HUE+kerberos启动报错Couldn‘t renew kerberos ticket

环境信息

组件	版本
操作系统	centos6.9
CDH	5.13
kerberos	是

问题现象

HUE+kerberos启动报错Couldn't renew kerberos ticket解决方案，kt_renewer ERROR Couldn‘t renew kerberos ticket in order to work around Kerberos 1.8.1 issu

错误日志

日志如下：

Couldn't renew kerberos ticket in order to work around Kerberos 1.8.1 issue. Please check that the ticket for 'hue/dx-dev-test1027@RONG360.COM' is still renewable:
  $ klist -f -c /var/run/hue/hue_krb5_ccache
If the 'renew until' date is the same as the 'valid starting' date, the ticket cannot be renewed. Please check your KDC configuration, and the ticket renewal policy (maxrenewlife) for the 'hue/dx-dev-test1027@RONG360.COM' and `krbtgt' principals.
[24/Mar/2021 16:01:08 ] settings     INFO     Welcome to Hue 3.9.0

错误原因

错误原因：Kerberos Ticket过期

解决方案

1.修改/etc/krb5.conf

修改内容如下：

凭证生效时间
ticket_lifetime = 24d
凭证最大可以延期时间
renew_lifetime = 7d

2. 修改/var/kerberos/krb5kdc/kdc.conf

[realms]
 RONG360.COM = {
  #master_key_type = aes256-cts
  max_renewable_life = 7d 0h 0m 0s
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}

3. 检查krbtgt用户的Maximum renewable life

kadmin.local -q 'getprinc krbtgt/RONG360.COM@RONG360.COM'

如下：

4. 重启kerberos

重启krb5kdc 和 kadmin服务

service krb5kdc start 或 systemctl start  krb5kdc
service kadmin start 或 systemctl start  kadmin

5.修改krbtgt的maxrenewlife

kadmin.local -q 'modprinc -maxrenewlife "7d" krbtgt/RONG360.COM'

6. 修改hue凭据的maxrenewlife

这里需要看自己的hue的用户主体是什么，换成自己的

 kadmin.local -q 'modprinc -maxrenewlife 7day +allow_renewable hue/dx-dev-test1027@RONG360.COM'

7. 删除cache

rm -rfv /var/run/hue/hue_krb5_ccache

8. 重启服务

重新启动Kerberos Ticket Renewer服务。

启动成功！

参考资料：http://t.zoukankan.com/wuning-p-11908861.html
参考资料：https://blog.csdn.net/vah101/article/details/79111585