Error on kerberos ticket renewer role startup

Contributor

Renewing kerberos ticket to work around kerberos 1.8.1: /usr/bin/kinit -R -c /tmp/hue_krb5_ccache

Aug 24, 2:43:16 PM     ERROR     kt_renewer     

Couldn't renew kerberos ticket in order to work around Kerberos 1.8.1 issue. Please check that the ticket for 'hue/ngs-poc2.tcshydnextgen.com@TCSHYDNEXTGEN.COM' is still renewable:
  $ kinit -f -c /tmp/hue_krb5_ccache
If the 'renew until' date is the same as the 'valid starting' date, the ticket cannot be renewed. Please check your KDC configuration, and the ticket renewal policy (maxrenewlife) for the 'hue/ngs-poc2.tcshydnextgen.com@TCSHYDNEXTGEN.COM' and `krbtgt' principals.

Contributor

Please find the krb5.conf configuration:

cat: /etc/krb5.: No such file or directory
[root@ngs-poc1 ~]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = TCSHYDNEXTGEN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 TCSHYDNEXTGEN.COM = {
  kdc = ngs-poc1.tcshydnextgen.com
  admin_server = ngs-poc1.tcshydnextgen.com
 }

[domain_realm]
 .tcshydnextgen.com = TCSHYDNEXTGEN.COM
 tcshydnextgen.com = TCSHYDNEXTGEN.COM

Cloudera Employee

When you kinit and then run

klist -f

Do you see an R flag? Are the expiration time and the renew-until time the same on your ticket? If so, have you configured ticket renewal on the KDC side?

If you are using an MIT KDC, in your kdc.conf you'll need something like

max_renewable_life = 7d
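As an added example (not from this thread or from Cloudera), the klist check described in this reply can be scripted so the renewer host can be tested in one command: pipe `KRB5CCNAME=/tmp/hue_krb5_ccache klist -fe` into the function and it exits non-zero when the TGT cannot be renewed, using the two signs named above (an R flag, and a "renew until" time later than "Valid starting"). The klist dumps embedded below, and the host and realm names in them, are constructed samples modelled on the klist -fe output format.

```shell
#!/bin/sh
# Added example (not from the thread): automate the klist -f check.
# tgt_renewable reads `klist -fe` output on stdin and returns 0 when the
# krbtgt ticket is renewable, 1 when it is not, 2 when no krbtgt ticket
# is in the cache. It prints a one-line verdict either way.
tgt_renewable() {
    awk '
        # krbtgt line: "<valid starting date> <time>  <expires date> <time>  krbtgt/..."
        /krbtgt\// { start = $1 " " $2; found = 1; next }
        # the indented line after it: "renew until <date> <time>, Flags: FRI"
        found && !decided && /renew until/ {
            until = $3 " " $4; sub(/,$/, "", until)
            flags = $NF
            decided = 1
            if (index(flags, "R") == 0) { print "not renewable: no R flag on the TGT"; exit 1 }
            if (until == start) { print "not renewable: renew until equals valid starting"; exit 1 }
            print "renewable until " until " (flags " flags ")"; exit 0
        }
        END {
            if (!found)   { print "no krbtgt ticket in cache"; exit 2 }
            # klist prints "renew until" only when a renew-till time is set,
            # so a krbtgt entry without that line is also not renewable.
            if (!decided) { print "not renewable: no renew until line"; exit 1 }
        }
    '
}

# Constructed sample: renew until equals valid starting (the failure in this thread).
BAD_KLIST='Ticket cache: FILE:/tmp/hue_krb5_ccache
Default principal: hue/renewer.example.com@EXAMPLE.COM

Valid starting     Expires            Service principal
08/31/15 09:48:03  09/01/15 09:48:03  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    renew until 08/31/15 09:48:03, Flags: FRI
    Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96'

# Constructed sample: a healthy, seven-day renewable TGT.
GOOD_KLIST='Ticket cache: FILE:/tmp/hue_krb5_ccache
Default principal: hue/renewer.example.com@EXAMPLE.COM

Valid starting     Expires            Service principal
08/31/15 09:48:03  09/01/15 09:48:03  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    renew until 09/07/15 09:48:03, Flags: FRI
    Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96'

# Constructed sample: klist omitted the "renew until" line entirely.
NORENEW_KLIST='Ticket cache: FILE:/tmp/hue_krb5_ccache
Default principal: hue/renewer.example.com@EXAMPLE.COM

Valid starting     Expires            Service principal
08/31/15 09:48:03  09/01/15 09:48:03  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96'

# Stand-alone demo over the constructed samples.
# Real use: KRB5CCNAME=/tmp/hue_krb5_ccache klist -fe | tgt_renewable
for sample in "$BAD_KLIST" "$GOOD_KLIST" "$NORENEW_KLIST"; do
    if printf '%s\n' "$sample" | tgt_renewable; then
        echo "  -> the ticket renewer would be able to renew this ticket"
    else
        echo "  -> the ticket renewer would fail on this ticket"
    fi
done
```

The verdict strings are deliberately distinct so the check can be wired into a monitoring probe on the renewer node and the reason for a failure (missing R flag versus a zero renew window) shows up directly in the alert.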

Contributor

Thanks for the timely support Mkazia.

The issue is still not resolved.

As suggested, we made the changes in kdc.conf:

======================================

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 TCSHYDNEXTGEN.COM = {
  #master_key_type = aes256-cts
  max_renewable_life = 7d 0h 0m 0s
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
  default_principal_flags = +renewable
 }

max_life = 24h
max_renewable_life = 7d

===================================

 

After modifying the kdc.conf file we restarted the services below:

service krb5kdc restart

service kadmin restart

and restarted the Hue service from CM.

 

Cloudera Employee

If you generated the principals before the property was added, you would either have to modify your principals or regenerate them.

 

You can check if your principals have been set up with the right renewable parameters by launching kadmin[.local] and running getprinc on a principal.

 

You should see:

Maximum renewable life: 7 days 00:00:00

Contributor

Thanks for the support, mkazia.

I have regenerated the keys and restarted the services, but the issue is still not resolved.

Please find the sample output of getprinc for the hue service:

kadmin.local:  getprinc hue/ngs-poc1.tcshydnextgen.com@TCSHYDNEXTGEN.COM
Principal: hue/ngs-poc1.tcshydnextgen.com@TCSHYDNEXTGEN.COM
Expiration date: [never]
Last password change: Fri Aug 28 08:42:05 IST 2015
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 5 days 00:00:00
Last modified: Fri Aug 28 08:42:05 IST 2015 (cloudera-scm/admin@TCSHYDNEXTGEN.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 6
Key: vno 5, aes256-cts-hmac-sha1-96, no salt
Key: vno 5, aes128-cts-hmac-sha1-96, no salt
Key: vno 5, des3-cbc-sha1, no salt
Key: vno 5, arcfour-hmac, no salt
Key: vno 5, des-hmac-sha1, no salt
Key: vno 5, des-cbc-md5, no salt
MKey: vno 1
Attributes:
Policy: [none]
kadmin.local:  

 

Here I see the maximum renewal life is 5 days, but I have configured it as 7d in kdc.conf:

[root@ngs-poc1 init.d]# cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 TCSHYDNEXTGEN.COM = {
  #master_key_type = aes256-cts
  max_renewable_life = 7d 0h 0m 0s
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
  default_principal_flags = +renewable
 }

max_life = 24h
max_renewable_life = 7d

Cloudera Employee

On the node that is running the Hue Kerberos Ticket Renewer, can you restart the Hue service, run the following, and reply with the output?

KRB5CCNAME=/tmp/hue_krb5_ccache klist -fe

 

 

 

Contributor

Please find the requested output for the command below:

KRB5CCNAME=/tmp/hue_krb5_ccache klist -fe

 

 

=============

[root@ngs-poc2 ~]# KRB5CCNAME=/tmp/hue_krb5_ccache klist -fe
Ticket cache: FILE:/tmp/hue_krb5_ccache
Default principal: hue/ngs-poc2.tcshydnextgen.com@TCSHYDNEXTGEN.COM

Valid starting     Expires            Service principal
08/31/15 09:48:03  09/01/15 09:48:03  krbtgt/TCSHYDNEXTGEN.COM@TCSHYDNEXTGEN.COM
    renew until 08/31/15 09:48:03, Flags: FRI
    Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
[root@ngs-poc2 ~]#

=============

Cloudera Employee

Your renew-until timestamp is the same as the valid-starting timestamp. This confirms that your TGT is not renewable. There could be two reasons for this.

1. Your principal in kdc is still being created without the correct max_renewable_life

You can check this from kadmin by doing a getprinc on hue/ngs-poc2.tcshydnextgen.com@TCSHYDNEXTGEN.COM. If it is incorrect, you have to delete these principals and recreate them.

2. Your krb5.conf does not have the right renew_lifetime; you should set it to match the max_renewable_life in kdc.conf. For compatibility with MIT KDC client libraries and Java you should set it in seconds. So, for example, if your max_renewable_life is 7d, set

renew_lifetime = 604800

 

Also make sure that in the CM Kerberos configuration "Kerberos Renewable Lifetime" and "Kerberos Ticket Lifetime" are set to match what you have set in kdc.conf.

 

Contributor

Thanks for the support.

We just followed the steps below, which we got from cloudera.com, and the issue is now fixed:

 

http://www.cloudera.com/content/cloudera/en/documentation/cloudera-manager/v5-1-x/Configuring-Hadoop...

 

 

Troubleshooting the Kerberos Ticket Renewer:

If the Hue Kerberos Ticket Renewer does not start, check your KDC configuration and the ticket renewal property, maxrenewlife, for the hue/<hostname> and krbtgt principals to ensure they are renewable. If not, running the following commands on the KDC will enable renewable tickets for these principals.
kadmin.local: modprinc -maxrenewlife 90day krbtgt/YOUR_REALM.COM
kadmin.local: modprinc -maxrenewlife 90day +allow_renewable hue/<hostname>@YOUR-REALM.COM
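As an added example (not part of the thread or of Cloudera's documentation), the earlier diagnosis lists three places that must agree before the renewer can work: max_renewable_life in kdc.conf, renew_lifetime in krb5.conf, and the "Maximum renewable life" that getprinc reports for the principal (the value modprinc -maxrenewlife sets in the final step above). Each spells durations differently ("7d 0h 0m 0s", "7d" or "604800", "5 days 00:00:00"), which makes comparing them by eye error-prone, and the thread itself shows a 7d setting coexisting with a 5-day principal. The script below normalises each spelling to seconds and reports which of the three disagrees; the function names are my own, and the demo values are constructed to mirror the ones posted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): normalise the duration spellings used by
# kdc.conf, krb5.conf and getprinc to seconds, then check that all three agree.
# duration_to_seconds and check_renew_config are assumed names, not Kerberos
# or Cloudera tooling.

# duration_to_seconds "<duration>": prints the total number of seconds.
# Accepts "604800", "24h", "7d", "7d 0h 0m 0s", "90day" and "5 days 00:00:00".
duration_to_seconds() {
    printf '%s\n' "$1" | awk '
        function num(s) { match(s, /^[0-9]+/); return substr(s, RSTART, RLENGTH) }
        {
            total = 0
            for (i = 1; i <= NF; i++) {
                tok = $i
                if (tok ~ /^[0-9]+:[0-9]+:[0-9]+$/) {   # "hh:mm:ss" tail printed by getprinc
                    split(tok, p, ":"); total += p[1] * 3600 + p[2] * 60 + p[3]; continue
                }
                if (tok !~ /^[0-9]/) { print "unrecognised token: " tok > "/dev/stderr"; exit 1 }
                n = num(tok); unit = substr(tok, length(n) + 1)
                # "5 days": the unit is a separate word, consume it too
                if (unit == "" && $(i + 1) ~ /^(day|hour|min|sec)/) { unit = $(i + 1); i++ }
                if (unit == "" || unit ~ /^s/) total += n            # bare number or seconds
                else if (unit ~ /^d/)          total += n * 86400
                else if (unit ~ /^h/)          total += n * 3600
                else if (unit ~ /^m/)          total += n * 60
                else { print "unrecognised unit: " unit > "/dev/stderr"; exit 1 }
            }
            print total
        }'
}

# check_renew_config <kdc.conf max_renewable_life> <krb5.conf renew_lifetime> <getprinc "Maximum renewable life">
# Returns 0 when all three agree, 1 on a mismatch, 2 when a value cannot be parsed.
check_renew_config() {
    kdc=$(duration_to_seconds "$1") || return 2
    client=$(duration_to_seconds "$2") || return 2
    princ=$(duration_to_seconds "$3") || return 2
    status=0
    if [ "$client" -ne "$kdc" ]; then
        echo "mismatch: krb5.conf renew_lifetime=${client}s, kdc.conf max_renewable_life=${kdc}s"
        status=1
    fi
    if [ "$princ" -ne "$kdc" ]; then
        echo "mismatch: principal maximum renewable life=${princ}s, kdc.conf max_renewable_life=${kdc}s (recreate the principal or use modprinc -maxrenewlife)"
        status=1
    fi
    # The reply above recommends plain seconds in krb5.conf for Java client compatibility.
    case "$2" in
        *[!0-9]*) echo "note: renew_lifetime '$2' is not written as plain seconds (${client})" ;;
    esac
    [ "$status" -eq 0 ] && echo "renewable lifetime consistent at ${kdc}s"
    return "$status"
}

# Stand-alone demo with values constructed to mirror the thread: 7d in kdc.conf,
# 7d in krb5.conf, and a principal that was created with a 5-day maximum.
if check_renew_config '7d 0h 0m 0s' '7d' '5 days 00:00:00'; then
    echo "-> nothing to fix"
else
    echo "-> fix the mismatches above, then re-check klist -f on the renewer node"
fi
```

Feeding the function real values is a matter of grepping them out: max_renewable_life from /var/kerberos/krb5kdc/kdc.conf, renew_lifetime from /etc/krb5.conf, and the "Maximum renewable life:" line from `kadmin.local -q "getprinc hue/<hostname>"`. Because the principal's limit is stored at creation time, a correct kdc.conf with a stale principal still fails this check, which is exactly the situation the getprinc output in this thread showed.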