Talk about Kerberos kinit command and ccache mechanism

1. Introduction

Hello everyone, I recently encountered a Kerberos-related problem: running the kinit -R command on a client node reports the error "KDC can't fulfill requested option while renewing credentials". This time I would like to share the solution and the related knowledge behind it, which mainly involves the Kerberos kinit command and the ccache mechanism.

2. Problem symptoms and problem logs

  • Symptom: when the client runs the kinit -R command, the error "KDC can't fulfill requested option while renewing credentials" is displayed;
  • Problem log: the KDC server log /var/log/krb5kdc.log shows that the request corresponding to the above error is a TGS_REQ, with the details liming@TEST.COM for krbtgt/TEST.COM@TEST.COM. The error reason is ticket not renewable, that is, the ticket cannot be renewed.

3. Cause of the problem

So what can cause "ticket not renewable"? The main reasons are as follows:

  • The realms section for this realm in the server configuration file /var/kerberos/krb5kdc/kdc.conf or /etc/krb5.conf does not allow ticket renewal (the max_renewable_life parameter);
  • When the krbtgt principal was created on the server, the maxrenewlife parameter was not set, that is, no maximum renewable life was specified for its tickets;
  • When the user's principal was created on the server, the maxrenewlife parameter was not set either, that is, no maximum renewable life was specified for the ticket (such as liming@TEST.COM in the error log);
  • Since the client last logged in successfully, the renewable life of the service principal krbtgt has run out, because the maxrenewlife configured on the server has been exceeded (such as krbtgt/TEST.COM@TEST.COM in the error log);
  • Since the client last logged in successfully, the user principal's ticket has expired, because the ticket_lifetime configured on the server has been exceeded; this parameter is generally set to 24 hours (such as liming@TEST.COM in the error log).

4. Problem Solution and Operation Steps

From the above analysis we know that, to solve the problem, we need to set the server configuration parameter max_renewable_life, set maxrenewlife on the two principals on the server, and make sure the krbtgt ticket has not expired when the client runs kinit -R, so that the renewal succeeds.

  • On the server side, change or confirm the configuration file /var/kerberos/krb5kdc/kdc.conf or /etc/krb5.conf. In the corresponding realms section, the parameter that allows renewal, max_renewable_life, must be configured;
  • On the server, update or confirm the maxrenewlife parameter of the two principals above. Sample commands are as follows (the modprinc commands are kadmin commands, run here through kadmin.local -q; the getprinc commands confirm the result):

kadmin.local -q 'modprinc -maxrenewlife "1 week" +allow_renewable liming@TEST.COM'
kadmin.local -q 'modprinc -maxrenewlife "1 week" +allow_renewable krbtgt/TEST.COM@TEST.COM'
kadmin.local -q "getprinc krbtgt/TEST.COM@TEST.COM" | grep -i life
kadmin.local -q "getprinc liming@TEST.COM" | grep -i life

  • After modifying or confirming the above configuration, you need to log in again with kinit to obtain a new ticket, so that subsequent kinit -R commands succeed;
  • You can also see that before the principals' maxrenewlife is changed, klist shows no "renew until ..." line, while after the change klist does show "renew until ...", which means kinit -R can renew the ticket until that date.

5. Background knowledge: kinit command and ccache mechanism

  • After the user logs in to Kerberos with kinit on the client, the ticket-granting ticket (TGT) obtained is cached in the client's ccache (credential cache) file;
  • The ccache location is set by the default_ccache_name parameter in the configuration file /etc/krb5.conf. On Linux it is generally FILE:/tmp/krb5cc_%{uid}, so the actual file is, for example, /tmp/krb5cc_0;
  • The "kinit -R" command renews the ticket-granting ticket, i.e. the TGT;
  • The "kinit -R" command can only renew the ticket before it expires and before the krbtgt renewable life ("renew until") runs out;
  • After "kinit -R" renews the ticket successfully, the ccache (credential cache) file is updated. You can confirm this on Linux by checking the ctime of the file with ls -al;
  • A kinit login is an AS_REQ, which asks the Authentication Server (AS) in the KDC to verify the user's identity. The result is a krbtgt ticket, which appears in the Kerberos log as liming@TEST.COM for krbtgt/TEST.COM@TEST.COM;
  • After kinit authentication, using a Kerberos-protected service, e.g. logging in to HiveServer2 with beeline -u "jdbc:hive2://uf30-2:10000/default;principal=hive/_HOST@TEST.COM", issues a TGS_REQ underneath, which appears in the Kerberos log as liming@TEST.COM for hive/cdp2@TEST.COM;
  • kinit -R renews the TGT; this is also a TGS_REQ, answered by the Ticket Granting Server (TGS) in the KDC. Its effect is to renew the krbtgt ticket and update the ccache file such as /tmp/krb5cc_0, and it appears in the Kerberos log as liming@TEST.COM for krbtgt/TEST.COM@TEST.COM.

[root@uf30-1 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@CDH.COM

Valid starting       Expires              Service principal
11/13/2020 13:08:27  11/14/2020 13:08:27  krbtgt/CDH.COM@CDH.COM
	renew until 11/20/2020 13:08:27
[root@uf30-1 ~]# kinit -R
[root@uf30-1 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@CDH.COM

Valid starting       Expires              Service principal
11/13/2020 19:38:15  11/14/2020 19:38:15  krbtgt/CDH.COM@CDH.COM
	renew until 11/20/2020 13:08:27
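The renewal rules from sections 3 and 5, as an added example that is not part of the original post: a small Python script of my own that parses klist-style output (the sample text is constructed to match the listing above), decides whether kinit -R would still succeed at a given time, and models a successful renewal, showing why "renew until" stays fixed while "Valid starting" and "Expires" move. The effective_renewable_life function reflects the MIT KDC rule that the renewable life granted is the smallest of the realm's max_renewable_life, the maxrenewlife of the krbtgt and user principals, and the renew lifetime the client requests (kinit -r or renew_lifetime in krb5.conf); that client-side limit is not mentioned in the post and is included here as a caveat. Function names and the status strings are my own.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: a TGT issued renewable (klist shows a "renew until" line).
KLIST_RENEWABLE = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@CDH.COM

Valid starting       Expires              Service principal
11/13/2020 13:08:27  11/14/2020 13:08:27  krbtgt/CDH.COM@CDH.COM
\trenew until 11/20/2020 13:08:27
"""

# Constructed sample: a TGT issued without the renewable flag (no "renew until").
KLIST_NOT_RENEWABLE = """\
Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: liming@TEST.COM

Valid starting       Expires              Service principal
11/13/2020 13:08:27  11/14/2020 13:08:27  krbtgt/TEST.COM@TEST.COM
"""

TIME_FMT = "%m/%d/%Y %H:%M:%S"
_TS = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
_TICKET_RE = re.compile(rf"^({_TS})\s+({_TS})\s+(\S+)\s*$")
_RENEW_RE = re.compile(rf"^\s*renew until ({_TS})")


def parse_klist(text):
    """Return ticket dicts; a "renew until" line belongs to the ticket above it."""
    tickets = []
    for line in text.splitlines():
        m = _TICKET_RE.match(line)
        if m:
            tickets.append({
                "starting": datetime.strptime(m.group(1), TIME_FMT),
                "expires": datetime.strptime(m.group(2), TIME_FMT),
                "service": m.group(3),
                "renew_until": None,  # stays None when the ticket is not renewable
            })
            continue
        m = _RENEW_RE.match(line)
        if m and tickets:
            tickets[-1]["renew_until"] = datetime.strptime(m.group(1), TIME_FMT)
    return tickets


def find_tgt(tickets):
    """The TGT is the entry whose service principal is krbtgt/REALM@REALM."""
    return next((t for t in tickets if t["service"].startswith("krbtgt/")), None)


def renew_status(tgt, now):
    """Classify what kinit -R would do at time `now` for this TGT."""
    if tgt["renew_until"] is None:
        return "NOT_RENEWABLE"          # KDC answers: ticket not renewable
    if now >= tgt["renew_until"]:
        return "RENEW_LIFE_EXHAUSTED"   # past "renew until": log in again with kinit
    if now >= tgt["expires"]:
        return "TICKET_EXPIRED"         # past Expires: log in again with kinit
    return "RENEWABLE"


def renew(tgt, now, ticket_lifetime=timedelta(hours=24)):
    """Model a successful kinit -R: new start and expiry, renew_until unchanged,
    and the new expiry never extends past renew_until."""
    if renew_status(tgt, now) != "RENEWABLE":
        raise ValueError("KDC can't fulfill requested option while renewing credentials")
    return {
        "starting": now,
        "expires": min(now + ticket_lifetime, tgt["renew_until"]),
        "service": tgt["service"],
        "renew_until": tgt["renew_until"],
    }


def effective_renewable_life(realm_max, krbtgt_max, user_max, requested):
    """Seconds of renewable life the KDC grants: the smallest of the realm's
    max_renewable_life (kdc.conf), the krbtgt principal's maxrenewlife, the user
    principal's maxrenewlife and the renew lifetime the client asked for
    (kinit -r / renew_lifetime). Zero anywhere means no renewable flag at all."""
    return min(realm_max, krbtgt_max, user_max, requested)


def status_at(klist_text, when):
    """Convenience wrapper taking a klist-style timestamp string."""
    return renew_status(find_tgt(parse_klist(klist_text)), datetime.strptime(when, TIME_FMT))


def renewed_expiry(klist_text, when, hours=24):
    """Expiry (klist format) of the TGT after kinit -R at `when`."""
    tgt = find_tgt(parse_klist(klist_text))
    new = renew(tgt, datetime.strptime(when, TIME_FMT), timedelta(hours=hours))
    return new["expires"].strftime(TIME_FMT)


if __name__ == "__main__":
    when = "11/13/2020 19:38:15"
    print(status_at(KLIST_RENEWABLE, when), renewed_expiry(KLIST_RENEWABLE, when))
    print(status_at(KLIST_NOT_RENEWABLE, when))
    print(effective_renewable_life(7 * 86400, 7 * 86400, 0, 7 * 86400))
```

Run against the constructed renewable sample at 11/13/2020 19:38:15, the script reports RENEWABLE and a new expiry of 11/14/2020 19:38:15 with "renew until" unchanged, which is exactly the second klist listing above. The not-renewable sample reproduces the situation before maxrenewlife was set: no "renew until" line, so kinit -R is refused. Once the Expires time has passed, the classification is TICKET_EXPIRED regardless of the renewable life, so a renewal must be run within each ticket's lifetime to carry it through to the "renew until" date.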