Hi, As far as I remember, that error may be linked to the duration of ticket renewability. Just check that "renew_lifetime" is the same for every configuration linked to Kerberos (krb5.conf & krb5kdc.conf for example). I think if they don't match, the system assume there is a mistake somewhere and therefore tickets should not be renewable for a wrong period. Hope this helps, and good luck to you with Kerberos.
Regards, Loïc Loïc CHANEL System Big Data engineer Vision 360 Degrés (Lyon, France) 2018-05-06 3:46 GMT+02:00 Lian Jiang <jiangok2...@gmail.com>: > https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_ > files/krb5_conf.html#libdefaults does not show "renewable" action. Is > this setting deprecated? My krb5.conf already has renew_lifetime = 7d but > the tickets are still not renewable: > > [hdfs@test-namenode ~]$ klist -f > Ticket cache: KEYRING:persistent:1012:1012 > Default principal: hdfs-spark_cluster@test_kdc.com > > Valid starting Expires Service principal > 05/05/2018 16:36:45 05/06/2018 16:36:45 HTTP/test-namenode.subnet1. > hadoop.oraclevcn.com@test_kdc.com > Flags: FT > 05/05/2018 16:36:45 05/06/2018 16:36:45 krbtgt/test_kdc.com@test_kdc.com > Flags: FI > > Any idea? Thanks. > > On Fri, May 4, 2018 at 10:58 PM, Lian Jiang <jiangok2...@gmail.com> wrote: > >> Hi, >> >> I got GSSException when using hdfs command in my kerberonized HDP2.6 >> cluster. >> >> java.io.IOException: Failed on local exception: java.io.IOException: >> javax.security.sasl.SaslException: GSS initiate failed [Caused by >> GSSException: No valid credentials provided (Mechanism level: Failed to >> find any Kerberos tgt)]; Host Details : local host is: " >> test-namenode.subnet1.hadoop.oraclevcn.com/10.0.1.68"; destination host >> is: "test-namenode.subnet1.hadoop.oraclevcn.com":8020; >> >> According to https://www.cloudera.com/documentation/enterprise/5-8-x/ >> topics/cm_sg_sec_troubleshooting.html, it is because the initial tickets >> generated by kerberos >= 1.8.1 do not work for Oracle JDK 6 Update 26 and >> earlier. >> >> Is this still an issue for java1.8 used in my cluster? Do I still need >> "renewable = true" in my krb5.conf to generate renewable initial tickets >> and then manually renew them to work with java 1.8? >> >> Thanks for any hint. >> > >