA Server: wfldap001.wanfeng.com
BaseDN: dc=wanfeng,dc=com

Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Attempting to sync time using ntpd. Will timeout after 15 seconds
User authorized to enroll computers: admin
Password for admin@WANFENG.COM:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=WANFENG.COM
Issuer: CN=Certificate Authority,O=WANFENG.COM
Valid From: 2018-07-26 15:59:33
Valid Until: 2038-07-26 15:59:33

Enrolled in IPA realm WANFENG.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm WANFENG.COM
trying https://wfldap001.wanfeng.com/ipa/json
[try 1]: Forwarding 'ping' to json server 'https://wfldap001.wanfeng.com/ipa/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://wfldap001.wanfeng.com/ipa/json'
Systemwide CA database updated.
Hostname (wfldap002.wanfeng.com) does not have A/AAAA record.
Failed to update DNS records.
Missing A/AAAA record(s) for host wfldap002.wanfeng.com: 192.168.11.102, fda9:6414:af5c:0:a00:27ff:feac:8c0c.
Missing reverse record(s) for address(es): 192.168.11.102, fda9:6414:af5c:0:a00:27ff:feac:8c0c.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://wfldap001.wanfeng.com/ipa/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
No SRV records of NTP servers found. IPA server address will be used
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring wanfeng.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

------------------------------------------------------------------------------------------------------
-- ################################################################################################ --
-- Step 5. 在 wfldap002 服务器安装 ipa-replica
-- ipa-replica 命令相关参数请参考 https://linux.die.net/man/1/ipa-replica-install

[root@wfldap002 ~]# ipa-replica-install --setup-dns --forwarder 192.168.11.101
WARNING: cannot check if port 443 is already configured
httpd returned error when checking: Command '/usr/sbin/httpd -t -D DUMP_VHOSTS' returned non-zero exit status 1
Password for admin@WANFENG.COM:
Checking DNS forwarders, please wait ...
Run connection check to master
Connection check OK
Configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/42]: creating directory server instance
[2/42]: enabling ldapi
[3/42]: configure autobind for root
[4/42]: stopping directory server
[5/42]: updating configuration in dse.ldif
[6/42]: starting directory server
[7/42]: adding default schema
[8/42]: enabling memberof plugin
[9/42]: enabling winsync plugin
[10/42]: configuring replication version plugin
[11/42]: enabling IPA enrollment plugin
[12/42]: configuring uniqueness plugin
[13/42]: configuring uuid plugin
[14/42]: configuring modrdn plugin
[15/42]: configuring DNS plugin
[16/42]: enabling entryUSN plugin
[17/42]: configuring lockout plugin
[18/42]: configuring topology plugin
[19/42]: creating indices
[20/42]: enabling referential integrity plugin
[21/42]: configuring certmap.conf
[22/42]: configure new location for managed entries
[23/42]: configure dirsrv ccache
[24/42]: enabling SASL mapping fallback
[25/42]: restarting directory server
[26/42]: creating DS keytab
[27/42]: ignore time skew for initial replication
[28/42]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 3 seconds elapsed
Update succeeded

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

-- 此时，用 ipa-replica-manage list 命令可以查到这两台机器了：

[root@wfldap002 ~]# ipa-replica-manage list
wfldap002.wanfeng.com: master
wfldap001.wanfeng.com: master

-- 注意
-- 01. 执行如上 ipa-replica-install 命令中,发现有 Command '/usr/sbin/httpd -t -D DUMP_VHOSTS' returned non-zero exit status 1
-- 那么：执行 /usr/sbin/httpd -t -D DUMP_VHOSTS 提示文件不存在。所以：从 wfldap001 copy 相关文件到相应位置即可解决问题
-- 02. 上面安装完成后还提示你可以配置 global DNS，那就配置一下

-- 此时你将发现 wfldap002 比 wfldap001 还是少了 pki-tomcatd 这个组件。
-- 好像是一个证书管理相关的组件，先忽略

[root@wfldap002 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

------------------------------------------------------------------------------------------------------
-- ################################################################################################ --
-- Step 6. 在 win10 服务器安装 kerberos-client
-- 参考：https://imaidata.github.io/blog/kerberos_client/

------------------------------------------------------------------------------------------------------
-- Step 6.1 安装: 安装的默认目录是C:Program FilesMITKerberos

------------------------------------------------------------------------------------------------------
-- Step 6.2 将 wfldap001 服务器的 /etc/krb5.conf 复制到上述目录下，改名为krb5.ini( 并只保留以下配置)

[libdefaults]
default_realm = WANFENG.COM
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0

[domain_realm]
.wanfeng.com = WANFENG.COM
wanfeng.com = WANFENG.COM
wfldap002.wanfeng.com = WANFENG.COM

------------------------------------------------------------------------------------------------------
-- Step 6.3 在windows下添加两个环境变量，并开放 c:temp 目录写权限给当前用户

KRB5_CONFIG=C:Program FilesMITKerberoskrb5.ini
KRB5CCNAME=c:tempkrb5cache

------------------------------------------------------------------------------------------------------
-- Step 6.4 重启 windows, 然后初始化票据：
C:Program FilesMITKerberosbin>kinit admin@WANFENG.COM
Password for admin@WANFENG.COM:

C:Program FilesMITKerberosbin>klist
Ticket cache: FILE:C:tempkrb5cache
Default principal: admin@WANFENG.COM

Valid starting Expires Service principal
07/27/18 11:00:23 07/28/18 11:00:19 krbtgt/WANFENG.COM@WANFENG.COM

------------------------------------------------------------------------------------------------------
-- Step 6.5 Google chrome 浏览器测试：( chrome 浏览器好像不支持(放弃))
google-chrome --auth-server-whitelist="*wanfeng.com"

C:Userslym01AppDataLocalGoogleChromeApplicationchrome.exe --auth-server-whitelist="wanfeng.com"

------------------------------------------------------------------------------------------------------
-- Step 6.6 火狐浏览器测试
-- 在火狐中地址栏输入about:config并回车，然后搜索和设置下面的参数：
network.negotiate-auth.trusted-uris = .wanfeng.com
network.negotiate-auth.using-native-gsslib = false
network.negotiate-auth.gsslib = C:Program FilesMITKerberosbingssapi64.dll
network.auth.use-sspi = false
network.negotiate-auth.allow-non-fqdn = true

-- 然后登陆，搞定：
https://wfldap001.wanfeng.com/ipa/ui/

-- Step 7. 在 wfldap001 和 wfldap002 修改配置文件 (注意：default_ccache_name 参数有修改)

vi /etc/krb5.conf
------------------------------------------------------------------------------------------------------
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = WANFENG.COM
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = FILE:/tmp/krb5cc_%{uid}

[realms]
WANFENG.COM = {
kdc = wfldap001.wanfeng.com:88
kdc = wfldap002.wanfeng.com:88
master_kdc = wfldap001.wanfeng.com:88
master_kdc = wfldap002.wanfeng.com:88
admin_server = wfldap001.wanfeng.com:749
admin_server = wfldap002.wanfeng.com:749
default_domain = wanfeng.com
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}

[domain_realm]
.wanfeng.com = WANFENG.COM
wanfeng.com = WANFENG.COM
wfldap002.wanfeng.com = WANFENG.COM

[dbmodules]
WANFENG.COM = {
db_library = ipadb.so
}

-- 篇章三 HDP Security-FreeIPA

-- 参考：https://github.com/emaxwell-hw/HDP-2.5-Security-FreeIPA

kinit admin@WANFENG.COM
ipa user-add hadoopadmin --first=Hadoop --last=Admin
ipa group-add-member admins --users=hadoopadmin
ipa passwd hadoopadmin
kinit hadoopadmin
ipa group-add ambari-managed-principals

-- 如果不将 hadoopadmin 用户添加到 admins 组，也可以通过以下授权
ipa role-add hadoopadminrole
ipa role-add-privilege hadoopadminrole --privileges="User Administrators"
ipa role-add-privilege hadoopadminrole --privileges="Service Administrators"

------------------------------------------------------------------------------------------------------
-- 具体命令操作输出如下：

[root@wfldap001 ~]# ipa user-add hadoopadmin --first=Hadoop --last=Admin
------------------------
Added user "hadoopadmin"
------------------------
User login: hadoopadmin
First name: Hadoop
Last name: Admin
Full name: Hadoop Admin
Display name: Hadoop Admin
Initials: HA
Home directory: /home/hadoopadmin
GECOS: Hadoop Admin
Login shell: /bin/sh
Principal name: hadoopadmin@WANFENG.COM
Principal alias: hadoopadmin@WANFENG.COM
Email address: hadoopadmin@wanfeng.com
UID: 1757400001
GID: 1757400001
Password: False
Member of groups: ipausers
Kerberos keys available: False

[root@wfldap001 ~]# ipa group-add-member admins --users=hadoopadmin
Group name: admins
Description: Account administrators group
GID: 1757400000
Member users: admin, hadoopadmin
-------------------------
Number of members added 1
-------------------------

[root@wfldap001 ~]# ipa passwd hadoopadmin
New Password: bee56915hdp
Enter New Password again to verify: bee56915hdp
----------------------------------------------
Changed password for "hadoopadmin@WANFENG.COM"
----------------------------------------------

[root@wfambari ~]# kinit hadoopadmin
Password for hadoopadmin@WANFENG.COM: bee56915hdp
Password expired. You must change it now.
Enter new password: bee56915hdp
Enter it again: bee56915hdp

[root@wfldap001 ~]# ipa group-add ambari-managed-principals
---------------------------------------
Added group "ambari-managed-principals"
---------------------------------------
Group name: ambari-managed-principals
GID: 1757400003

-- 查看 freeipa 版本：
[root@wfldap001 ~]# ipa --version
VERSION: 4.5.4, API_VERSION: 2.228

-- 注意： Centos7 freeipa 最新版本 ipa-admintools 已经没有了，所以以下命令不用执行
yum -y install ipa-admintools

-- 最后：添加集群的主机到 ipa

------------------------------------------------------------------------------------------------------
-- ################################################################################################ --
-- Step 2. 在 hdp 集群所有节点安装 ipa-client
-- All nodes in the HDP cluster must have the ipa-client software installed and be joined to the FreeIPA server:

------------------------------------------------------------------------------------------------------
-- 2.1 安装前，先修改 /etc/resolv.conf 和 /etc/krb5.conf 文件

-- wfldap001
[root@wfldap001 ~]# cat /etc/resolv.conf
search wanfeng.com
nameserver 127.0.0.1
nameserver 192.168.11.102
nameserver 192.168.11.1

-- wfldap002
[root@wfldap002 ~]# cat /etc/resolv.conf
search wanfeng.com
nameserver 127.0.0.1
nameserver 192.168.11.101
nameserver 192.168.11.1

-- 所有 hdp 节点
[root@wfambari ~]# cat /etc/resolv.conf
search wanfeng.com
nameserver 192.168.11.101
nameserver 192.168.11.102
nameserver 192.168.11.1

------------------------------------------------------------------------------------------------------
-- 2.2 所有 hdp 节点 disable chronyd

systemctl stop chronyd
systemctl disable chronyd

systemctl stop ntpd
systemctl disable ntpd

------------------------------------------------------------------------------------------------------
-- 2.3 在 hdp 集群所有节点安装 ipa-client
yum -y install ipa-client

ipa-client-install --uninstall

ipa-client-install --domain=wanfeng.com
--server=wfldap001.wanfeng.com
--server=wfldap002.wanfeng.com
--realm=WANFENG.COM
--principal=hadoopadmin@WANFENG.COM
--enable-dns-updates

[root@wfambari ~]# ipa-client-install --domain=wanfeng.com
> --server=wfldap001.wanfeng.com
> --server=wfldap002.wanfeng.com
> --realm=WANFENG.COM
> --principal=hadoopadmin@WANFENG.COM
> --enable-dns-updates
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Client hostname: wfambari.wanfeng.com
Realm: WANFENG.COM
DNS Domain: wanfeng.com
IPA Server: wfldap001.wanfeng.com, wfldap002.wanfeng.com
BaseDN: dc=wanfeng,dc=com

Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Attempting to sync time using ntpd. Will timeout after 15 seconds
Attempting to sync time using ntpd. Will timeout after 15 seconds
Password for hadoopadmin@WANFENG.COM:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=WANFENG.COM
Issuer: CN=Certificate Authority,O=WANFENG.COM
Valid From: 2018-07-26 16:35:47
Valid Until: 2038-07-26 16:35:47

Enrolled in IPA realm WANFENG.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm WANFENG.COM
trying https://wfldap001.wanfeng.com/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://wfldap001.wanfeng.com/ipa/json'
trying https://wfldap001.wanfeng.com/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://wfldap001.wanfeng.com/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://wfldap001.wanfeng.com/ipa/session/json'
Systemwide CA database updated.
Hostname (wfambari.wanfeng.com) does not have A/AAAA record.
Missing reverse record(s) for address(es): fda9:6414:af5c:0:a00:27ff:fef3:7ec2.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://wfldap001.wanfeng.com/ipa/session/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring wanfeng.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

------------------------------------------------------------------------------------------------------
-- 2.4 验证是否安装成功
-- 此时在 wfldap001 或 wfldap002 执行 ipa host-find 就能找到该主机了

[root@wfldap001 ~]# ipa host-find wfambari.wanfeng.com
--------------
1 host matched
--------------
Host name: wfambari.wanfeng.com
Principal name: host/wfambari.wanfeng.com@WANFENG.COM
Principal alias: host/wfambari.wanfeng.com@WANFENG.COM
SSH public key fingerprint: SHA256:Miz4TWxXUNl6vUBHNPNjovyGi5DgGXzACndNxnMQgYI (ssh-rsa),
SHA256:7F/Az4A47NNJOiYddrWcIsJGJA47IfFUXrNjtr30sRg (ecdsa-sha2-nistp256),
SHA256:D0gGCAjO4BuYQZEsKfah3EKaCir8/FSa1ulmyJi+KSw (ssh-ed25519)
----------------------------
Number of entries returned 1
----------------------------

-- 说明安装成功

------------------------------------------------------------------------------------------------------
-- 2.5 在其他 hdp 集群节点重复操作 2.1 ~ 2.4 步，以继续安装 ipa-client

-- 最后：所有 hdp 节点修改 /etc/krb5.conf 中的 default_ccache_name
[root@wfambari ~]# vi /etc/krb5.conf

default_ccache_name = FILE:/tmp/krb5cc_%{uid}

------------------------------------------------------------------------------------------------------
-- 2.6 测试域名解析

---------------------------------------------------
-- 2.6.1 将 hdp 集群各节点的 /etc/hosts 文件中的主机信息注释掉，看是否还能 ping 同

[root@wfambari ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

192.168.11.100 test.wanfeng.com test

# hdp3 cluster
# 192.168.11.101 wfldap001.wanfeng.com wfldap001
# 192.168.11.102 wfldap002.wanfeng.com wfldap002
# 192.168.11.103 wfambari.wanfeng.com wfambari
# 192.168.11.104 wfclient001.wanfeng.com wfclient001
# 192.168.11.105 wfnn001.wanfeng.com wfnn001
# 192.168.11.106 wfnn002.wanfeng.com wfnn002
# 192.168.11.107 wfdn001.wanfeng.com wfdn001
# 192.168.11.108 wfdn002.wanfeng.com wfdn002
# 192.168.11.109 wfdn003.wanfeng.com wfdn003

[root@wfambari ~]# ping wfdn003
PING wfdn003.wanfeng.com (192.168.11.109) 56(84) bytes of data.
64 bytes from wfdn003.wanfeng.com (192.168.11.109): icmp_seq=1 ttl=64 time=1.76 ms
64 bytes from wfdn003.wanfeng.com (192.168.11.109): icmp_seq=2 ttl=64 time=1.10 ms
64 bytes from wfdn003.wanfeng.com (192.168.11.109): icmp_seq=3 ttl=64 time=1.26 ms
^C
--- wfdn003.wanfeng.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2005ms
rtt min/avg/max/mdev = 1.104/1.377/1.760/0.280 ms

[root@wfambari ~]# ping wfdn002
PING wfdn002.wanfeng.com (192.168.11.108) 56(84) bytes of data.
64 bytes from wfdn002.wanfeng.com (192.168.11.108): icmp_seq=1 ttl=64 time=1.30 ms
64 bytes from wfdn002.wanfeng.com (192.168.11.108): icmp_seq=2 ttl=64 time=0.999 ms
^C
--- wfdn002.wanfeng.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.999/1.152/1.306/0.157 ms

---------------------------------------------------
-- 2.6.2 分别在 wfldap001 或者 wfldap002 关闭 ipa
-- 然后再在 hdp 节点 ping 测试

[root@wfldap001 ~]# ipactl stop
Stopping ipa-dnskeysyncd Service
Stopping ipa-otpd Service
Stopping pki-tomcatd Service
Stopping ntpd Service
Stopping ipa-custodia Service
Stopping httpd Service
Stopping named Service
Stopping kadmin Service
Stopping krb5kdc Service
Stopping Directory Service
ipa: INFO: The ipactl command was successful

[root@wfambari ~]# ping wfnn001
PING wfnn001.wanfeng.com (192.168.11.105) 56(84) bytes of data.
64 bytes from wfnn001.wanfeng.com (192.168.11.105): icmp_seq=1 ttl=64 time=1.24 ms
64 bytes from wfnn001.wanfeng.com (192.168.11.105): icmp_seq=2 ttl=64 time=0.804 ms
64 bytes from wfnn001.wanfeng.com (192.168.11.105): icmp_seq=3 ttl=64 time=0.439 ms
64 bytes from wfnn001.wanfeng.com (192.168.11.105): icmp_seq=4 ttl=64 time=0.521 ms
^C
--- wfnn001.wanfeng.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 7008ms
rtt min/avg/max/mdev = 0.439/0.751/1.243/0.316 ms

-- 结论：1. ipa 两台都关闭，hdp 主机之间将无法 ping 通；
-- 2. ipa 只要有一台是正常启动的，hdp 主机之间将均能 ping 通；

至此，一切貌似都是 “HA"，呵呵.....

-- 安装前先修改票据的默认生命周期：
ipa pwpolicy-mod --maxlife=0 --minlife=0 global_policy

-- 安装前先执行 ambari-server setup-security
-- 参考： https://community.hortonworks.com/articles/42927/adding-kdc-administrator-credentials-to-the-ambari.html

ambari-server setup-security

ipa_user_group=ambari-managed-principals
------------------------------------------------------------------------------------------------------
-- ################################################################################################ --
-- ################################################################################################ --
-- ################################################################################################ --

-- 篇章四遇到的报错及解决方法

------------------------------------------------------------------------------------------------------
-- 报错1 ：
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)
[1/7]: checking status
[2/7]: setting up bind-dyndb-ldap working directory
[error] OSError: [Errno 2] No such file or directory: '/var/named/dyndb-ldap/ipa/'
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR [Errno 2] No such file or directory: '/var/named/dyndb-ldap/ipa/'
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
You have new mail in /var/spool/mail/root

-- 重新安装以下 bind-dyndb-ldap 就 OK 了 (就发现有该目录了)
yum -y reinstall bind-dyndb-ldap-11.1-4.el7.x86_64

------------------------------------------------------------------------------------------------------
-- 报错2. ambari-server.log

2018-07-27 15:30:47,763 ERROR [ambari-client-thread-144] CreateHandler:80 - Bad request received: Missing KDC administrator credentials.
The KDC administrator credentials must be set as a persisted or temporary credential resource.This may be done by issuing a POST to the /api/v1/clusters/:clusterName/credentials/kdc.admin.credential API entry point with the following payload:
{
"Credential" : {
"principal" : "(PRINCIPAL)", "key" : "(PASSWORD)", "type" : "(persisted|temporary)"}
}
}
2018-07-27 15:31:44,786 INFO [ambari-client-thread-39] AmbariManagementControllerImpl:4060 - Received action execution request, clusterName=wfambari, request=isCommand :true, action :null, command :KERBEROS_SERVICE_CHECK, inputs :{HAS_RESOURCE_FILTERS=true}, resourceFilters: [RequestResourceFilter{serviceName='KERBEROS', componentName='null', hostNames=[]}], exclusive: false, clusterName :wfambari
2018-07-27 15:31:55,610 ERROR [ambari-client-thread-39] IPAKerberosOperationHandler:323 - Failed to execute the following command:
/usr/bin/ipa user-show hadoopadmin
STDOUT:
STDERR: ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)

201

ipa servicedelegationrule-add-member ipa-http-delegation --principals=HTTP/webipa.example.com

ipa servicedelegationrule-add-member ipa-http-delegation --principals=HTTP/wfldap001.wanfeng.com@WANFENG.COM

-- 重启 ipa 问题消失

------------------------------------------------------------------------------------------------------

-- 一点遗憾：在启用 Enable kerberos 之前，Ambari-server and Ambari-agent 是以 "ambari" 普通操作系统安装启动的。
-- 但：发现在 Enable kerberos 的安装过程中死活报错。具体原因，查了很多日志，未果！
-- 故：回退到以 root 用户启动后，Enable kerberos 成功。