FreeIPA install on Ubuntu 16.04
apt-get install freeipa-server
Realm is the all-uppercase version of the local DNS domain.
KDC and admin servers are the hostname (kdc1).
sudo ipa-server-install
Directory Manager password: hadoop12345
admin password: hadoop12345
Set up with IP address 192.168.10.63.
Fix the hostname in /etc/hosts so it resolves to the IP address.
Wait a long time for entropy.
Set up the client on every node:
sudo DEBIAN_FRONTEND=noninteractive apt-get -y install freeipa-client
http://www.therebel.eu/2015/08/setting-password-expiry-in-ipa/
https://www.ibm.com/support/knowledgecenter/en/SSPT3X_4.2.5/com.ibm.swg.im.infosphere.biginsights.admin.doc/doc/admin_kerb_kdc_ipa.html
ipa permission-add "Set User Password Expiration" --permissions=write --type=user --attrs=krbpasswordexpiration
ipa permission-add "Set Service Password Expiration" --permissions=write --type=service --attrs=krbpasswordexpiration
ipa privilege-add "Krbpass admin"
ipa privilege-add-permission "Krbpass admin" --permissions="Set User Password Expiration"
ipa privilege-add-permission "Krbpass admin" --permissions="Set Service Password Expiration"
Create the hadoop admin in IPA:
https://community.hortonworks.com/articles/59645/ambari-24-kerberos-with-freeipa.html
Changed password for "hadoopadmin@AEGISDOCTRINE.LOCAL"
kinit admin@EXAMPLE.DOMAIN.COM
ipa user-add hadoopadmin --first=Hadoop --last=Admin
ipa group-add-member admins --users=hadoopadmin
ipa passwd hadoopadmin
ipa group-add ambari-managed-principals
Because of the way FreeIPA automatically expires the new password, it is necessary to kinit as hadoopadmin and change the initial password. The password can be set to the same password unless the password policy prohibits password reuse:
The KDC administrator credentials must be set as a persisted or temporary credential resource. This may be done by issuing a POST to the /api/v1/clusters/:clusterName/credentials/kdc.admin.credential API entry point with the following payload:
ambari-server setup-security
curl -u admin:admin -H 'X-Requested-By: ambari' -X POST http://master1.aegisdoctrine.local:8080/api/v1/clusters/c1/credentials/kdc.admin.credential -d '{
"Credential" : {
"principal" : "hadoopadmin@AEGISDOCTRINE.LOCAL", "key" : "hadoop12345", "type" : "persisted"
}
}'
curl -v -H "X-Requested-By: ambari" -u admin:admin -X DELETE http://master1.aegisdoctrine.local:8080/api/v1/clusters/c1/credentials/kdc.admin.credential
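Added example, not part of the original notes or of Ambari's own documentation: a POSIX shell helper that posts the same kdc.admin.credential payload as the curl command above without putting either password on the command line or in shell history. The function names and the default "temporary" type are assumptions of this example; curl prompts for the Ambari password itself because -u is given only a user name.

```shell
#!/bin/sh
# Added example (not from the original notes). Function names are hypothetical.
# Usage: sh set-kdc-cred.sh <ambari-base-url> <cluster> <ambari-user> <principal>

# Escape backslashes and double quotes so a password cannot break the JSON.
# Assumption: the values contain no control characters.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Build the payload for the kdc.admin.credential endpoint.
# $1 = principal, $2 = key (password), $3 = type (temporary|persisted)
kdc_credential_payload() {
    case "$3" in
        temporary|persisted) ;;
        *) echo "type must be temporary or persisted" >&2; return 1 ;;
    esac
    printf '{"Credential":{"principal":"%s","key":"%s","type":"%s"}}' \
        "$(json_escape "$1")" "$(json_escape "$2")" "$3"
}

# POST the credential. The KDC password is read with terminal echo off and
# sent to curl on stdin (-d @-), so it never appears in argv or history.
# $1 = Ambari base URL, $2 = cluster name, $3 = Ambari user, $4 = principal
post_kdc_credential() {
    printf 'KDC password for %s: ' "$4" >&2
    stty -echo
    read -r kdc_pw
    stty echo
    echo >&2
    payload=$(kdc_credential_payload "$4" "$kdc_pw" temporary) || return 1
    kdc_pw=
    # printf is a shell builtin, so the payload is not visible in ps output.
    printf '%s' "$payload" | curl -u "$3" -H 'X-Requested-By: ambari' \
        -H 'Content-Type: application/json' -X POST -d @- \
        "$1/api/v1/clusters/$2/credentials/kdc.admin.credential"
}

# Only contact the server when all four arguments are given.
if [ "$#" -eq 4 ]; then
    post_kdc_credential "$@"
fi
```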
On ambari-server:
sudo apt-get install freeipa-admintools
On all nodes, run ipa-client-install before trying to perform the Kerberos setup.
sudo ipa-client-install --domain=aegisdoctrine.local \
--server=kdc1.aegisdoctrine.local \
--realm=AEGISDOCTRINE.LOCAL \
--principal=admin@AEGISDOCTRINE.LOCAL \
--password=hadoop12345 \
--no-dns-sshfp \
--fixed-primary \
-U -f --force-join