Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Hue Kerberos Ticket Renewer error

avatar
Contributor

Hi,

 

I just kerberized my cluster and hue kerberos ticket renewer is throwing below error

 

 

Couldn't renew kerberos ticket in order to work around Kerberos 1.8.1 issue. Please check that the ticket for 'hue/fqdn@EQ.COM' is still renewable:
$ kinit -f -c /tmp/hue_krb5_ccache
If the 'renew until' date is the same as the 'valid starting' date, the ticket cannot be renewed. Please check your KDC configuration, and the ticket renewal policy (maxrenewlife) for the 'hue/fqdn@EQ.COM' and `krbtgt' principals.

 

If I run the command, its prompting for password which I don't know for hue. I am not able to see renew time from below command either.

 

 

[root@-hue-KT_RENEWER]# KRB5CCNAME=/tmp/hue_krb5_ccache klist -fe
Ticket cache: FILE:/tmp/hue_krb5_ccache
Default principal: hue/fqdn@EQ.COM

Valid starting Expires Service principal
06/30/2017 00:34:39 07/01/2017 00:34:39 krbtgt/EQ.COM@EQ.COM
Flags: FI, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

 

 

my conf files is like below:

 

 

[root@259-hue-KT_RENEWER]# cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = EQ.COM
default_ccache_name = KEYRING:persistent:%{uid}
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5

[realms]
EQ.COM = {
kdc = fqdn
admin_server = fqdn
}

 

 

[root]# cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88

[realms]
EQ.COM = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
max_renewable_life = 7d 0h 0m 0s
default_principal_flags = +renewable
}

 

 

while I was kerberizing the cluster, it was starting the service one by one. Impala failed before Hue. So it never got to the point of starting hue. Since all services were running except for Impala and Hue. I proceeded with error, thinking I will start hue separately, perhaps it was a dumb move but the installation was stuck at that point so I had to move forward with error. Ever since that, I am seeing the error for hue. I removed Impala completely from cluster. 

 

Removed and added hue in different nodes, still KTR fails. Is there a way to solve this ?

1 REPLY 1

avatar
Rising Star

Hello,

 

If the Hue Kerberos Ticket Renewer does not start, check your KDC configuration and the ticket renewal property, maxrenewlife, for the hue/<hostname> and krbtgt principals to ensure they are renewable. If not, running the following commands on the KDC will enable renewable tickets for these principals:

 

kadmin.local: modprinc -maxrenewlife 90day krbtgt/MY.REALM
kadmin.local: modprinc -maxrenewlife 90day +allow_renewable hue/my-hostname@MY.REALM

Thanks!

Laith