1、更新系统ipa-v01,ipa-v02 不单独说明就是在两个节点上面安装
yum -y install epel-release
yum -y update
yum -y install bind-utils vim
yum -y install python-pip
pip install --upgrade pip
2、cat /etc/resolv.conf
# Generated by NetworkManager
search
tianlingqun.com
nameserver 8.8.8.8
3、安装ipa服务
yum -y install ipa-server
yum -y install ipa-server-dns bindipa-server bind-dyndb-ldap
4、pip -V # 查看 pip 版本
5、设置net.ipv6.conf.lo.disable_ipv6 = 0
cat /etc/sysctl.conf |grep ipv6 # 我的服务器无结果
echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.conf
echo "net.ipv6.conf.lo.disable_ipv6 = 0" >> /etc/sysctl.conf
cat /etc/sysctl.conf
cd ~/scripts
sh ./sync_to_all_node.sh /etc/sysctl.conf /etc/
sh ./ssh_to_all_node.sh "sysctl -p"
6、安装 ipa server
ipa-server-install --setup-dns --allow-zone-overlap
7、备份cacert.p12
cdate=$(date '+%Y%m%d'); cp /root/cacert.p12 /root/cacert.p12.bak.${cdate};
ls -l /root/ |grep cacert;
8、查看状态
9、resolv.conf的nameserver被修改为127.0.0.1
10、验证admin密码
11、查询Zone name
12、设置 dnszone 的 allow-sync-ptr 属性
ipa dnszone-mod ipa-v01 --allow-sync-ptr=true
ipa dnszone-mod X.168.192.in-addr.arpa --allow-sync-ptr=true
13、打开IPA Web UI
https://ipa-v01/ipa/ui
14、修改resolv.conf ipa-v02
vi /etc/resolv.conf
# Generated by NetworkManager
search
tianlingqun.com
nameserver 192.168.0.189
cat /etc/resolv.conf
15、注释以后能ping通 ipa-v02
16、安装 ipa-server 包
yum -y install ipa-server ipa-server-dns
17、安装 ipa 客户端
ipa-client-install
18、ipa-v02 服务器配置FreeIPA 主从同步,在 alybjf-hdp-ipa-v02 服务器安装 ipa-replica-install 安装过程,将 ipa-v02 服务器添加到 ipaservers
kinit admin
ipa hostgroup-add-member ipaservers --hosts
ipa-v02.tianlingqun.com
ipa-replica-install --setup-dns --auto-forwarders --allow-zone-overlap
执行:ipa-ca-install
19、用 ipactl status 查看各组件的壮态
20、执行 ipa-replica-manage list 命令,检查主从配置是否成功
21、两台 ipa 服务器修改 /etc/krb5.conf 文件并
分发到其它节点
修改:
default_ccache_name = FILE:/tmp/krb5cc_%{uid}
添加:
kdc =
ipa-v01:88
master_kdc =
ipa-v01:88
admin_server =
ipa-v01:749
22、用 ipa host-find 可以查到两台 ipa 服务器
kinit admin
23、修改票据的默认生命周期:ipa pwpolicy-mod --maxlife=0 --minlife=0 global_policy
24、创建相关账号:
ipa user-add hadoopadmin --first=Hadoop --last=Admin
ipa group-add-member admins --users=hadoopadmin
创建密码:ipa passwd hadoopadmin
登录测试:kinit hadoopadmin
ipa group-add ambari-managed-principals
ipa permission-add "Set User Password Expiration" --permissions=write --type=user --attrs=krbpasswordexpiration
ipa permission-add "Set Service Password Expiration" --permissions=write --type=service --
attrs=krbpasswordexpiration
ipa privilege-add "Krbpass admin"
ipa privilege-add-permission "Krbpass admin" --permissions="Set User Password Expiration"
ipa privilege-add-permission "Krbpass admin" --permissions="Set Service Password Expiration"
ipa role-add-privilege "Security Architect" --privileges="Krbpass admin"
ipa role-add-member "Security Architect" --groups=admins
25、ambari安装ipa客户端
yum -y install freeipa-client
sh ~/scripts/ssh_to_all_node.sh "yum -y install freeipa-client"
26、配置ifcfg-enp0s3文件
sh ~/scripts/ssh_to_cluster_node.sh 'echo "DNS1=192.168.0.189" >> /etc/sysconfig/network-scripts/ifcfg-enp0s3'
sh ~/scripts/ssh_to_cluster_node.sh 'echo "DNS2=192.168.0.190" >> /etc/sysconfig/network-scripts/ifcfg-enp0s3'
sh ~/scripts/ssh_to_cluster_node.sh "cat /etc/sysconfig/network-scripts/ifcfg-enp0s3|grep 'DNS'"
27、ipa-client 安装所有节点
ipa-client-install --domain=wan --server=
ipa-v01 --server=
ipa-v02 --realm=
WAN --principal=
hadoopadmin@xxx
28、验证客户端是否全部安装
29、用 ipa host-find |grep "Host name:" 命令验证
