Created on 08-25-2015 04:09 AM - edited 09-16-2022 02:39 AM
Renewing kerberos ticket to work around kerberos 1.8.1: /usr/bin/kinit -R -c /tmp/hue_krb5_ccache
Aug 24, 2:43:16 PM ERROR kt_renewer
Couldn't renew kerberos ticket in order to work around Kerberos 1.8.1 issue. Please check that the ticket for 'hue/ngs-poc2.tcshydnextgen.com@TCSHYDNEXTGEN.COM' is still renewable:
$ kinit -f -c /tmp/hue_krb5_ccache
If the 'renew until' date is the same as the 'valid starting' date, the ticket cannot be renewed. Please check your KDC configuration, and the ticket renewal policy (maxrenewlife) for the 'hue/ngs-poc2.tcshydnextgen.com@TCSHYDNEXTGEN.COM' and `krbtgt' principals.
Created 08-25-2015 04:11 AM
Please find the krb5.conf configuration:
cat: /etc/krb5.: No such file or directory
[root@ngs-poc1 ~]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = TCSHYDNEXTGEN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
TCSHYDNEXTGEN.COM = {
kdc = ngs-poc1.tcshydnextgen.com
admin_server = ngs-poc1.tcshydnextgen.com
}
[domain_realm]
.tcshydnextgen.com = TCSHYDNEXTGEN.COM
tcshydnextgen.com = TCSHYDNEXTGEN.COM
Created 08-25-2015 04:36 AM
When you kinit and then run
klist -f
do you see an R flag? Are the expiration time and the renew until time the same on your ticket? If so, have you configured ticket renewal on the KDC side?
If you are using MIT KDC, in your kdc.conf you'll need something like
max_renewable_life = 7d
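As an added example (not code from the thread or from Cloudera), here is a small Python check that applies the advice above to klist -f output: it parses the ticket lines, looks for the R flag on the krbtgt entry, and compares renew until with Valid starting and Expires. The two listings are constructed in the layout klist prints; the first mirrors the symptom in this thread, the second is a healthy counterpart. The function names are my own.

```python
import re
from datetime import datetime

# Constructed sample in the layout "klist -fe" prints. It mirrors the thread's
# symptom: Flags carry R, yet "renew until" equals "Valid starting".
NON_RENEWABLE_KLIST = """\
Ticket cache: FILE:/tmp/hue_krb5_ccache
Default principal: hue/ngs-poc2.tcshydnextgen.com@TCSHYDNEXTGEN.COM

Valid starting     Expires            Service principal
08/31/15 09:48:03  09/01/15 09:48:03  krbtgt/TCSHYDNEXTGEN.COM@TCSHYDNEXTGEN.COM
\trenew until 08/31/15 09:48:03, Flags: FRI
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
"""

# Constructed healthy counterpart: renew until lies 7 days after the start.
RENEWABLE_KLIST = NON_RENEWABLE_KLIST.replace(
    "renew until 08/31/15 09:48:03", "renew until 09/07/15 09:48:03")

_TS = r"\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}"
_TICKET_RE = re.compile(rf"^({_TS})\s+({_TS})\s+(\S+)\s*$")
_RENEW_RE = re.compile(rf"^\s*renew until ({_TS}),\s*Flags:\s*(\S+)")


def _ts(s):
    return datetime.strptime(s, "%m/%d/%y %H:%M:%S")


def parse_klist(text):
    """Turn klist -f output into ticket dicts: start, expires, service, renew_until, flags."""
    tickets = []
    for line in text.splitlines():
        m = _TICKET_RE.match(line)
        if m:
            tickets.append({"start": _ts(m.group(1)), "expires": _ts(m.group(2)),
                            "service": m.group(3), "renew_until": None, "flags": ""})
            continue
        m = _RENEW_RE.match(line)
        if m and tickets:  # the "renew until" line belongs to the ticket just parsed
            tickets[-1]["renew_until"] = _ts(m.group(1))
            tickets[-1]["flags"] = m.group(2)
    return tickets


def tgt_renewable(text):
    """Return (ok, reason) for the TGT (krbtgt/...) in a klist listing."""
    tgts = [t for t in parse_klist(text) if t["service"].startswith("krbtgt/")]
    if not tgts:
        return False, "no krbtgt ticket in the cache"
    t = tgts[0]
    if "R" not in t["flags"]:
        return False, "TGT was issued without the R (renewable) flag"
    if t["renew_until"] is None or t["renew_until"] <= t["start"]:
        return False, "renew until is the same as Valid starting: the KDC issued a non-renewable TGT"
    if t["renew_until"] <= t["expires"]:
        return False, "renew until does not extend past Expires, so renewal gains nothing"
    return True, f"TGT renewable for {t['renew_until'] - t['start']}"


if __name__ == "__main__":
    for label, out in (("thread sample", NON_RENEWABLE_KLIST), ("healthy sample", RENEWABLE_KLIST)):
        print(label, tgt_renewable(out))
```

Note that the R flag alone is not enough: the thread's own listing shows Flags: FRI while renew until equals Valid starting, which is why the check compares the timestamps as well.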
Created 08-26-2015 10:39 PM
Thanks for the timely support Mkazia.
The issue is still not resolved.
As suggested, we made the changes in kdc.conf
======================================
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
TCSHYDNEXTGEN.COM = {
#master_key_type = aes256-cts
max_renewable_life = 7d 0h 0m 0s
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
default_principal_flags = +renewable
}
max_life = 24h
max_renewable_life = 7d
===================================
After modifying the kdc.conf file, we restarted the services below:
service krb5kdc restart
service kadmin restart
and restarted the Hue service from CM.
Created 08-27-2015 06:23 AM
If you generated the principals before the property was added, you would either have to modify your principals or regenerate them.
You can check whether your principals have been set up with the right renewable parameters by launching kadmin[.local] and running getprinc on a principal.
You should see
Maximum renewable life: 7 days 00:00:00
Created 08-27-2015 09:14 PM
Thanks for the support, mkazia.
I have regenerated the keys and restarted the services, but the issue is still not resolved.
Please find the sample output of getprinc for the hue service:
kadmin.local: getprinc hue/ngs-poc1.tcshydnextgen.com@TCSHYDNEXTGEN.COM
Principal: hue/ngs-poc1.tcshydnextgen.com@TCSHYDNEXTGEN.COM
Expiration date: [never]
Last password change: Fri Aug 28 08:42:05 IST 2015
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 5 days 00:00:00
Last modified: Fri Aug 28 08:42:05 IST 2015 (cloudera-scm/admin@TCSHYDNEXTGEN.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 6
Key: vno 5, aes256-cts-hmac-sha1-96, no salt
Key: vno 5, aes128-cts-hmac-sha1-96, no salt
Key: vno 5, des3-cbc-sha1, no salt
Key: vno 5, arcfour-hmac, no salt
Key: vno 5, des-hmac-sha1, no salt
Key: vno 5, des-cbc-md5, no salt
MKey: vno 1
Attributes:
Policy: [none]
kadmin.local:
Here I see the maximum renewable life is 5 days, but I have configured it as 7d in kdc.conf:
[root@ngs-poc1 init.d]# cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
TCSHYDNEXTGEN.COM = {
#master_key_type = aes256-cts
max_renewable_life = 7d 0h 0m 0s
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
default_principal_flags = +renewable
}
max_life = 24h
max_renewable_life = 7d
Created 08-28-2015 04:00 PM
On the node that is running hue/kerberos ticket renewer, can you restart hue service and run the following and reply with the output?
KRB5CCNAME=/tmp/hue_krb5_ccache klist -fe
Created 08-30-2015 10:06 PM
Please find the requested output for the command below:
KRB5CCNAME=/tmp/hue_krb5_ccache klist -fe
=============
[root@ngs-poc2 ~]# KRB5CCNAME=/tmp/hue_krb5_ccache klist -fe
Ticket cache: FILE:/tmp/hue_krb5_ccache
Default principal: hue/ngs-poc2.tcshydnextgen.com@TCSHYDNEXTGEN.COM
Valid starting Expires Service principal
08/31/15 09:48:03 09/01/15 09:48:03 krbtgt/TCSHYDNEXTGEN.COM@TCSHYDNEXTGEN.COM
renew until 08/31/15 09:48:03, Flags: FRI
Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
[root@ngs-poc2 ~]#
=============
Created 09-01-2015 09:13 AM
Your renew until timestamp is the same as Valid starting. This confirms that your TGT is not renewable. There could be two reasons for this.
1. Your principal in kdc is still being created without the correct max_renewable_life
You can check this from kadmin by doing a getprinc on hue/ngs-poc2.tcshydnextgen.com@TCSHYDNEXTGEN.COM. If it is incorrect then you have to delete these principals and recreate.
2. Your krb5.conf does not have the right renew_lifetime; you should set it to match the max_renewable_life in kdc.conf. For compatibility with MIT KDC client libraries and Java you should set it in seconds. So, for example, if your max_renewable_life is 7d, then set
renew_lifetime = 604800
Also make sure that in the CM Kerberos configuration "Kerberos Renewable Lifetime" and "Kerberos Ticket Lifetime" are set to match what you have set in kdc.conf
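As an added example, not part of the thread, the consistency check this post implies, written in Python: the renewable life a client actually gets is bounded by every limit in the chain (kdc.conf max_renewable_life, the Maximum renewable life of the service principal and of the krbtgt principal as shown by getprinc, and the client's renew_lifetime in krb5.conf), so the script parses each duration spelling seen in this thread (7d, 7d 0h 0m 0s, 604800, 5 days 00:00:00) into seconds and reports which setting is the bottleneck. THREAD_LIMITS is constructed from the numbers posted above; the function names and the set of accepted duration formats are my own assumptions (MIT krb5 accepts a few more spellings than this parser does).

```python
import re

_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_krb5_duration(value):
    """Parse a duration as written in kdc.conf, krb5.conf or getprinc output into seconds.

    Assumption: only plain seconds ("604800"), unit-suffixed tokens ("7d", "24h",
    "7d 0h 0m 0s") and the getprinc form ("5 days 00:00:00") are handled.
    """
    v = value.strip()
    if re.fullmatch(r"\d+", v):                                  # plain seconds
        return int(v)
    m = re.fullmatch(r"(\d+) days? (\d+):(\d+):(\d+)", v)        # getprinc form
    if m:
        d, h, mi, s = (int(x) for x in m.groups())
        return d * 86400 + h * 3600 + mi * 60 + s
    if re.fullmatch(r"(\s*\d+[dhms])+\s*", v):                   # "7d", "7d 0h 0m 0s"
        return sum(int(n) * _UNIT_SECONDS[u] for n, u in re.findall(r"(\d+)([dhms])", v))
    raise ValueError(f"unsupported duration: {value!r}")


def effective_renewable_life(limits):
    """limits: {setting name: duration string}. Returns (seconds granted, [bottleneck names])."""
    secs = {name: parse_krb5_duration(d) for name, d in limits.items()}
    low = min(secs.values())
    return low, sorted(n for n, s in secs.items() if s == low)


def renewal_findings(limits, intended):
    """List every setting whose value differs from the intended renewable life."""
    want = parse_krb5_duration(intended)
    out = []
    for name, d in limits.items():
        have = parse_krb5_duration(d)
        if have != want:
            out.append(f"{name}: {d} ({have}s) differs from intended {intended} ({want}s)")
    return out


# Constructed from the thread: kdc.conf and krb5.conf say 7 days, but getprinc
# shows the hue principal was created with a 5 day limit. A real check would
# also include the krbtgt principal's Maximum renewable life.
THREAD_LIMITS = {
    "kdc.conf max_renewable_life": "7d 0h 0m 0s",
    "krb5.conf renew_lifetime": "604800",
    "hue principal max renewable life": "5 days 00:00:00",
}

if __name__ == "__main__":
    secs, bottleneck = effective_renewable_life(THREAD_LIMITS)
    print(f"KDC will grant at most {secs}s, limited by {bottleneck}")
    for finding in renewal_findings(THREAD_LIMITS, "7d"):
        print("mismatch:", finding)
```

Run against the thread's values it names the hue principal as the limit, which matches the advice to delete and recreate principals that were generated before max_renewable_life was set.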
Created 09-03-2015 05:59 AM
Thanks for the support
We just followed the steps below, which we got from cloudera.com, and the issue is now fixed:
Troubleshooting the Kerberos Ticket Renewer: