If you're testing a Kerberos-enabled Hadoop cluster and want to make sure that ticket renewal is working as expected, you will probably want to shorten the ticket lifetime so that you don't have to wait 24 hours for each test.
Assuming an MIT krb5-server (KDC) is the authentication source for the Hadoop cluster, you can run the following commands to inspect and change the maximum ticket lifetime. First, look at the realm's TGT principal:
kadmin.local: getprinc krbtgt/EXAMPLE.COM@EXAMPLE.COM
Principal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Expiration date: [never]
Last password change: [never]
Password expiration date: [none]
Maximum ticket life: 1 days 00:00:00
Maximum renewable life: 365 days 00:00:00
Last modified: Wed Nov 19 00:09:37 UTC 2014 (quick/admin@EXAMPLE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 7
Key: vno 1, aes256-cts-hmac-sha1-96, no salt
Key: vno 1, aes128-cts-hmac-sha1-96, no salt
Key: vno 1, des3-cbc-sha1, no salt
Key: vno 1, arcfour-hmac, no salt
Key: vno 1, des-hmac-sha1, no salt
Key: vno 1, des-cbc-md5, no salt
Key: vno 1, des-cbc-crc, no salt
MKey: vno 1
Attributes:
Policy: [none]
To change the maximum ticket life from 1 day to 30 minutes, issue the following command (use straight quotes; typographic quotes will not parse):
kadmin.local: modprinc -maxlife "30 minutes" krbtgt/EXAMPLE.COM@EXAMPLE.COM
This only affects tickets issued from now on; a ticket already sitting in a credential cache keeps the lifetime it was issued with. Obtain a fresh ticket from the keytab and you should be able to verify that the setting has taken effect:
[root@host ~]# kinit -k -t hdfs.keytab hdfs
[root@host ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hdfs@EXAMPLE.COM

Valid starting     Expires            Service principal
08/22/16 20:24:18  08/22/16 20:54:18  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 08/29/16 20:24:18
The "Expires" time should now be 30 minutes after "Valid starting". The "renew until" line shows the renewable life: a Hadoop daemon (or kinit -R) can renew the ticket before each 30-minute expiry and receive a fresh 30-minute ticket each time, until the 7-day renewable window closes, after which it has to obtain a new ticket from the keytab. An expired ticket cannot be renewed, so a renewer that is not running on time shows up as a failed renewal rather than a longer-lived ticket. Note that the keytab itself is never "renewed"; it holds the long-term key used to request new tickets. Note also that the renewable window here is 7 days, not the 365 days shown on the krbtgt principal, because a lower cap applies from elsewhere (the hdfs principal's maxrenewlife or the KDC's max_renewable_life).
The point that is easy to miss is that these settings cap each other. Every principal has its own maxlife and maxrenewlife, but the lifetime the KDC actually grants is the smallest of: the lifetime the client requested, the client principal's maxlife, the krbtgt principal's maxlife, and max_life in the realm section of kdc.conf (the renewable life works the same way with maxrenewlife and max_renewable_life). Because every TGT in the realm is issued for the krbtgt principal, tightening it, as above, caps every other principal in the realm at once; raising it on its own changes nothing while one of the other caps is lower.
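As an added example (not code from this post, from MIT Kerberos or from Hadoop), the following Python models these caps and checks a klist listing the way a test harness for ticket renewal would: it parses a constructed klist sample shaped like the output above, confirms that the TGT lifetime is 30 minutes and the renewable window 7 days, computes the effective lifetime as the minimum of the caps just described, and decides whether a ticket can still be renewed at a given moment. The function names, the sample text and the cap values passed in are assumptions for illustration.

```python
"""Model MIT Kerberos ticket-lifetime caps and verify a TGT's lifetime
from klist output.  Added example for this post; not code from the post,
MIT Kerberos or Hadoop.  The klist text below is a constructed sample
shaped like the listing in the post."""
import re
from datetime import datetime, timedelta

# Constructed sample: what klist prints after the 30-minute maxlife change.
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hdfs@EXAMPLE.COM

Valid starting     Expires            Service principal
08/22/16 20:24:18  08/22/16 20:54:18  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 08/29/16 20:24:18
"""

TS_FMT = "%m/%d/%y %H:%M:%S"                       # klist's default timestamp format
TS_RE = r"\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}"


def parse_klist(text):
    """Return one dict per ticket: service, start, expires, renew_until (or None).
    A 'renew until' line belongs to the ticket printed just before it."""
    tickets = []
    for line in text.splitlines():
        m = re.match(rf"\s*({TS_RE})\s+({TS_RE})\s+(\S+)", line)
        if m:
            tickets.append({
                "service": m.group(3),
                "start": datetime.strptime(m.group(1), TS_FMT),
                "expires": datetime.strptime(m.group(2), TS_FMT),
                "renew_until": None,
            })
            continue
        m = re.match(rf"\s*renew until ({TS_RE})", line)
        if m and tickets:
            tickets[-1]["renew_until"] = datetime.strptime(m.group(1), TS_FMT)
    return tickets


def tgt_lifetimes(text, realm="EXAMPLE.COM"):
    """(ticket life, renewable life) of the TGT in a klist listing, as timedeltas.
    A TGT without a 'renew until' line is not renewable at all."""
    for t in parse_klist(text):
        if t["service"] == f"krbtgt/{realm}@{realm}":
            life = t["expires"] - t["start"]
            renew = (t["renew_until"] - t["start"]) if t["renew_until"] else timedelta(0)
            return life, renew
    raise ValueError("no TGT for realm %s in cache" % realm)


def effective_max_life(requested, client_maxlife, krbtgt_maxlife, kdc_max_life):
    """What the KDC grants: the smallest of the requested lifetime, the client
    principal's maxlife, the krbtgt principal's maxlife and kdc.conf max_life.
    Lowering any one cap lowers the result; raising one alone does nothing
    while another cap is lower.  The same rule applies to the renewable life
    with maxrenewlife / max_renewable_life."""
    return min(requested, client_maxlife, krbtgt_maxlife, kdc_max_life)


def can_renew(now, expires, renew_until):
    """kinit -R (or a daemon's renewer) succeeds only while the current ticket is
    still valid and the renewable window is still open; once either has passed,
    a new ticket must be obtained from the keytab instead."""
    return now < expires and now < renew_until


def renewals_in_window(life, renewable_life):
    """How many times a ticket of lifetime `life` can be renewed before the
    renewable window closes (each renewal yields a fresh ticket of `life`)."""
    return int(renewable_life / life) - 1 if renewable_life > life else 0


if __name__ == "__main__":
    life, renew = tgt_lifetimes(SAMPLE_KLIST)
    print("TGT life:", life, "renewable for:", renew)
    print("renewals before the window closes:", renewals_in_window(life, renew))
    # Assumed caps: client asks for 10h, hdfs principal allows 1d, krbtgt 30m, KDC 1d.
    print("effective:", effective_max_life(timedelta(hours=10), timedelta(days=1),
                                           timedelta(minutes=30), timedelta(days=1)))
```

Run it against a real cache by replacing SAMPLE_KLIST with the output of `klist`; the check that matters for the test in this post is that `tgt_lifetimes` returns 30 minutes after the `modprinc` change and that `can_renew` flips to False the moment a ticket expires, which is exactly the failure a late renewer would hit.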