环境信息
| 组件 | 版本 |
|---|---|
| 操作系统 | centos6.9 |
| CDH | 5.13 |
| kerberos | 是 |
问题现象
HUE+kerberos启动报错Couldn't renew kerberos ticket解决方案,kt_renewer ERROR Couldn‘t renew kerberos ticket in order to work around Kerberos 1.8.1 issu
错误日志
日志如下:
Couldn't renew kerberos ticket in order to work around Kerberos 1.8.1 issue. Please check that the ticket for 'hue/dx-dev-test1027@RONG360.COM' is still renewable:
$ klist -f -c /var/run/hue/hue_krb5_ccache
If the 'renew until' date is the same as the 'valid starting' date, the ticket cannot be renewed. Please check your KDC configuration, and the ticket renewal policy (maxrenewlife) for the 'hue/dx-dev-test1027@RONG360.COM' and `krbtgt' principals.
[24/Mar/2021 16:01:08 ] settings INFO Welcome to Hue 3.9.0
错误原因
错误原因:Kerberos Ticket过期
解决方案
1.修改/etc/krb5.conf
修改内容如下:
凭证生效时间
ticket_lifetime = 24d
凭证最大可以延期时间
renew_lifetime = 7d
2. 修改/var/kerberos/krb5kdc/kdc.conf
[realms]
RONG360.COM = {
#master_key_type = aes256-cts
max_renewable_life = 7d 0h 0m 0s
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
3. 检查krbtgt用户的Maximum renewable life
kadmin.local -q 'getprinc krbtgt/RONG360.COM@RONG360.COM'
如下:
4. 重启kerberos
重启krb5kdc 和 kadmin服务
service krb5kdc start 或 systemctl start krb5kdc
service kadmin start 或 systemctl start kadmin
5.修改krbtgt的maxrenewlife
kadmin.local -q 'modprinc -maxrenewlife "7d" krbtgt/RONG360.COM'
6. 修改hue凭据的maxrenewlife
这里需要看自己的hue的用户主体是什么,换成自己的
kadmin.local -q 'modprinc -maxrenewlife 7day +allow_renewable hue/dx-dev-test1027@RONG360.COM'
7. 删除cache
rm -rfv /var/run/hue/hue_krb5_ccache
8. 重启服务
重新启动Kerberos Ticket Renewer服务。
启动成功!
参考资料:http://t.zoukankan.com/wuning-p-11908861.html
参考资料:https://blog.csdn.net/vah101/article/details/79111585