Archives of Support Questions (Read Only)

This is an archived board for historical reference. Information and links may no longer be available or relevant

Hi, I have changed the krb5.conf ticket expiration and renewal time both to 30 seconds. Now if I create a ticket using kinit, it gets expired in 30 sec, while if I write a Java program and provide userPrincipal and keytab there, it won't expire in 30 sec.


Kindly help me to understand the logic.

1 ACCEPTED SOLUTION

Master Mentor

@priyanshu bindal

Can you please check if your Java program is pointing to the correct krb5.conf? Normally in a Linux environment its value is "/etc/krb5.conf". However, we can locate it as per "Locating the krb5.conf Configuration File": https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html

Usually we set the path for this file using the Java property "-Djava.security.krb5.conf".

- Also we can debug what's going on using the "-Dsun.security.krb5.debug=true" Java option.


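As an added example (not code from this thread or from the JDK documentation), the program below does what the accepted answer suggests in one place: it sets java.security.krb5.conf and sun.security.krb5.debug programmatically, logs in from a keytab with the JDK's Krb5LoginModule, and then prints the start, end and renew-until times of the TGT that actually landed in the Subject. The class name, the JAAS entry name "keytab-login" and the sample paths and principal in the usage line are assumptions; the login-module option names (useKeyTab, keyTab, principal, useTicketCache, refreshKrb5Config, debug) are the documented Krb5LoginModule options. Setting useTicketCache=false forces a fresh AS-REQ instead of reusing whatever is in /tmp/krb5cc_*, and refreshKrb5Config=true makes the module re-read krb5.conf at this login, which removes two common reasons for seeing a lifetime that does not match the file you edited. What gets printed is the lifetime the KDC granted, which can be shorter than the requested ticket_lifetime because the KDC enforces its own maximum per realm and per principal.

```java
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Log in from a keytab with the JDK's Krb5LoginModule and print the lifetime
 * of the TGT the KDC actually issued, so it can be compared with the
 * ticket_lifetime in the krb5.conf this JVM is using.
 *
 * Usage (paths and principal are placeholders, not values from the thread):
 *   java TicketLifetimeCheck /etc/krb5.conf hbase/host.example.com@EXAMPLE.COM /etc/security/keytabs/hbase.service.keytab
 */
public class TicketLifetimeCheck {

    /** JAAS configuration built in code; equivalent to a jaas.conf entry with useKeyTab/keyTab/principal. */
    static final class KeytabConfig extends Configuration {
        private final String principal;
        private final String keytab;

        KeytabConfig(String principal, String keytab) {
            this.principal = principal;
            this.keytab = keytab;
        }

        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            Map<String, String> opts = new HashMap<>();
            opts.put("useKeyTab", "true");
            opts.put("storeKey", "true");
            opts.put("doNotPrompt", "true");
            opts.put("keyTab", keytab);
            opts.put("principal", principal);
            // Do not pick up an existing ticket from /tmp/krb5cc_*; force a fresh AS-REQ
            // so the lifetime seen here is the one the KDC grants now.
            opts.put("useTicketCache", "false");
            // Re-read krb5.conf on this login instead of reusing values cached by the JVM.
            opts.put("refreshKrb5Config", "true");
            opts.put("debug", "true");
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts)
            };
        }
    }

    public static void main(String[] args) throws LoginException {
        if (args.length != 3) {
            System.err.println("usage: TicketLifetimeCheck <krb5.conf> <principal> <keytab>");
            System.exit(2);
        }
        // Same effect as -Djava.security.krb5.conf=... and -Dsun.security.krb5.debug=true
        // on the command line; both must be set before the first Kerberos class is loaded.
        System.setProperty("java.security.krb5.conf", args[0]);
        System.setProperty("sun.security.krb5.debug", "true");

        // "keytab-login" is an arbitrary entry name; KeytabConfig ignores it and always
        // returns the same module entry.
        LoginContext lc = new LoginContext("keytab-login", null, null, new KeytabConfig(args[1], args[2]));
        lc.login();
        Subject subject = lc.getSubject();

        // The TGT (and any service tickets obtained later) live in the Subject's private credentials.
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            Date start = t.getStartTime() != null ? t.getStartTime() : t.getAuthTime();
            long lifetimeSec = (t.getEndTime().getTime() - start.getTime()) / 1000;
            System.out.println(t.getClient() + " -> " + t.getServer());
            System.out.println("  valid from : " + start);
            System.out.println("  expires    : " + t.getEndTime());
            System.out.println("  renew until: " + (t.getRenewTill() == null ? "(not renewable)" : t.getRenewTill()));
            System.out.println("  lifetime   : " + lifetimeSec + " s");
        }
        lc.logout();
    }
}
```

Run it once with the krb5.conf you edited and compare the printed lifetime with the Expires column of klist for a kinit done against the same file; if the two differ, the debug output printed by sun.security.krb5.debug shows which configuration file and KDC the JVM actually used.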

4 REPLIES 4



Hi Jay, after adding these 2 properties, my program is reading from /etc/krb5.conf, but it is creating a ticket for 24 hours instead of 30 sec. Following is the debug message:

Found ticket for hbase/ip@domain to go to krbtgt/domain@REALM expiring on Fri Dec 23 12:00:07 IST 2016
Entered Krb5Context.initSecContext with state=STATE_NEW
Found ticket for hbase/ip@REALM to go to krbtgt/domain@REALM expiring on Fri Dec 23 12:00:07 IST 2016
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23 1 3.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbKdcReq send: kdc=kdc.domain UDP:88, timeout=30000, number of retries =3, #bytes=714
>>> KDCCommunication: kdc=kdc.domain UDP:88, timeout=30000,Attempt =1, #bytes=714
>>> KrbKdcReq send: #bytes read=725
>>> KdcAccessibility: remove kdc.domain
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbApReq: APOptions are 00100000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType

Please let me know from where it is reading to create a ticket for 24 hours.

Master Mentor

@priyanshu bindal

In your "krb5.conf" how have you defined the expiration?

I can see it working like the following in /etc/krb5.conf:

[libdefaults]
  renew_lifetime = 7d
  forwardable = true
  default_realm = EXAMPLE.COM
  ticket_lifetime = 30m

- See here I am setting [ticket_lifetime = 30m] (30 minutes) and I can see the following in /etc/krb5.conf:

[root@kjss1 ~]# kdestroy
[root@kjss1 ~]# kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs-JoyCluster@EXAMPLE.COM 
[root@kjss1 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hdfs-JoyCluster@EXAMPLE.COM

Valid starting     Expires            Service principal
12/22/16 07:18:12  12/22/16 07:48:12  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    renew until 12/22/16 07:18:12


Similarly, for 30 seconds I did the following [ticket_lifetime = 30s] in /etc/krb5.conf:

[root@kjss1 ~]# kdestroy
[root@kjss1 ~]# kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs-JoyCluster@EXAMPLE.COM 
[root@kjss1 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hdfs-JoyCluster@EXAMPLE.COM

Valid starting     Expires            Service principal
12/22/16 07:22:12  12/22/16 07:22:42  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    renew until 12/22/16 07:22:12

- http://web.mit.edu/Kerberos/krb5-1.12/doc/basic/date_format.html#duration

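As an added example (not code from this thread or from MIT Kerberos), the class below parses a krb5.conf duration value such as ticket_lifetime or renew_lifetime in the three forms the linked MIT duration page documents (h:m[:s], a combination of d/h/m/s units, or a bare number of seconds) and computes the Expires time klist should show for a given "Valid starting" time. The class and method names are assumptions; the two sample timestamps in main come from the klist output in the reply above, and the computed values reproduce its Expires column. The bare-number case is worth noting: "30" means 30 seconds, not 30 minutes, so a ticket_lifetime written without a unit is easy to misread.

```java
import java.time.LocalDateTime;
import java.time.format.DateTimeFormatter;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Parse a krb5.conf duration (ticket_lifetime, renew_lifetime) into seconds
 * and compute the expiry klist should report for a given "Valid starting" time.
 *
 * Accepted forms, per the MIT duration documentation linked in the reply:
 *   h:m[:s]           e.g. "0:30:00"
 *   [Nd][Nh][Nm][Ns]  e.g. "7d", "30m", "30s", "1d2h"
 *   N                 bare number = seconds
 */
public class KrbDuration {

    private static final Pattern UNITS =
            Pattern.compile("^(?:(\\d+)d)?(?:(\\d+)h)?(?:(\\d+)m)?(?:(\\d+)s)?$");
    // klist prints times as MM/dd/yy HH:mm:ss in the reply above.
    private static final DateTimeFormatter KLIST = DateTimeFormatter.ofPattern("MM/dd/yy HH:mm:ss");

    public static long toSeconds(String value) {
        String s = value.trim();
        if (s.isEmpty()) throw new IllegalArgumentException("empty duration");
        if (s.matches("\\d+")) return Long.parseLong(s);           // bare seconds
        if (s.matches("\\d+:\\d+(?::\\d+)?")) {                     // h:m[:s]
            String[] p = s.split(":");
            long sec = Long.parseLong(p[0]) * 3600 + Long.parseLong(p[1]) * 60;
            return p.length == 3 ? sec + Long.parseLong(p[2]) : sec;
        }
        Matcher m = UNITS.matcher(s);                               // NdNhNmNs, each part optional
        if (!m.matches()) throw new IllegalArgumentException("not a krb5 duration: " + value);
        long sec = 0;
        if (m.group(1) != null) sec += Long.parseLong(m.group(1)) * 86400;
        if (m.group(2) != null) sec += Long.parseLong(m.group(2)) * 3600;
        if (m.group(3) != null) sec += Long.parseLong(m.group(3)) * 60;
        if (m.group(4) != null) sec += Long.parseLong(m.group(4));
        return sec;
    }

    /** Expiry time klist should report for a ticket whose "Valid starting" is validStarting (klist format). */
    public static String expectedExpiry(String validStarting, String ticketLifetime) {
        LocalDateTime start = LocalDateTime.parse(validStarting, KLIST);
        return start.plusSeconds(toSeconds(ticketLifetime)).format(KLIST);
    }

    public static void main(String[] args) {
        // Start times taken from the klist output in the reply above.
        System.out.println("30m from 12/22/16 07:18:12 -> " + expectedExpiry("12/22/16 07:18:12", "30m"));
        System.out.println("30s from 12/22/16 07:22:12 -> " + expectedExpiry("12/22/16 07:22:12", "30s"));
        System.out.println("7d      = " + toSeconds("7d") + " s");
        System.out.println("0:30:00 = " + toSeconds("0:30:00") + " s");
        System.out.println("30      = " + toSeconds("30") + " s (bare number is seconds, not minutes)");
    }
}
```

If the value you put in krb5.conf parses to 30 seconds here but the ticket still shows a day, the file is not the one being read, or the KDC is substituting its own limit; either way the krb5.conf syntax itself is not the problem.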
