Thanks Bobby for your time. We cannot disable kerberos authentication, will have re-look the krb5.conf of both KDC & client machines, to check if anything suspicious.
Will get back if any queries, thanks Regards, Prakash R On Sat, Jan 13, 2018 at 2:15 AM, Bobby Evans <bo...@apache.org> wrote: > If you don't need kerberos authentication in your worker you can just > remove AutoTGT from the topology.auto-credentials list. It is the one that > is blowing up with issues. > > If you do need TGT creds there is no way to configure that check off. > This is because without the renewal it is likely that you will need to push > a new TGT to your topology every few hours instead of once a day, but all > fo that depends on how you have configured your krb5.conf both locally on > your box and also on the kdc. > > How to fix the issue is hard to tell, because the kerberos configuration > is not always simple. One issue that we have run into similar to this was > that we had been using 'yes' in our krb5.conf in some places instead of > 'true'. Apparently the mit command line tools and libraries accept both, > but java parses yes as a boolean and turns it into a false. You might want > to check there. > > Beyond that I really don't know what it could be. > > Thanks, > > Bobby > > > On Thu, Jan 11, 2018 at 4:47 PM prakash r <rprakashd...@gmail.com> wrote: > >> Thanks Ethan >> >> Yes i have verified the ticket used one is correct. >> >> If you can recollect the fix, please share us. >> >> Regards, >> Prakash R >> >> On Fri, Jan 12, 2018 at 9:42 AM, Ethan Li <ethanopensou...@gmail.com> >> wrote: >> >>> Hi Prakash, >>> >>> It might sound silly but did you check if the ticket you think you are >>> using is the one that’s actually being used. I fixed the “The TGT found is >>> not renewable” problem in my use case before but sorry I couldn’t remember >>> the details. >>> >>> Best, >>> Ethan >>> >>> On Jan 11, 2018, at 3:10 PM, prakash r <rprakashd...@gmail.com> wrote: >>> >>> Hello All, >>> >>> Any suggestion on this ? >>> >>> *Is there anyway we can avoid this TGT Renewal check or how to resolve.* >>> >>> Regards, >>> Prakash R >>> >>> On Tue, Jan 9, 2018 at 3:31 PM, prakash r <rprakashd...@gmail.com> >>> wrote: >>> >>>> Hello, >>>> >>>> We are facing issue with starting a topology when Storm is kerberosed. >>>> >>>> 1189 [main] INFO o.a.s.s.a.AuthUtils - Got AutoCreds >>>> [org.apache.storm.security.auth.kerberos.AutoTGT@129b4fe2] >>>> >>>> 1189 [main] INFO o.a.s.StormSubmitter - Running >>>> org.apache.storm.security.auth.kerberos.AutoTGT@129b4fe2 >>>> Exception in thread "main" java.lang.RuntimeException: >>>> java.lang.RuntimeException: The TGT found is not renewable >>>> at >>>> org.apache.storm.security.auth.kerberos.AutoTGT.populateCredentials(AutoTGT.java:103) >>>> at >>>> org.apache.storm.StormSubmitter.populateCredentials(StormSubmitter.java:94) >>>> at >>>> org.apache.storm.StormSubmitter.submitTopologyAs(StormSubmitter.java:214) >>>> at >>>> org.apache.storm.StormSubmitter.submitTopology(StormSubmitter.java:310) >>>> at >>>> org.apache.storm.StormSubmitter.submitTopology(StormSubmitter.java:157) >>>> at storm.starter.WordCountTopology.main(WordCountTopology.java:77) >>>> Caused by: java.lang.RuntimeException: The TGT found is not renewable >>>> at >>>> org.apache.storm.security.auth.kerberos.AutoTGT.populateCredentials(AutoTGT.java:94) >>>> >>>> ... 5 more >>>> >>>> When we check the Keberos Principal which as R Flag as well. >>>> >>>> We tried even regenerating the keytabs, this problem is not resolved. >>>> >>>> When we submit from new keytab principal, this is working fine. >>>> >>>> *Can you please suggest, is there anyway we can avoid this TGT Renewal >>>> check or how to resolve.* >>>> >>>> *OS version :* >>>> Red Hat Enterprise Linux Server release 7.4 (Maipo) >>>> >>>> >>>> *Problematic principal details :* >>>> [storm@cbro-test-stm1 ~]$ klist -f >>>> Ticket cache: FILE:/tmp/krb5cc_1021 >>>> Default principal: storm-xxxx_mas...@xxxxxx.com >>>> >>>> Valid starting Expires Service principal >>>> 01/06/2018 22:30:40 01/07/2018 08:30:40 krbtgt/xxxxxx....@xxxxxx.com >>>> renew until 01/12/2018 13:54:47, Flags: FRIAT >>>> >>>> >>>> >>>> *Working principal details :* >>>> [metron@cbro-test-edg4 ~]$ klist -f >>>> Ticket cache: FILE:/tmp/krb5cc_1024 >>>> Default principal: met...@xxxxxx.com >>>> >>>> Valid starting Expires Service principal >>>> 01/09/2018 15:28:47 01/10/2018 01:28:47 krbtgt/xxxxxx....@xxxxxx.com >>>> renew until 01/16/2018 15:28:47, Flags: FRIA >>>> >>>> >>>> Regards, >>>> Prakash R >>>> >>> >>> >>> >>
