Followup on Cloudera HUE’s Kerberos kt_renewer

Just a short followup about the HUE kt_renewer issue I discovered. It turns out that the issue was me and not HUE.

The fix turned out to be pretty simple once I saw the clue in a related issue. It seems like Cloudera Manager had the same issue.

The problem ended up being a missing “renew_lifetime” setting in the [libdefaults] section of my krb5.conf files.

Without renew_lifetime set:

   $ kinit
   Password for me@EXAMPLE.NET:
   $ klist
   Ticket cache: FILE:/tmp/krb5cc_2108
   Default principal: me@EXAMPLE.NET

   Valid starting     Expires            Service principal
   04/17/14 14:50:58  04/20/14 14:50:58  krbtgt/EXAMPLE.NET@EXAMPLE.NET
   $ kdestroy

With renew_lifetime set:

   $ kinit
   Password for me@EXAMPLE.NET:
   $ klist
   Ticket cache: FILE:/tmp/krb5cc_2108
   Default principal: me@EXAMPLE.NET

   Valid starting     Expires            Service principal
   04/17/14 14:51:19  04/20/14 14:51:19  krbtgt/EXAMPLE.NET@EXAMPLE.NET
      renew until 04/24/14 14:51:19

I think what happened was that I was expecting max_renewable_lifetime to do the renewal auto-request. I had tried just renewal, but that seems like it’s not valid for Linux MIT Kerberos (although it appears fine for Solaris).

Ultimately, my [libdefaults] now looks like this:

   [libdefaults]
       ticket_lifetime = 3d
       max_renewable_life = 7d
       renew_lifetime = 7d

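
A check for the condition described above, as an added example that is not part of the original post: it confirms that `renew_lifetime` is present in `[libdefaults]` and that the TGT in `klist` output carries a `renew until` line. The function names are made up for this example.

```sh
#!/bin/sh
# Added example (not from the original post): audit krb5.conf and klist output.

# Print KEY's value from the [libdefaults] section of FILE; status 1 if absent.
libdefaults_get() {   # $1 = krb5.conf path, $2 = key
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }                                   # comment lines
        /^[ \t]*\[/   { in_sec = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_sec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; found = 1; exit
            }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Read klist output on stdin; status 0 only if the krbtgt entry is
# immediately followed by a "renew until" line.
tgt_renewable() {
    awk '
        /krbtgt\//            { tgt = 1; next }
        tgt && /renew until/  { ok = 1; exit }
                              { tgt = 0 }
        END { exit ok ? 0 : 1 }
    '
}

# Combine both checks. $1 = krb5.conf path, klist output on stdin.
check_renewable() {
    if ! val=$(libdefaults_get "$1" renew_lifetime); then
        echo "MISSING: renew_lifetime not set in [libdefaults] of $1"
        return 2
    fi
    if ! tgt_renewable; then
        # The client asked for a renewable ticket but the KDC did not grant one.
        echo "NOT RENEWABLE: renew_lifetime=$val but the TGT has no 'renew until'"
        return 1
    fi
    echo "OK: renew_lifetime=$val and the TGT is renewable"
}

# Typical use on a live host:  klist | check_renewable /etc/krb5.conf
```

A misspelled key such as `renewal_lifetime` is reported as MISSING, because the lookup matches the key name exactly.
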
Travis Campbell