Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

renewable ticket is set to false in tomcat

Highlighted

renewable ticket is set to false in tomcat

New Contributor

hi, i have deployed my application in tomcat and used a userPrincipal named newprinc. I set lifeTime for this user 15 minutes and renewal life 30 minutes in kdc using following command

modprinc -maxlife 15minutes -maxrenewlife 30minutes +allow_renewable newprinc@REALM

but my ticket is not renewing and in tomcat logs, debug logs is showing following:

Client Principal = newprinc@REALM Server Principal = hbase/hdp006.domain@REALM Session Key = EncryptionKey: keyType=18 keyBytes (hex dump)= 0000: 95 D4 01 47 C5 21 E0 94 A7 A8 61 8F DC AC 6E 36 ...G.!....a...n6 0010: 9A 1B F9 2B D8 F3 0D AC 77 E4 9D 6D 92 89 04 07 ...+....w..m.... Forwardable Ticket true Forwarded Ticket false Proxiable Ticket false Proxy Ticket false Postdated Ticket false Renewable Ticket false Initial Ticket false Auth Time = Mon Jan 09 20:18:31 IST 2017 Start Time = Mon Jan 09 20:29:39 IST 2017 End Time = Mon Jan 09 20:33:31 IST 2017 Renew Till = null Client Addresses Null >>> KrbApReq: APOptions are 00100000 00000000 00000000 00000000 >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType Krb5Context setting mySeqNumber to: 36204827 Created InitSecContextToken:

Please let me know why Renewable Ticket is set to false

1 REPLY 1

Re: renewable ticket is set to false in tomcat

Guru

Hello @priyanshu bindal,

The renewable flag and renewable time is the function of :

1. User principal's renewable flag

2. krbtgt (or service) principal's renewable flag

3. KDC's global renewable setting in kdc.conf file

From the output above, you have given renewable permission to 'newprinc'. But the output describes a service ticket (TGS) not initial ticket (TGT).

Can you please run the following and paste the output here:

1. kdestroy

2. kinit newprinc

3. klist -eaf

Above should tell more clearly about state of your newprinc.

Hope this helps !