Please check your KDC configuration, and the ticket renewal policy (maxrenewlife) for the 'hue/hadoop-pg-1.cluster' and `krbtgt' principals.""

The logs of the KDC show:""
Feb 24 hadoop-pg-1 krb5kdc(info): AS_REQ (4 etypes ) 10.147.210.1: NEEDED_PREAUTH: hue/[email protected] for krbtgt/[email protected], Additional pre-authentication required
Feb 24 hadoop-pg-1 krb5kdc(info): AS_REQ (4 etypes ) 10.147.210.1: ISSUE: authtime 1393252893, etypes , hue/[email protected] for krbtgt/[email protected]
24 hadoop-pg-1 krb5kdc(info): TGS_REQ (4 etypes ) 10.147.210.1: TICKET NOT RENEWABLE: authtime 0, hue/[email protected] for krbtgt/[email protected], KDC can't fulfill requested option
Feb 24 hadoop-pg-1 krb5kdc(info): TGS_REQ (4 etypes ) 10.147.210.1: TICKET NOT RENEWABLE: authtime 0, hue/[email protected] for krbtgt/[email protected], KDC can't fulfill requested option""

The KDC config looks like:""
[kdcdefaults]
kdc_ports = 750,88
[realms]
HADOOP-PG = ""

Additionally I set the following:""
kadmin.local: modprinc -maxlife "1 day" -maxrenewlife "90 day" allow_renewable hue/[email protected]""

Any hints on where to investigate to resolve this issue?
In fact there are more like 10 different ways to do it all using a mix and match of different technologies. PBIS, while having a free version, was still proprietary.

My Setup:

Windows Domain Controller (2012R2) w/ DNS:
Domain: loc.
Computer Name: DC01
IP Address: 192.168.200.100 (static)
DNS Server: 192.168.200.100
Domain Admin Account Name: Administrator
Second Domain Admin Account: jdoe
Security Group: linuxadmins – jdoe belongs to this group
Domain User Account: nbeam
Security Group: linuxusers – nbeam belongs to this account

As a side note about the internal domain name I am using…

Today we will be using a suite of tools called SSSD. Furthermore we will be using Realm D, which is a “wrapper” of sorts for SSSD that makes it easier to set up and configure.

Read this: How To Choose A Sensible Local Domain Name – There are really good reasons not to use a “fake” TLD or to use what are honestly often traditional Microsoft conventions like .local – I ran into a world of headache with Ubuntu using a .local TLD when I tried to do this the first time through!

The service "Kerberos Ticket Renewer" doesn't start; the latest log entries are:""
[24/Feb/2014 0000] settings INFO Welcome to Hue 2.5.0
[24/Feb/2014 0000] kt_renewer INFO Reinitting kerberos from keytab: /usr/bin/kinit -k -t /var/run/cloudera-scm-agent/process/1715-hue-KT_RENEWER/hue.keytab -c /tmp/hue_krb5_ccache hue/hadoop-pg-1.cluster
[24/Feb/2014 0000] kt_renewer INFO Renewing kerberos ticket to work around kerberos 1.8.1: /usr/bin/kinit -R -c /tmp/hue_krb5_ccache
[24/Feb/2014 0000] kt_renewer ERROR Couldn't renew kerberos ticket in order to work around Kerberos 1.8.1 issue.
Please check that the ticket for 'hue/hadoop-pg-1.cluster' is still renewable:
$ kinit -f -c /tmp/hue_krb5_ccache
If the 'renew until' date is the same as the 'valid starting' date, the ticket cannot be renewed.

Solution: You must type the principal and policy names in the Name field to work on them, or you need to log in with a principal that has the appropriate privileges.
Kerberos Troubleshooting Tips
LDAP Troubleshooting Tips

This section will help you troubleshoot Kerberos authentication problems in a heterogeneous UNIX and Microsoft® Windows® operating system environment.

RU
forwardable = yes
ticket_lifetime = 7d
renew_lifetime = 7d
no-addresses = false
renewable = true
[domain_realm]
.= SIBPTUS.

This chapter provides resolutions for error messages that you might receive when you use the Kerberos service.

If your company has already standardized on .local I will be writing something separate about how to handle it because Ubuntu Desktop has some issues with it and for good reason…

An Ubuntu Desktop running 14.04 with Unity:
Computer Name: nix01
IP Address: 192.168.200.101 (static/manual)
DNS Server: 192.168.200.100
Search Domains: loc.
Local Account Name: tester
Tester is also in the “Sudo” Group

The Goal
Be able to login with jdoe and/or Administrator domain accounts on Ubuntu and have sudo rights.

This chapter also provides some troubleshooting tips for various problems.