Closed ChristopheLRTE closed 2 years ago
Hello, sorry to get back to you. Just to know if someone would have a solution, please?
Thank you all for your help !
Hi, PR https://github.com/TOSIT-IO/tdp-collection-prerequisites/pull/10 added LDAP and Kerberos deployment; ansible-ldap-kerberos will be removed (see TOSIT-IO/tdp-collection-extras#53) and I didn't change the actual behaviour, i.e. the renew_lifetime = 7d is still present.
I'm transferring this issue to the https://github.com/TOSIT-IO/tdp-collection-prerequisites repository and we will investigate.
Are you encountering this issue while using tdp-getting-started with the vagrant environment, or using your own environment? If the latter is the case, could you provide your java vendor / version?
Example:
java -version
openjdk version "1.8.0_342"
OpenJDK Runtime Environment (build 1.8.0_342-b07)
OpenJDK 64-Bit Server VM (build 25.342-b07, mixed mode)
I have been able to reproduce the issue.
The root cause is how rangeradmin asks for tickets, combined with a misconfiguration on the kdc: by default, the max renewable time is set to 0, and we don't configure it on the realm.
From here, you have 2 options to fix this situation:
Configure your kdc.conf as follows:
[realms]
{{ realm }} = {
    kdc = {{ kerberos_server }}
    admin_server = {{ kerberos_server }}
    default_domain = {{ domain }}
    default_principal_flags = +renewable
+   max_renewable_life = 7d # or any duration
    database_module = openldap_ldapconf
}
And then redeploy everything.
kadmin
You still need to configure the kdc if you want any newly created principal to be renewable.
Then, you need to modify your existing principals to set their max renewable time:
kadmin -p <admin_principal> -w <admin_password> -q "modprinc -maxrenewlife 7day krbtgt/BDP01.APPLISPFREF.SIPFREF.LOCAL"
kadmin -p <admin_principal> -w <admin_password> -q "modprinc -maxrenewlife 7day rangeradmin/master-03.applispfref.sipfref.local@BDP01.APPLISPFREF.SIPFREF.LOCAL"
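As an added example (not code from the issue or from the TDP collections), the POSIX shell script below generalizes the kadmin fix above to every principal in the realm: it parses `kadmin getprinc` output, flags principals whose "Maximum renewable life" is still 0 or that carry the DISALLOW_RENEWABLE attribute, applies `modprinc`, and then checks with `kinit -r` / `klist` that a renewable ticket is really issued. The KADMIN_PRINC, KADMIN_PW, MAXRENEWLIFE, VERIFY_KEYTAB and VERIFY_PRINC variables and the embedded getprinc excerpts are assumptions / constructed input, not taken from the reporter's KDC.

```shell
#!/bin/sh
# Added example, not part of the issue or of the TDP collections.
# Audits every principal of an MIT Kerberos realm for a zero "Maximum renewable
# life" (the misconfiguration diagnosed above) and fixes it with kadmin.
# Assumed environment (hypothetical): KADMIN_PRINC / KADMIN_PW are an admin
# principal and its password, MAXRENEWLIFE the wanted value (default 7d).
MAXRENEWLIFE="${MAXRENEWLIFE:-7d}"

# Print the "Maximum renewable life" field of one `kadmin getprinc` dump.
renew_life_of() {
    printf '%s\n' "$1" | sed -n 's/^Maximum renewable life:[[:space:]]*//p'
}

# Print the Attributes line (e.g. "DISALLOW_RENEWABLE") of a getprinc dump.
attributes_of() {
    printf '%s\n' "$1" | sed -n 's/^Attributes:[[:space:]]*//p'
}

# True when the KDC would refuse a renewable ticket for this principal:
# renewable life of zero, or the DISALLOW_RENEWABLE attribute set.
needs_fix() {
    dump="$1"
    if [ "$(renew_life_of "$dump")" = "0 days 00:00:00" ]; then
        return 0
    fi
    case " $(attributes_of "$dump") " in
        *" DISALLOW_RENEWABLE "*) return 0 ;;
    esac
    return 1
}

# kadmin query that fixes one principal: set the max renewable life and clear
# the disallow flag (kadmin's +allow_renewable).
fix_query() {
    printf 'modprinc -maxrenewlife %s +allow_renewable %s' "$2" "$1"
}

# Run one kadmin query non-interactively. kadmin prints "Authenticating as
# principal ..." on stderr, so only stdout carries the query result.
kadm() {
    kadmin -p "$KADMIN_PRINC" -w "$KADMIN_PW" -q "$1" 2>/dev/null
}

# Walk the realm. krbtgt/REALM gets fixed as well, because the effective
# renewable lifetime is capped by the ticket-granting service principal too.
audit_realm() {
    kadm listprincs | while IFS= read -r princ; do
        [ -n "$princ" ] || continue
        dump=$(kadm "getprinc $princ")
        if needs_fix "$dump"; then
            echo "FIX  $princ (renewable life: $(renew_life_of "$dump"))"
            kadm "$(fix_query "$princ" "$MAXRENEWLIFE")" >/dev/null
        else
            echo "OK   $princ"
        fi
    done
}

# Verify end to end: request a renewable ticket and check that klist shows a
# "renew until" line (assumes VERIFY_KEYTAB and VERIFY_PRINC are set).
verify_renewable() {
    kinit -r "$MAXRENEWLIFE" -kt "$VERIFY_KEYTAB" "$VERIFY_PRINC" || return 1
    klist | grep -q 'renew until'
}

# Constructed getprinc excerpts (not real output from any KDC) so the parsing
# logic can be exercised without a KDC.
SAMPLE_BROKEN='Principal: rangeradmin/master-03.example.test@EXAMPLE.TEST
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Attributes:'
SAMPLE_FIXED='Principal: rangeradmin/master-03.example.test@EXAMPLE.TEST
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Attributes:'
SAMPLE_FLAGGED='Principal: svc@EXAMPLE.TEST
Maximum renewable life: 7 days 00:00:00
Attributes: DISALLOW_RENEWABLE REQUIRES_PRE_AUTH'

# Live run only when explicitly requested and kadmin is available:
#   RUN_LIVE=1 KADMIN_PRINC=admin/admin KADMIN_PW=... sh audit.sh
if [ "${RUN_LIVE:-0}" = 1 ] && command -v kadmin >/dev/null 2>&1; then
    audit_realm
    verify_renewable && echo "renewable ticket obtained"
fi
```

Two practical notes: passing the admin password with `-w`, as the commands above do, exposes it in the process list, so on a shared KDC host prefer a keytab (`kadmin -k -t /path/to/admin.keytab -p admin/admin`) or let kadmin prompt. And the renewable lifetime a client actually gets is the minimum of kdc.conf's max_renewable_life, the client principal's own value and the krbtgt principal's value, which is why both krbtgt and rangeradmin are modified above; already-issued tickets are unaffected, so the service still has to be restarted to pick up a renewable one.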
Thank you very much @gboutry. We will try it 👍
Cheers
This issue was closed automatically by merging #12; re-opening and waiting on @ChristopheLRTE's feedback.
Considering this issue as solved since there is no feedback.
Hello all!
We encountered an issue with the renew_lifetime = 7d setting in krb5.conf (see conf. files below). Indeed, when we first add this setting in krb5.conf (without updating kdc.conf), the ranger service doesn't start (please see the catalina.out logs below too). We hoped that adding the setting default_principal_flags = +renewable in kdc.conf would make things work well, but we finally observed the same behaviour. So as a workaround, we commented out the renew_lifetime = 7d setting in krb5.conf and the ranger service started (after a manual restart ranger service command)! Would you know why this behaviour occurs and how to configure a renewable kerberos token, please?
krb5.conf.j2
kdc.conf.j2
catalina.out logs