Created 12-22-2016 05:16 AM
Kindly help me to understand the logic.
Created 12-22-2016 05:23 AM
Can you please check if your Java program is pointing to the correct krb5.conf? Normally in a Linux environment its value is "/etc/krb5.conf". However, we can locate it as per "Locating the krb5.conf Configuration File": https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html
Usually we set the path for this file using the Java property "-Djava.security.krb5.conf".
- Also we can debug what's going on using the "-Dsun.security.krb5.debug=true" Java option.
Created 12-22-2016 06:57 AM
Hi Jay, after adding these 2 properties, my program is reading from /etc/krb5.conf but it is creating a ticket for 24 hours instead of 30 sec. Following is the debug message:
Found ticket for hbase/ip@domain to go to krbtgt/domain@REALM expiring on Fri Dec 23 12:00:07 IST 2016
Entered Krb5Context.initSecContext with state=STATE_NEW
Found ticket for hbase/ip@REALM to go to krbtgt/domain@REALM expiring on Fri Dec 23 12:00:07 IST 2016
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23 1 3.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbKdcReq send: kdc=kdc.domain UDP:88, timeout=30000, number of retries =3, #bytes=714
>>> KDCCommunication: kdc=kdc.domain UDP:88, timeout=30000,Attempt =1, #bytes=714
>>> KrbKdcReq send: #bytes read=725
>>> KdcAccessibility: remove kdc.domain
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbApReq: APOptions are 00100000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Please let me know where it is reading from to create a ticket for 24 hours.
Created 12-22-2016 07:21 AM
In your "krb5.conf" how have you defined the expiration?
I can see it working like the following in /etc/krb5.conf:
[libdefaults]
 renew_lifetime = 7d
 forwardable = true
 default_realm = EXAMPLE.COM
 ticket_lifetime = 30m
- See here I am setting [ticket_lifetime = 30m] (30 minutes) and I can see the following in /etc/krb5.conf:
[root@kjss1 ~]# kdestroy
[root@kjss1 ~]# kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs-JoyCluster@EXAMPLE.COM
[root@kjss1 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hdfs-JoyCluster@EXAMPLE.COM
Valid starting       Expires              Service principal
12/22/16 07:18:12    12/22/16 07:48:12    krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 12/22/16 07:18:12
Similarly for 30 seconds I did the following [ticket_lifetime = 30s] in /etc/krb5.conf:
[root@kjss1 ~]# kdestroy
[root@kjss1 ~]# kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs-JoyCluster@EXAMPLE.COM
[root@kjss1 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hdfs-JoyCluster@EXAMPLE.COM
Valid starting       Expires              Service principal
12/22/16 07:22:12    12/22/16 07:22:42    krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 12/22/16 07:22:12
- http://web.mit.edu/Kerberos/krb5-1.12/doc/basic/date_format.html#duration
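As an added example (not code from this thread or from the JDK), the following Python reads ticket_lifetime from a krb5.conf using the MIT duration syntax linked above, parses the "Valid starting" / "Expires" columns of klist output, and flags tickets that outlive the configured limit, which is the quickest way to confirm whether a JVM actually honoured the setting. The krb5.conf and klist samples are constructed from the values quoted in this thread; the regular expressions assume klist's mm/dd/yy HH:MM:SS date format shown here.

```python
import re
from datetime import datetime

# Added example (not from the thread): compare klist's real ticket lifetime with krb5.conf ticket_lifetime.
_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
_KLIST_TICKET = re.compile(r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)")
_KLIST_TIME = "%m/%d/%y %H:%M:%S"

def parse_krb5_duration(text):
    """Seconds for an MIT duration: '30s', '30m', '7d', '1h30m', bare '3600', or 'h:m[:s]'."""
    text = text.strip().lower()
    if re.fullmatch(r"\d+", text):
        return int(text)
    if ":" in text:
        h, m, s = (list(map(int, text.split(":"))) + [0, 0])[:3]
        return h * 3600 + m * 60 + s
    total, pos = 0, 0
    for match in re.finditer(r"(\d+)([dhms])", text):
        if match.start() != pos:  # reject junk between components
            raise ValueError(f"bad duration: {text!r}")
        total += int(match.group(1)) * _UNIT_SECONDS[match.group(2)]
        pos = match.end()
    if pos == 0 or pos != len(text):
        raise ValueError(f"bad duration: {text!r}")
    return total
def configured_ticket_lifetime(conf_text):
    """ticket_lifetime from [libdefaults]; MIT's default is 1 day when it is unset."""
    section = None
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and line.startswith("ticket_lifetime"):
            return parse_krb5_duration(line.split("=", 1)[1])
    return 86400
def actual_ticket_lifetimes(klist_text):
    """Map service principal -> real lifetime in seconds, read from klist output."""
    return {principal: int((datetime.strptime(end, _KLIST_TIME)
                            - datetime.strptime(start, _KLIST_TIME)).total_seconds())
            for start, end, principal in _KLIST_TICKET.findall(klist_text)}
def oversized_tickets(conf_text, klist_text):
    """Tickets outliving ticket_lifetime: the thread's symptom (24h TGT, 30s configured)."""
    limit = configured_ticket_lifetime(conf_text)
    return {p: life for p, life in actual_ticket_lifetimes(klist_text).items() if life > limit}

# Constructed sample input, mirroring the values quoted in the thread.
KRB5_CONF = "[libdefaults]\n renew_lifetime = 7d\n forwardable = true\n default_realm = EXAMPLE.COM\n ticket_lifetime = 30s\n"
KLIST_OK = "Valid starting     Expires            Service principal\n12/22/16 07:18:12  12/22/16 07:48:12  krbtgt/EXAMPLE.COM@EXAMPLE.COM\n"
KLIST_BAD = "Valid starting     Expires            Service principal\n12/22/16 12:00:07  12/23/16 12:00:07  krbtgt/EXAMPLE.COM@EXAMPLE.COM\n"
```

Feed it the real /etc/krb5.conf text and the output of klist run as the service user; an entry in the returned dict means the client library produced a ticket longer than the configured limit, regardless of what the KDC allows.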
Created 01-15-2018 09:07 AM
Hi, this is a Java bug, and it is fixed in Java 9.
see:
https://stackoverflow.com/questions/38555244/how-do-you-set-the-kerberos-ticket-lifetime-from-java
https://bugs.java.com/bugdatabase/view_bug.do?bug_id=8044500