Kerberos Series – Part II (Renewable Tickets)

The following steps configure Kerberos tickets to be renewable. A renewable ticket can be extended with kinit -R, without a password or keytab, any time before it expires and until the end of its renewable lifetime.

On the KDC server node, add the max_renewable_life property to the realm's entry in /etc/krb5.conf as shown below. This is the longest renewable lifetime the KDC will ever grant for the realm. (Most distributions keep these realm limits in the KDC's own kdc.conf instead; the KDC reads both files, so either location works.)

[realms]
DOMAIN.COM = {
admin_server = kdcserver.domain.com
kdc = kdcserver.domain.com
max_renewable_life = 7d
}

Restart the KDC daemon (or use the equivalent systemctl command on systemd hosts):

service krb5kdc restart

On each Kerberos client node, set renew_lifetime in the [libdefaults] section of /etc/krb5.conf, adding the property if it is missing. This is the renewable lifetime kinit requests when no -r option is given.

[libdefaults]
renew_lifetime = 7d
forwardable = true
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false

Log in to kadmin (or kadmin.local on the KDC) and raise the maximum renewable life of the krbtgt principal and of every principal that should receive renewable tickets. The KDC grants the smallest of the realm's max_renewable_life, the krbtgt principal's limit, the principal's own limit and what the client requests, so with the realm set to 7d above the 20days below is capped at 7 days.

kadmin -p root/admin

kadmin: modprinc -maxrenewlife "20days" krbtgt/DOMAIN.COM
Principal "krbtgt/DOMAIN.COM@DOMAIN.COM" modified.
kadmin: modprinc -maxrenewlife "20days" hdfs/DOMAIN.COM

Congratulations, your Kerberos tickets are now renewable. To verify, check the Maximum renewable life reported by getprinc in kadmin, and after a fresh kinit run klist: a renewable ticket shows a "renew until" line.

How to renew the tickets.

A ticket can be renewed at any point before it expires, and until the end of its renewable lifetime, with the following command:

kinit -R hdfs/DOMAIN.COM

Notice that no keytab is passed and no password is entered: renewal is a TGS request made with the TGT already in the credential cache, which is the advantage of renewable tickets. It is also the caveat: anyone who can read the cache file (for example /tmp/krb5cc_2824) can renew the ticket just as easily, so the cache's permissions matter as much as the keytab's.

Additional Information

Renewing a ticket issues a fresh ticket with a new lifetime but carries the renew-until time over unchanged; it never extends the renewable lifetime. Renewal must also happen before the current ticket expires (an expired ticket cannot be renewed, and kinit reports "Ticket expired while renewing credentials"). Once the renew-until time is reached, a new kinit with a password or keytab is required.
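The rules above, worked through as an added example that is not part of the original post. The code models the MIT KDC's handling of kinit -R (a renewed ticket gets the old ticket's lifetime, capped at the original renew-until time, and renewal is refused once the ticket or its renewable lifetime has run out); the klist text, the 1-day/7-day timestamps and the 12-hour renewal interval are constructed for illustration:

```python
# Added example, not from the original post: a model of how an MIT KDC
# handles "kinit -R". The klist text and timestamps below are constructed.
import re
from datetime import datetime, timedelta

# Constructed klist output in the layout the post shows: a 1-day ticket
# that is renewable for 7 days.
KLIST_SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_2824
Default principal: hdfs/DOMAIN.COM@DOMAIN.COM

Valid starting       Expires              Service principal
05/22/16 20:36:19    05/23/16 20:36:19    krbtgt/DOMAIN.COM@DOMAIN.COM
	renew until 05/29/16 20:36:19
"""

TS_FMT = "%m/%d/%y %H:%M:%S"
TS_RE = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"


def parse_tgt(klist_text):
    """Return (starttime, endtime, renew_till) of the krbtgt entry in klist
    output. renew_till is None when the ticket is not renewable, i.e. no
    'renew until' line follows it."""
    m = re.search(rf"({TS_RE})\s+({TS_RE})\s+krbtgt/\S+", klist_text)
    if m is None:
        raise ValueError("no krbtgt ticket in klist output")
    start = datetime.strptime(m.group(1), TS_FMT)
    end = datetime.strptime(m.group(2), TS_FMT)
    r = re.match(rf"\s*renew until ({TS_RE})", klist_text[m.end():])
    renew_till = datetime.strptime(r.group(1), TS_FMT) if r else None
    return start, end, renew_till


def renew(start, end, renew_till, now):
    """Apply the KDC's renewal rules at time `now` and return the new
    (starttime, endtime, renew_till). Raises ValueError where the KDC would
    refuse (kinit then prints e.g. 'Ticket expired while renewing credentials')."""
    if renew_till is None:
        raise ValueError("ticket is not renewable")
    if now > end:
        raise ValueError("ticket already expired: kinit with a keytab or password")
    if now > renew_till:
        raise ValueError("renewable lifetime exhausted: kinit with a keytab or password")
    # The renewed ticket lives as long as the old one did, but the
    # renew-until time is carried over unchanged and caps the new expiry.
    new_end = min(now + (end - start), renew_till)
    return now, new_end, renew_till


def can_renew(start, end, renew_till, now):
    """True when the KDC would accept a kinit -R at time `now`."""
    try:
        renew(start, end, renew_till, now)
        return True
    except ValueError:
        return False


def renewal_schedule(start, end, renew_till, interval):
    """Renew every `interval` (as a cron job or long-running service would)
    and collect each new expiry until the KDC refuses."""
    ends, now = [], start
    while True:
        now += interval
        try:
            start, end, renew_till = renew(start, end, renew_till, now)
        except ValueError:
            return ends
        ends.append(end)


if __name__ == "__main__":
    s, e, rt = parse_tgt(KLIST_SAMPLE)
    for n, expiry in enumerate(renewal_schedule(s, e, rt, timedelta(hours=12)), 1):
        print(f"renewal {n:2d}: valid until {expiry:{TS_FMT}}")
    print("after that kinit -R fails; renew until was", rt.strftime(TS_FMT))
```

Running it shows the expiry creeping forward by 12 hours per renewal until it pins at the renew-until time; no renewal ever moves that line, which is why a renewal cron job still needs a keytab-based kinit before day 7.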

To request a renewable lifetime different from the renew_lifetime default in /etc/krb5.conf, pass -r to kinit:

kinit -r "5d" -kt /etc/security/keytabs/hdfs.service.keytab hdfs@DOMAIN.COM

This requests a renewable lifetime of 5 days instead of the configured default of 7; the KDC still caps it at the realm and principal limits set above.

Please note: a renewable lifetime cannot be shorter than the ticket lifetime. If you request one, the client raises it to the ticket lifetime before sending the request, so the ticket ends up with a renew-until time equal to its expiry time (and renewing it then gains nothing).
For example, in the following kinit I request a renewable lifetime of 1 day and a ticket lifetime of 2 days; the requested renewable lifetime is ignored and klist shows "renew until" equal to the expiry time.

kinit -l 2d -r 1d -kt /etc/security/keytabs/hdfs.service.keytab hdfs/DOMAIN.COM
Ticket cache: FILE:/tmp/krb5cc_2824
Default principal: hdfs/DOMAIN.COM

Valid starting       Expires              Service principal
05/22/16 20:36:19    05/24/16 20:36:19    krbtgt/DOMAIN.COM@DOMAIN.COM
	renew until 05/24/16 20:36:19

Kerberos Series – Part I (Ticket Lifetime)

Kerberos is an integral part of the security infrastructure of a big data cluster. Setting up and configuring Kerberos for a cluster can be overwhelming for beginners, so this series tries to simplify the administration tasks involved.

Kerberos infrastructure consists of client and server components. The server side has two daemons: the KDC (krb5kdc), which authenticates principals and issues tickets, and the admin server (kadmind), which is used to administer the KDC's principal database.

Modify the default lifetime (24 hrs) of Kerberos tickets

If for some reason you want to modify the default lifetime of Kerberos tickets, the following steps will help. Bear in mind that a ticket is a bearer credential: however long it lives is how long a stolen copy of it stays useful, so keep max_life as short as the workload allows and prefer renewable tickets (Part II) over very long-lived ones.

1. On the KDC server node, edit /etc/krb5.conf and add the max_life property to each realm whose ticket lifetime you want to change. (Most distributions keep these realm limits in the KDC's own kdc.conf; the KDC reads both files, so either location works.)

[realms]
DOMAIN.COM = {
admin_server = kdcserver.domain.com
kdc = kdcserver.domain.com
max_life = 180d
}
2. Restart the KDC daemon (or use the equivalent systemctl command on systemd hosts):
service krb5kdc restart
3. On the Kerberos client machines, set the default ticket lifetime by adding ticket_lifetime to the [libdefaults] section of /etc/krb5.conf:
[libdefaults]
renew_lifetime = 7d
forwardable = true
default_realm = DOMAIN.COM
ticket_lifetime = 20d
dns_lookup_realm = false
dns_lookup_kdc = false
default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5

This step is optional: without it the default lifetime is 24 hours, and a longer lifetime has to be requested with kinit -l. Note that the default_tgs_enctypes line above lists single DES and RC4, which are broken or deprecated encryption types; leave that line out so the library defaults apply unless a legacy service still requires them.

4. Log in to kadmin (or kadmin.local on the KDC) and raise the maximum life of the krbtgt principal and of each principal concerned. The KDC grants the smallest of the realm's max_life, the krbtgt principal's limit, the principal's own limit and what the client requests, so the 20days below, not the 180d set on the realm, is what these principals' tickets will get.

kadmin -p root/admin

kadmin: modprinc -maxlife "20days" krbtgt/DOMAIN.COM
Principal "krbtgt/DOMAIN.COM@DOMAIN.COM" modified.

kadmin: modprinc -maxlife "20days" hdfs/DOMAIN.COM

Congratulations, you have successfully extended the lifetime of your Kerberos principals' tickets. Verify with klist after a fresh kinit: the Expires column should reflect the new lifetime.

Additional information: if you prefer not to set a default lifetime on the client machines, skip step 3 and pass the lifetime to kinit instead, as shown below:

kinit -l "10d" -kt /etc/security/keytabs/hdfs.keytabs hdfs/DOMAIN.COM
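Both parts of this series set the same limit in several places (the realm entry, the krbtgt principal, the principal itself, the client's libdefaults and the kinit request), and Part II's note that a renewable lifetime is raised to the ticket lifetime adds one more rule. The following added example, which is not part of the original posts, applies all of them to the values used in the posts. The "smallest of every limit" rule is MIT Kerberos's behaviour; the duration parser handles only the common forms of the krb5 syntax, and the dictionary keys are this example's own names for the getprinc and [realms] fields:

```python
# Added example, not from the original posts: compute the ticket and
# renewable lifetimes the KDC actually grants once every limit is applied.
import re
from datetime import timedelta

# Units of the krb5 duration syntax handled here ("m" means minutes).
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_lifetime(text):
    """Parse a lifetime as written in krb5.conf, kinit -l/-r and kadmin
    -maxlife/-maxrenewlife: '7d', '20days', '36h', '1d 12h', '1h30m' or a
    bare number of seconds. This is the common subset of the
    krb5_string_to_deltat syntax, not all of it."""
    text = text.strip().strip('"')
    if text.isdigit():
        return timedelta(seconds=int(text))
    if not re.fullmatch(r"(\s*\d+\s*[A-Za-z]+\s*)+", text):
        raise ValueError(f"unsupported lifetime syntax: {text!r}")
    seconds = 0
    for number, unit in re.findall(r"(\d+)\s*([A-Za-z]+)", text):
        key = unit[0].lower()  # seconds / minutes / hours / days
        if key not in UNITS:
            raise ValueError(f"unknown unit {unit!r} in {text!r}")
        seconds += int(number) * UNITS[key]
    return timedelta(seconds=seconds)


def effective_lifetimes(request_life, request_renew, realm, krbtgt, principal):
    """Return (ticket_lifetime, renewable_lifetime) as timedeltas.

    request_life / request_renew: what kinit asks for (-l / -r, or the
        client's libdefaults ticket_lifetime / renew_lifetime); a falsy
        request_renew means a non-renewable ticket is requested.
    realm:     {'max_life', 'max_renewable_life'} from the KDC's [realms]
    krbtgt, principal: {'maxlife', 'maxrenewlife'} as shown by kadmin getprinc
    The KDC grants the smallest of the request and every limit."""
    life = min(parse_lifetime(request_life),
               parse_lifetime(realm["max_life"]),
               parse_lifetime(krbtgt["maxlife"]),
               parse_lifetime(principal["maxlife"]))
    if not request_renew:
        return life, None
    # The client library never asks for a renewable lifetime shorter than
    # the requested ticket lifetime: 'kinit -l 2d -r 1d' is sent as -r 2d.
    wanted = max(parse_lifetime(request_renew), parse_lifetime(request_life))
    renew = min(wanted,
                parse_lifetime(realm["max_renewable_life"]),
                parse_lifetime(krbtgt["maxrenewlife"]),
                parse_lifetime(principal["maxrenewlife"]))
    return life, renew


def usefully_renewable(life, renew):
    """kinit -R can only extend a ticket up to its renew-until time, so a
    renewable lifetime that does not exceed the ticket lifetime gains nothing."""
    return renew is not None and renew > life


# Settings from the posts: realm max_life from Part I, the rest from Part II.
REALM = {"max_life": "180d", "max_renewable_life": "7d"}
KRBTGT = {"maxlife": "20days", "maxrenewlife": "20days"}
HDFS = {"maxlife": "20days", "maxrenewlife": "20days"}

if __name__ == "__main__":
    cases = [("Part II: kinit -l 2d -r 1d", "2d", "1d"),
             ("libdefaults ticket_lifetime=20d renew_lifetime=7d", "20d", "7d"),
             ("kinit -l 1d -r 7d", "1d", "7d")]
    for label, l, r in cases:
        life, renew = effective_lifetimes(l, r, REALM, KRBTGT, HDFS)
        print(f"{label}: lifetime {life}, renewable {renew}, "
              f"usefully renewable: {usefully_renewable(life, renew)}")
```

Two results are worth noticing. The 20days set on the principals in Part II is capped to 7 days by the realm's max_renewable_life, so the realm entry, not modprinc, is the value to change if you need more. And combining Part I's ticket_lifetime = 20d with Part II's renew_lifetime = 7d produces a 20-day ticket whose renew-until time falls on day 7: a long-lived bearer credential that is not usefully renewable, which is the opposite of the short-ticket, long-renewal arrangement renewable tickets are meant to give.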