Support Questions

Find answers, ask questions, and share your expertise

WARN security.UserGroupInformation: Exception encountered while running the renewal command. Aborting renew thread ExitCodeException exitCode=1: kinit: Ticket expired while renewing credentials

avatar
Rising Star

Hi Folks ,

Appreciate your help here!!

I have a secured cluster with Kerberos where I am using root user and performing TGT with hive keytab and hive principal .

even I am having the proper TGT session when I am doing hadoop fs -ls / , I am getting the WARN

WARN security.UserGroupInformation: Exception encountered while running the renewal command. Aborting renew thread. ExitCodeException exitCode=1: kinit: Ticket expired while renewing credentials

and resulting hadoop files .

I want to know why the warning is coming even TGT session exist.

Thanks,

JAvvaji

4 REPLIES 4

avatar

How are you obtaining the ticket? 'kinit -R'? If you run the 'klist' command does the ticket have same values for its "valid starting" and "renew until" times? If so, the ticket is non-renewable. The warning might be indicating that.

Note that whether or not you can obtain renewable tickets depends on a KDC-wide setting, as well as a per-principal setting for both the principal in question and the Ticket Granting Ticket (TGT) service principal for the realm.

For example, for a MIT KDC, there is krb5.conf setting:

https://docs.hortonworks.com/HDPDocuments/Ambari-2.1.2.1/bk_Ambari_Security_Guide/content/_optional_...

avatar
Rising Star

Thanks Ameet for the info !!

To obtain ticket i will go with kinit -kt <keytab> <principal> . What is this "Kinit -R "

Yes , Klist for me giving both same values for "valid starting" and "renew until" times . so the ticket is non -renewable and to get rid of the above warn , what configuraion should I add to Krb5.conf . please let me know this

renew_lifetime = 7d

forwardable = true

ticket_lifetime = 24h

above are mine configuration krb5.conf and i don't see the setting "renewable = true" .

so based on my conf , ticket session last for 24hrs and what exactly that renew_lifetime = 7 days ??

I simply do kinit once 24 hrs completes for a ticket .

avatar

@hari Kishore javvaji,

The kinit command can renew and/or obtain the Kerberos ticket. I believe the warning is telling the ticket is expired and can't be renewed even if you wanted to. Try a

kdestroy

to prior to

kinit -kt <keytab> <prin.>

see if the warning goes away.

Regarding your question about ticket lifetime vs ticket renewable, here's how I'd summarize it:

The ticket cannot be used at the end of the ticket lifetime. If the renewable lifetime is longer than ticket lifetime (like yours), the user holding the ticket, can renew the ticket before the ticket lifetime or renewal time expires. If renewed, the fresh ticket will have a new lifetime dating to the current time but renewals are constrained by renew lifetime.

avatar
Rising Star

@Ameet :

I am not seeing the warning when I do kinit -kt <keytab> <princ> which means when I renew the ticket lifetime for next 24 Hrs .

But within the ticket lifetime I am seeing the WARN and hadoop Dirs when I try to access hadoop fs -ls / So I don't understand why this WARN coming .

My tickets are non renewable , and I am not doing Kinit -R but when I try to access hadoop fs -ls / I am seeing WARN .

Anything related to Delegation token refresh ??