https://community.cloudera.com/t5/Archives-of-Support-Questions/hi-I-have-changed-the-krb5-conf-ticket-expiration-and/m-p/167557#M49805 <P><A rel="user" href="https://community.cloudera.com/users/14572/priyanshu770bindal.html" nodeid="14572">@priyanshu bindal</A></P><P>In your "krb5.conf" how have you defined the expiration?</P><P>I can see it working like following <EM>in <STRONG>/etc/krb5.conf</STRONG></EM><STRONG></STRONG>:</P><PRE>[libdefaults] renew_lifetime = 7d forwardable = true default_realm = EXAMPLE.COM ticket_lifetime = 30m </PRE><P>- See here i am setting<EM><STRONG> [ticket_lifetime = 30m] </STRONG></EM>30 minute and i can see the following <EM>in<STRONG>/etc/krb5.conf</STRONG></EM></P><P>:</P><PRE>[root@kjss1 ~]# kdestroy [root@kjss1 ~]# kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs-JoyCluster@EXAMPLE.COM [root@kjss1 ~]# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: hdfs-JoyCluster@EXAMPLE.COM Valid starting Expires Service principal 12/22/16 07:18:12 12/22/16 07:48:12 krbtgt/EXAMPLE.COM@EXAMPLE.COM renew until 12/22/16 07:18:12</PRE><P>.</P><P>Similarly for 30 seconds i did the following<EM><STRONG> [ticket_lifetime = 30s]</STRONG> in<STRONG> </STRONG><STRONG>/etc/krb5.conf</STRONG></EM></P><PRE>[root@kjss1 ~]# kdestroy [root@kjss1 ~]# kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs-JoyCluster@EXAMPLE.COM [root@kjss1 ~]# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: hdfs-JoyCluster@EXAMPLE.COM Valid starting Expires Service principal 12/22/16 07:22:12 12/22/16 07:22:42 krbtgt/EXAMPLE.COM@EXAMPLE.COM renew until 12/22/16 07:22:12</PRE><P>- </P><P><A href="http://web.mit.edu/Kerberos/krb5-1.12/doc/basic/date_format.html#duration" target="_blank">http://web.mit.edu/Kerberos/krb5-1.12/doc/basic/date_format.html#duration</A></P><P>.</P> Thu, 22 Dec 2016 15:21:48 GMT jsensharma 2016-12-22T15:21:48Z https://community.cloudera.com/t5/Archives-of-Support-Questions/hi-I-have-changed-the-krb5-conf-ticket-expiration-and/m-p/167554#M49802 <P>Kindly help me to understand the logic.</P> Thu, 22 Dec 2016 13:16:54 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/hi-I-have-changed-the-krb5-conf-ticket-expiration-and/m-p/167554#M49802 priyanshu770bin 2016-12-22T13:16:54Z https://community.cloudera.com/t5/Archives-of-Support-Questions/hi-I-have-changed-the-krb5-conf-ticket-expiration-and/m-p/167555#M49803 <P><A rel="user" href="https://community.cloudera.com/users/14572/priyanshu770bindal.html" nodeid="14572">@priyanshu bindal</A></P><P>Can you please check if your Java Program is pointing to the correct krb5.conf? Normally in Linux environment it's value is "/etc/krb5.conf". However we can locate it as per "Locating the krb5.conf Configuration File" : <A href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html" target="_blank">https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html</A></P><P>Usually we set the path for this file using java property: <EM><STRONG>"-Djava.security.krb5.conf" </STRONG></EM></P><P>- Also we can debug what's going on using the <EM><STRONG>"-Dsun.security.krb5.debug=true</STRONG></EM>" Java option.</P><P>. <STRONG></STRONG></P> Thu, 22 Dec 2016 13:23:17 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/hi-I-have-changed-the-krb5-conf-ticket-expiration-and/m-p/167555#M49803 jsensharma 2016-12-22T13:23:17Z https://community.cloudera.com/t5/Archives-of-Support-Questions/hi-I-have-changed-the-krb5-conf-ticket-expiration-and/m-p/167556#M49804 <P>Hi Jay, after adding these 2 properties, my program is reading from /etc/krb5.conf but it is creating a ticket for 24 hour instead of 30 sec. Following is the debug message:</P><P> Found ticket for hbase/ip@domain to go to krbtgt/domain@REALM expiring on Fri Dec 23 12:00:07 IST 2016 Entered Krb5Context.initSecContext with state=STATE_NEW Found ticket for hbase/ip@REALM to go to krbtgt/domain@REALM expiring on Fri Dec 23 12:00:07 IST 2016 Service ticket not found in the subject &gt;&gt;&gt; Credentials acquireServiceCreds: same realm Using builtin default etypes for default_tgs_enctypes default etypes for default_tgs_enctypes: 18 17 16 23 1 3. &gt;&gt;&gt; CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType &gt;&gt;&gt; EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType &gt;&gt;&gt; KrbKdcReq send: kdc=kdc.domain UDP:88, timeout=30000, number of retries =3, #bytes=714 &gt;&gt;&gt; KDCCommunication: kdc=kdc.domain UDP:88, timeout=30000,Attempt =1, #bytes=714 &gt;&gt;&gt; KrbKdcReq send: #bytes read=725 &gt;&gt;&gt; KdcAccessibility: remove kdc.domain &gt;&gt;&gt; EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType &gt;&gt;&gt; KrbApReq: APOptions are 00100000 00000000 00000000 00000000 &gt;&gt;&gt; EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.</P><P> Please let me know from where it is reading to create a ticket for 24 hour</P> Thu, 22 Dec 2016 14:57:05 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/hi-I-have-changed-the-krb5-conf-ticket-expiration-and/m-p/167556#M49804 priyanshu770bin 2016-12-22T14:57:05Z https://community.cloudera.com/t5/Archives-of-Support-Questions/hi-I-have-changed-the-krb5-conf-ticket-expiration-and/m-p/167557#M49805 <P><A rel="user" href="https://community.cloudera.com/users/14572/priyanshu770bindal.html" nodeid="14572">@priyanshu bindal</A></P><P>In your "krb5.conf" how have you defined the expiration?</P><P>I can see it working like following <EM>in <STRONG>/etc/krb5.conf</STRONG></EM><STRONG></STRONG>:</P><PRE>[libdefaults] renew_lifetime = 7d forwardable = true default_realm = EXAMPLE.COM ticket_lifetime = 30m </PRE><P>- See here i am setting<EM><STRONG> [ticket_lifetime = 30m] </STRONG></EM>30 minute and i can see the following <EM>in<STRONG>/etc/krb5.conf</STRONG></EM></P><P>:</P><PRE>[root@kjss1 ~]# kdestroy [root@kjss1 ~]# kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs-JoyCluster@EXAMPLE.COM [root@kjss1 ~]# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: hdfs-JoyCluster@EXAMPLE.COM Valid starting Expires Service principal 12/22/16 07:18:12 12/22/16 07:48:12 krbtgt/EXAMPLE.COM@EXAMPLE.COM renew until 12/22/16 07:18:12</PRE><P>.</P><P>Similarly for 30 seconds i did the following<EM><STRONG> [ticket_lifetime = 30s]</STRONG> in<STRONG> </STRONG><STRONG>/etc/krb5.conf</STRONG></EM></P><PRE>[root@kjss1 ~]# kdestroy [root@kjss1 ~]# kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs-JoyCluster@EXAMPLE.COM [root@kjss1 ~]# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: hdfs-JoyCluster@EXAMPLE.COM Valid starting Expires Service principal 12/22/16 07:22:12 12/22/16 07:22:42 krbtgt/EXAMPLE.COM@EXAMPLE.COM renew until 12/22/16 07:22:12</PRE><P>- </P><P><A href="http://web.mit.edu/Kerberos/krb5-1.12/doc/basic/date_format.html#duration" target="_blank">http://web.mit.edu/Kerberos/krb5-1.12/doc/basic/date_format.html#duration</A></P><P>.</P> Thu, 22 Dec 2016 15:21:48 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/hi-I-have-changed-the-krb5-conf-ticket-expiration-and/m-p/167557#M49805 jsensharma 2016-12-22T15:21:48Z https://community.cloudera.com/t5/Archives-of-Support-Questions/hi-I-have-changed-the-krb5-conf-ticket-expiration-and/m-p/167558#M49806 <P>Hi, this is a Java bug, and fixed in Java 9</P><P>see:</P><P><A href="https://stackoverflow.com/questions/38555244/how-do-you-set-the-kerberos-ticket-lifetime-from-java" target="_blank">https://stackoverflow.com/questions/38555244/how-do-you-set-the-kerberos-ticket-lifetime-from-java</A></P><P><A href="https://bugs.java.com/bugdatabase/view_bug.do?bug_id=8044500" target="_blank">https://bugs.java.com/bugdatabase/view_bug.do?bug_id=8044500</A></P> Mon, 15 Jan 2018 17:07:42 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/hi-I-have-changed-the-krb5-conf-ticket-expiration-and/m-p/167558#M49806 iusepython 2018-01-15T17:07:42Z