If you use Kerberos with Hadoop to enable HDFS security, you should be familiar with the concept of a user being given a 'ticket' that has an expiration date.
The default configuration for Kerberos sets a 'Maximum Renewal Time' of 00:00:00. This is the amount of time that is 'added' to the time that the ticket was issued. So if your ticket was issued on Jan 27 2014 15:25:38, you have until (Jan 27 2014 15:25:38 + Renewal Time) to renew it; after that, the ticket can no longer be renewed. This default setting makes it impossible to renew any tickets granted; instead, they need to be destroyed with kdestroy and re-issued.
In order to fix this, you need to log into the Kerberos principal database using kadmin or kadmin.local on the KDC. Use the following command for a principal named 'hdfs@EXAMPLE.COM':
    modprinc -maxrenewlife 1week hdfs@EXAMPLE.COM
You will then be able to look at the principal's information:
    kadmin.local: getprinc hdfs@EXAMPLE.COM
    Principal: hdfs@EXAMPLE.COM
    Expiration date: [never]
    Last password change: Sat Jan 25 21:33:34 EST 2014
    Password expiration date: [none]
    Maximum ticket life: 1 day 00:00:00
    Maximum renewable life: 7 days 00:00:00
    Last modified: Tue Jan 28 11:19:59 EST 2014 (root/admin@EXAMPLE.COM)
    Last successful authentication: [never]
    Last failed authentication: [never]
    Failed password attempts: 0
    Number of keys: 4
    Key: vno 1, aes256-cts-hmac-sha1-96, no salt
    Key: vno 1, aes128-cts-hmac-sha1-96, no salt
    Key: vno 1, des3-cbc-sha1, no salt
    Key: vno 1, arcfour-hmac, no salt
    MKey: vno 1
You will still need to use 'kdestroy' and 'kinit' to get a new ticket, since the old one cannot be renewed. However, your new ticket will be renewable for a week. It should also be noted that when adding a new principal to the database, the default renewal time will be obtained from the ticket granting server's principal (krbtgt/EXAMPLE.COM@EXAMPLE.COM). If you want all users added in the future to have a week-long renewal period, you will need to modify that principal as well.
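To check the result of these changes, the following added example (not part of the original post) parses getprinc output for both the user principal and the krbtgt principal and reports whether tickets will actually be renewable. The function names are hypothetical, the krbtgt samples are constructed, and it assumes the KDC caps renewal at the smaller of the two principals' "Maximum renewable life" values.

```sh
#!/bin/sh
# Added example: audit "Maximum renewable life" from getprinc output.

# Read getprinc output on stdin and print the maximum renewable life in
# seconds. Returns 1 if the field is missing.
renew_life_seconds() {
    awk -F': ' '
        /^Maximum renewable life:/ {
            n = split($2, f, " ")      # "7 days 00:00:00" or "00:00:00"
            split(f[n], t, ":")
            days = (n == 3) ? f[1] : 0
            print days * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
            found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Assumption: the KDC caps renewal at the smaller of the client's and the
# krbtgt principal's values. $1 = client getprinc text, $2 = krbtgt text.
audit_principal() {
    client=$(printf '%s\n' "$1" | renew_life_seconds) || { echo UNKNOWN; return 2; }
    tgt=$(printf '%s\n' "$2" | renew_life_seconds) || { echo UNKNOWN; return 2; }
    secs=$client
    if [ "$tgt" -lt "$secs" ]; then secs=$tgt; fi
    if [ "$secs" -eq 0 ]; then echo NOT-RENEWABLE; return 1; fi
    echo "RENEWABLE $secs"
}

# Fields taken from the getprinc output on the page (abbreviated).
HDFS_PRINC='Principal: hdfs@EXAMPLE.COM
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00'

# Constructed samples: krbtgt still at the zero default, then after modprinc.
KRBTGT_DEFAULT='Principal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00'
KRBTGT_FIXED='Principal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00'

audit_principal "$HDFS_PRINC" "$KRBTGT_DEFAULT" || true   # still blocked by krbtgt
audit_principal "$HDFS_PRINC" "$KRBTGT_FIXED"             # both principals fixed
```

On the KDC, the input text would come from running getprinc in kadmin.local for each principal instead of the embedded samples.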