https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html#libdefaults
does not show "renewable" action. Is this setting deprecated? My krb5.conf
already has renew_lifetime = 7d but the tickets are still not renewable:

[hdfs@test-namenode ~]$ klist -f
Ticket cache: KEYRING:persistent:1012:1012
Default principal: hdfs-spark_cluster@test_kdc.com

Valid starting       Expires              Service principal
05/05/2018 16:36:45  05/06/2018 16:36:45  HTTP/test-namenode.subnet1.hadoop.oraclevcn.com@test_kdc.com
        Flags: FT
05/05/2018 16:36:45  05/06/2018 16:36:45  krbtgt/test_kdc.com@test_kdc.com
        Flags: FI

Any idea? Thanks.
On Fri, May 4, 2018 at 10:58 PM, Lian Jiang <[email protected]> wrote:
> Hi,
>
> I got a GSSException when using the hdfs command in my Kerberized HDP2.6
> cluster.
>
> java.io.IOException: Failed on local exception: java.io.IOException:
> javax.security.sasl.SaslException: GSS initiate failed [Caused by
> GSSException: No valid credentials provided (Mechanism level: Failed to
> find any Kerberos tgt)]; Host Details : local host is: "
> test-namenode.subnet1.hadoop.oraclevcn.com/10.0.1.68"; destination host
> is: "test-namenode.subnet1.hadoop.oraclevcn.com":8020;
>
> According to
> https://www.cloudera.com/documentation/enterprise/5-8-x/topics/cm_sg_sec_troubleshooting.html,
> it is because the initial tickets generated by Kerberos >= 1.8.1 do not work
> for Oracle JDK 6 Update 26 and earlier.
>
> Is this still an issue for Java 1.8 used in my cluster? Do I still need
> "renewable = true" in my krb5.conf to generate renewable initial tickets
> and then manually renew them to work with Java 1.8?
>
> Thanks for any hint.
>
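
A check for the flags in the klist -f output above, as an added example that is not part of the original message: it decodes the flag letters documented for MIT krb5 klist and lists the tickets that lack R (renewable). SAMPLE is the message's output reflowed, CONSTRUCTED_RENEWABLE is a constructed entry, and the MM/DD/YYYY date layout and all function names are assumptions.

```python
import re

# Flag letters as documented for MIT krb5 `klist -f`.
FLAG_NAMES = {
    "F": "forwardable", "f": "forwarded", "P": "proxiable", "p": "proxy",
    "D": "postdateable", "d": "postdated", "R": "renewable", "I": "initial",
    "i": "invalid", "H": "hardware-authenticated", "A": "preauthenticated",
    "T": "transit-policy-checked", "O": "ok-as-delegate", "a": "anonymous",
}
# Assumed row layout: "<start stamp>  <expiry stamp>  <service principal>".
STAMP = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
TICKET_RE = re.compile(r"^(%s)\s+(%s)\s+(\S+)$" % (STAMP, STAMP))
# Renewable tickets print "renew until <stamp>, Flags: ..." on the flags line.
FLAGS_RE = re.compile(r"^\s*(?:renew until .*?,\s*)?Flags:\s*(\S*)\s*$")

def parse_klist(text):
    """Return one dict per ticket row, with the flags from the line after it."""
    tickets = []
    for line in text.splitlines():
        row = TICKET_RE.match(line.strip())
        if row:
            tickets.append({"start": row.group(1), "expires": row.group(2),
                            "service": row.group(3), "flags": ""})
            continue
        flags = FLAGS_RE.match(line)
        if flags and tickets:
            tickets[-1]["flags"] = flags.group(1)
    return tickets

def non_renewable(tickets):
    """Service principals whose ticket does not carry the R flag."""
    return [t["service"] for t in tickets if "R" not in t["flags"]]

def describe(flags):
    return [FLAG_NAMES.get(c, "unknown(%s)" % c) for c in flags]

# The klist output from the message, reflowed to klist's usual layout.
SAMPLE = """\
Ticket cache: KEYRING:persistent:1012:1012
Default principal: hdfs-spark_cluster@test_kdc.com
Valid starting       Expires              Service principal
05/05/2018 16:36:45  05/06/2018 16:36:45  HTTP/test-namenode.subnet1.hadoop.oraclevcn.com@test_kdc.com
\tFlags: FT
05/05/2018 16:36:45  05/06/2018 16:36:45  krbtgt/test_kdc.com@test_kdc.com
\tFlags: FI
"""
# Constructed entry (not from the message) showing a renewable ticket.
CONSTRUCTED_RENEWABLE = """\
05/05/2018 16:36:45  05/06/2018 16:36:45  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
\trenew until 05/12/2018 16:36:45, Flags: FRI
"""
if __name__ == "__main__":
    for t in parse_klist(SAMPLE):
        print(t["service"], describe(t["flags"]))
```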