1. Forum
  2. Usenet
  3. COMP.PROTOCOLS.KERBEROS

  • renew ticket failed

    From Dong Ye@21:1/5 to All on Wed Nov 8 13:13:08 2023
    Hi, All:


    we encountered an issue where we can't renew the ticket before the
    ticket expires. Seems the ticket is renewable but its renew_till time is
    before its end_time. How is it possible? How to fix that. The relevant logs
    are :


    WARN | 27 Sep 2023 12:59:52,009 |
    org.apache.hadoop.security.UserGroupInformation | Exception encountered
    while running the renewal command for hive/ip-10-54-57-56.us-west-2.compute.internal@us-west-2.compute.internal. (TGT end time:1695825352000, renewalFailures: org.apache.hadoop.metrics2.lib.MutableGaugeInt@298f6c8,renewalFailuresTotal: org.apache.hadoop.metrics2.lib.MutableGaugeLong@1093bbfd) org.apache.hadoop.util.Shell$ExitCodeException: kinit: Ticket expired
    while renewing credentials

    at org.apache.hadoop.util.Shell.runCommand(Shell.java:998) ~[hadoop-common-2.10.1-amzn-4.jar:?]
    at org.apache.hadoop.util.Shell.run(Shell.java:884) ~[hadoop-common-2.10.1-amzn-4.jar:?]
    at org.apache.hadoop.util.Shell$ShellCommandExecutor.execute(Shell.java:1216) ~[hadoop-common-2.10.1-amzn-4.jar:?]
    at org.apache.hadoop.util.Shell.execCommand(Shell.java:1310) ~[hadoop-common-2.10.1-amzn-4.jar:?]
    at org.apache.hadoop.util.Shell.execCommand(Shell.java:1292) ~[hadoop-common-2.10.1-amzn-4.jar:?]
    at org.apache.hadoop.security.UserGroupInformation$1.run(UserGroupInformation.java:1003)
    [hadoop-common-2.10.1-amzn-4.jar:?]
    at java.lang.Thread.run(Thread.java:750) [?:1.8.0_382]


    Note the TGT end time 1695825352000 is 27 September 2023 14:35:52 which is
    in the future of the logging time 27 Sep 2023 12:59:52,009.

    Thanks.

    Have a nice day.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Greg Hudson@21:1/5 to Dong Ye on Thu Nov 9 18:52:33 2023
    To: kerberos@mit.edu

    On 11/8/23 16:13, Dong Ye wrote:
    we encountered an issue where we can't renew the ticket before the ticket expires. Seems the ticket is renewable but its renew_till time is before its end_time. How is it possible?

    It's possible if the ticket was requested that way ("kinit -l 2h -r 1h"
    for instance). For a period of time (1.12 through 1.15) the MIT krb5
    KDC issued non-renewable tickets for such requests, but that was found
    to be disruptive to scripts, so it once again issues renewable tickets
    whose end times can't be extended.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)