Kerberos Series – Part II (Renewable Tickets)

The following instructions will help in configuring the Kerberos tickets as renewable.

On KDC server node modify /etc/krb5.conf file add the property max_renewable_life as shown following

admin_server =
kdc =
max_renewable_life = 7d

Restart KDC server daemon

service krb5kdc restart

On Kerberos client nodes, modify the /etc/krb5.conf file modify the default value for renew_lifetime. If the property is missing add it.

renew_lifetime = 7d
forwardable = true
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false

Login to kadmin or kadmin.local and modify the max renew life property for the required principals and krbtgt service principal

kadmin -p root/admin

kadmin: modprinc -maxrenewlife “20days” krbtgt/DOMAIN.COM
Principal “krbtgt/DOMAIN.COM@DOMAIN.COM” modified.
kadmin: modprinc -maxrenewlife “20days” hdfs/DOMAIN.COM

Congratulations you have successfully made your Kerberos tickets renewable

How to renew the tickets.

Tickets are allowed to be renewed within their renewable lifetime using the following command

kinit -R hdfs/DOMAIN.COM

Notice we are not passing any keytab nor we enter any passwords while renewing the tickets ,this is the advantage with renewable tickets .

Additional Information

Renewing tickets does not extend renewable lifetime of tickets but only the ticket lifetime

If you want to set the renewable lifetime of ticket different from default renewable life time set in /etc/krb5.conf , pass the parameter -r to kinit command

kinit -r “5d” -kt /etc/security/keytabs/hdfs.service.keytab hdfs@DOMAIN.COM

This sets the renew lifetime to 5 days instead of configured default 7 .

Please note : once the tickets are made renewable , renew life time cannot be set less than ticket expiration life time. By default renew life time will be set same as ticket expiration time.
For example,
In following kinit I have specified renew life time to be 1 day and ticket life time to be 2 days , kerberos ignores my renew time and instead sets it to same as expiration time.

kinit -l”2d” -r”1d” -kt /etc/security/keytabs/hdfs.service.keytab hdfs/DOMAIN.COM
Ticket cache: FILE:/tmp/krb5cc_2824
Default principal: hdfs/DOMAIN.COM

Valid starting Expires Service principal
05/22/16 20:36:19 05/24/16 20:36:19 krbtgt/DOMAIN.COM@DOMAIN.COM
renew until 05/24/16 20:36:19


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s