josephxsxn

FreeIPASetupTest

Oct 25th, 2017

FreeIPA install on Ubuntu 16.04

apt-get install freeipa-server

The realm is the all-uppercase version of the local DNS domain.

The KDC and admin servers are the hostname (kdc1).

sudo ipa-server-install
Directory Manager password: hadoop12345

admin password: hadoop12345

Set up with IP address 192.168.10.63.

Fix the hostname in /etc/hosts so that it resolves to the IP address.

Expect a long wait while the installer gathers entropy.
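Added pre-flight script for the server-install notes above; it is not part of the original paste. It derives the realm from the domain, checks that the FQDN in /etc/hosts maps to the chosen IP (and not to a 127.x line), and reports the kernel entropy pool; the 1000-bit threshold and the function names are my own assumptions.

```shell
#!/bin/sh
# Added pre-flight check for the notes above (not from the original paste).
# Sample values from the paste: host kdc1, domain aegisdoctrine.local,
# address 192.168.10.63; the 1000-bit entropy threshold is an assumption.

# The Kerberos realm is the DNS domain in upper case.
derive_realm() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# Succeed only if the /etc/hosts text in $1 maps FQDN $3 to address $2 and
# the FQDN is NOT also on a 127.x line (Ubuntu's 127.0.1.1 entry breaks IPA).
hosts_entry_ok() {
    printf '%s\n' "$1" | awk -v ip="$2" -v fqdn="$3" '
        /^[ \t]*#/ || NF == 0 { next }                 # comments and blanks
        { for (i = 2; i <= NF; i++) if ($i == fqdn) {
              if ($1 == ip) ok = 1; else if ($1 ~ /^127\./) lo = 1 } }
        END { exit !(ok && !lo) }'
}

# Kernel entropy pool in bits; the installer blocks on the KDC key step
# until enough has been gathered.
current_entropy() {
    cat /proc/sys/kernel/random/entropy_avail 2>/dev/null || echo 0
}
entropy_ok() {                    # $1 = available bits, $2 = threshold
    [ "${1:-0}" -ge "${2:-1000}" ]
}

preflight() {                     # preflight HOST DOMAIN IP
    fqdn="$1.$2"
    echo "realm:     $(derive_realm "$2")"
    echo "kdc/admin: $fqdn"
    if hosts_entry_ok "$(cat /etc/hosts)" "$3" "$fqdn"; then
        echo "hosts:     ok ($fqdn -> $3)"
    else
        echo "hosts:     FIX /etc/hosts: $fqdn must map to $3 only" >&2
        rc=1
    fi
    if entropy_ok "$(current_entropy)" 1000; then
        echo "entropy:   ok ($(current_entropy) bits)"
    else
        echo "entropy:   low ($(current_entropy) bits); expect a slow install" >&2
    fi
    return "${rc:-0}"
}

if [ $# -eq 3 ]; then preflight "$@"; fi   # e.g. kdc1 aegisdoctrine.local 192.168.10.63
```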

Set up the client on every host.

sudo DEBIAN_FRONTEND=noninteractive apt-get -y install freeipa-client

http://www.therebel.eu/2015/08/setting-password-expiry-in-ipa/

https://www.ibm.com/support/knowledgecenter/en/SSPT3X_4.2.5/com.ibm.swg.im.infosphere.biginsights.admin.doc/doc/admin_kerb_kdc_ipa.html

ipa permission-add "Set User Password Expiration" --permissions=write --type=user --attrs=krbpasswordexpiration
ipa permission-add "Set Service Password Expiration" --permissions=write --type=service --attrs=krbpasswordexpiration
ipa privilege-add "Krbpass admin"
ipa privilege-add-permission "Krbpass admin" --permissions="Set User Password Expiration"
ipa privilege-add-permission "Krbpass admin" --permissions="Set Service Password Expiration"

Create the Hadoop admin in IPA.

https://community.hortonworks.com/articles/59645/ambari-24-kerberos-with-freeipa.html

Changed password for "hadoopadmin@AEGISDOCTRINE.LOCAL"

kinit admin@EXAMPLE.DOMAIN.COM
ipa user-add hadoopadmin --first=Hadoop --last=Admin
ipa group-add-member admins --users=hadoopadmin
ipa passwd hadoopadmin

ipa group-add ambari-managed-principals

Because of the way FreeIPA automatically expires the new password, it is necessary to kinit as hadoopadmin and change the initial password. The password can be set to the same password unless the password policy prohibits password reuse:

The KDC administrator credentials must be set as a persisted or temporary credential resource. This may be done by issuing a POST to the /api/v1/clusters/:clusterName/credentials/kdc.admin.credential API entry point with the following payload:

ambari-server setup-security
curl -u admin:admin -H 'X-Requested-By: ambari' -X POST http://master1.aegisdoctrine.local:8080/api/v1/clusters/c1/credentials/kdc.admin.credential -d '{
  "Credential" : {
    "principal" : "hadoopadmin@AEGISDOCTRINE.LOCAL", "key" : "hadoop12345", "type" : "persisted"
  }
}'

curl -v -H "X-Requested-By: ambari" -u admin:admin -X DELETE http://master1.aegisdoctrine.local:8080/api/v1/clusters/c1/credentials/kdc.admin.credential

On the Ambari server:

sudo apt-get install freeipa-admintools

On all nodes, run ipa-client-install before trying to perform the Kerberos setup.

sudo ipa-client-install --domain=aegisdoctrine.local \
--server=kdc1.aegisdoctrine.local \
--realm=AEGISDOCTRINE.LOCAL \
--principal=admin@AEGISDOCTRINE.LOCAL \
--password=hadoop12345 \
--no-dns-sshfp \
--fixed-primary \
-U -f --force-join

Make sure all hosts report back that they have enrolled.
