Renewing kerberos ticket to work around kerberos 1.8.1: /usr/bin/kinit -R -c /tmp/hue_krb5_ccache
Aug 24, 2:43:16 PM ERROR kt_renewer
Couldn't renew kerberos ticket in order to work around Kerberos 1.8.1 issue. Please check that the ticket for 'hue/ngs-poc2.tcshydnextgen.com@TCSHYDNEXTGEN.COM' is still renewable: $ kinit -f -c /tmp/hue_krb5_ccache If the 'renew until' date is the same as the 'valid starting' date, the ticket cannot be renewed. Please check your KDC configuration, and the ticket renewal policy (maxrenewlife) for the 'hue/ngs-poc2.tcshydnextgen.com@TCSHYDNEXTGEN.COM' and `krbtgt' principals.
I have regenerated the keys and restarted the services, but the issue is still not resolved.
Please find the sample output of getprinc for the hue service:
kadmin.local: getprinc hue/ngs-poc1.tcshydnextgen.com@TCSHYDNEXTGEN.COM
Principal: hue/ngs-poc1.tcshydnextgen.com@TCSHYDNEXTGEN.COM
Expiration date: [never]
Last password change: Fri Aug 28 08:42:05 IST 2015
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 5 days 00:00:00
Last modified: Fri Aug 28 08:42:05 IST 2015 (cloudera-scm/admin@TCSHYDNEXTGEN.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 6
Key: vno 5, aes256-cts-hmac-sha1-96, no salt
Key: vno 5, aes128-cts-hmac-sha1-96, no salt
Key: vno 5, des3-cbc-sha1, no salt
Key: vno 5, arcfour-hmac, no salt
Key: vno 5, des-hmac-sha1, no salt
Key: vno 5, des-cbc-md5, no salt
MKey: vno 1
Attributes:
Policy: [none]
kadmin.local:
Here I see the maximum renewal life is 5 days, but I have configured it as 7d in kdc.conf.
Your renew until timestamp is the same as Valid starting. This confirms that your TGT is not renewable. There could be two reasons for this.
1. Your principal in the KDC is still being created without the correct max_renewable_life.
You can check this from kadmin by doing a getprinc on hue/ngs-poc2.tcshydnextgen.com@TCSHYDNEXTGEN.COM. If it is incorrect, then you have to delete these principals and recreate them.
2. Your krb5.conf does not have the right renew_lifetime; you should set it to match the max_renewable_life in kdc.conf. For compatibility with MIT KDC client libraries and Java, you should set it in seconds. So, for example, if your max_renewable_life is 7d, then set
renew_lifetime = 604800
Also, make sure that in the CM Kerberos configuration "Kerberos Renewable Lifetime" and "Kerberos Ticket Lifetime" are set to match what you have set in kdc.conf.
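An added example, not part of the original thread: a read-only shell check that extracts "Maximum renewable life" from getprinc output and compares it with the renew_lifetime in seconds, which is the comparison the reply above describes. The function names are hypothetical and the sample input is constructed from the getprinc output posted in the question.

```sh
#!/bin/sh
# Added example (not from the thread): read-only comparison of a principal's
# "Maximum renewable life" with the renew_lifetime expected on the client side.

# Convert a kadmin lifetime ("5 days 00:00:00", "1 day 00:00:00", "10:00:00") to seconds.
life_to_seconds() {
    printf '%s\n' "$1" | awk '{
        days = 0; hms = $1
        if (NF >= 3) { days = $1; hms = $3 }    # "<n> day(s) HH:MM:SS"
        split(hms, t, ":")
        print days * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
    }'
}

# Read getprinc output on stdin and print the renewable life in seconds.
renewable_seconds() {
    life=$(sed -n 's/^[[:space:]]*Maximum renewable life:[[:space:]]*//p' | head -n 1)
    [ -n "$life" ] || return 2
    life_to_seconds "$life"
}

# check_renewable EXPECTED_SECONDS < getprinc-output
# Returns 0 if the principal allows at least EXPECTED_SECONDS, 1 if it allows
# less (0 means tickets are never renewable), 2 if the field is missing.
check_renewable() {
    expected=$1
    actual=$(renewable_seconds) || { echo "no 'Maximum renewable life' line found"; return 2; }
    if [ "$actual" -eq 0 ]; then
        echo "not renewable: maximum renewable life is 0"; return 1
    elif [ "$actual" -lt "$expected" ]; then
        echo "mismatch: principal allows ${actual}s, expected ${expected}s"; return 1
    fi
    echo "ok: principal allows ${actual}s"
}

# Constructed sample: the relevant getprinc lines as posted in the thread.
SAMPLE_GETPRINC='Principal: hue/ngs-poc1.tcshydnextgen.com@TCSHYDNEXTGEN.COM
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 5 days 00:00:00'

# 604800 is the renew_lifetime from the reply (7d); the sample allows only 5 days.
printf '%s\n' "$SAMPLE_GETPRINC" | check_renewable 604800 || echo "renewal policy needs attention"
```

On a KDC, the same check can read live data with `kadmin.local -q "getprinc <principal>" | check_renewable 604800`, run once for the hue principal and once for the krbtgt principal, since the log message names both.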
If the Hue Kerberos Ticket Renewer does not start, check your KDC configuration and the ticket renewal property, maxrenewlife, for the hue/<hostname> and krbtgt principals to ensure they are renewable. If not, running the following commands on the KDC will enable renewable tickets for these principals.