If you don't need kerberos authentication in your worker you can just remove AutoTGT from the topology.auto-credentials list.  It is the one that is blowing up with issues.

If you do need TGT creds there is no way to configure that check off.  This is because without the renewal it is likely that you will need to push a new TGT to your topology every few hours instead of once a day, but all fo that depends on how you have configured your krb5.conf both locally on your box and also on the kdc.

How to fix the issue is hard to tell, because the kerberos configuration is not always simple.  One issue that we have run into similar to this was that we had been using 'yes' in our krb5.conf in some places instead of 'true'.  Apparently the mit command line tools and libraries accept both, but java parses yes as a boolean and turns it into a false.  You might want to check there.

Beyond that I really don't know what it could be.



On Thu, Jan 11, 2018 at 4:47 PM prakash r <rprakashdoss@gmail.com> wrote:
Thanks Ethan

Yes i have verified the ticket used one is correct.

If you can recollect the fix, please share us.

Prakash R

On Fri, Jan 12, 2018 at 9:42 AM, Ethan Li <ethanopensource@gmail.com> wrote:
Hi Prakash,

It might sound silly but did you check if the ticket you think you are using is the one that’s actually being used. I fixed the “The TGT found is not renewable” problem in my use case before but sorry I couldn’t remember the details.


On Jan 11, 2018, at 3:10 PM, prakash r <rprakashdoss@gmail.com> wrote:

Hello All,

Any suggestion on this ?

Is there anyway we can avoid this TGT Renewal check or how to resolve.

Prakash R

On Tue, Jan 9, 2018 at 3:31 PM, prakash r <rprakashdoss@gmail.com> wrote:

We are facing issue with starting a topology when Storm is kerberosed.

1189 [main] INFO o.a.s.s.a.AuthUtils - Got AutoCreds [org.apache.storm.security.auth.kerberos.AutoTGT@129b4fe2]
1189 [main] INFO  o.a.s.StormSubmitter - Running org.apache.storm.security.auth.kerberos.AutoTGT@129b4fe2
Exception in thread "main" java.lang.RuntimeException: java.lang.RuntimeException: The TGT found is not renewable
	at org.apache.storm.security.auth.kerberos.AutoTGT.populateCredentials(AutoTGT.java:103)
	at org.apache.storm.StormSubmitter.populateCredentials(StormSubmitter.java:94)
	at org.apache.storm.StormSubmitter.submitTopologyAs(StormSubmitter.java:214)
	at org.apache.storm.StormSubmitter.submitTopology(StormSubmitter.java:310)
	at org.apache.storm.StormSubmitter.submitTopology(StormSubmitter.java:157)
	at storm.starter.WordCountTopology.main(WordCountTopology.java:77)
Caused by: java.lang.RuntimeException: The TGT found is not renewable
	at org.apache.storm.security.auth.kerberos.AutoTGT.populateCredentials(AutoTGT.java:94) 
 ... 5 more

When we check the Keberos Principal which as R Flag as well.

We tried even regenerating the keytabs, this problem is not resolved.

When we submit from new keytab principal, this is working fine.

Can you please suggest, is there anyway we can avoid this TGT Renewal check or how to resolve.

OS version : 
Red Hat Enterprise Linux Server release 7.4 (Maipo)

Problematic principal details :
[storm@cbro-test-stm1 ~]$ klist -f
Ticket cache: FILE:/tmp/krb5cc_1021
Default principal: storm-xxxx_master@XXXXXX.COM

Valid starting       Expires              Service principal
01/06/2018 22:30:40  01/07/2018 08:30:40  krbtgt/XXXXXX.COM@XXXXXX.COM
        renew until 01/12/2018 13:54:47, Flags: FRIAT

Working principal details :
[metron@cbro-test-edg4 ~]$ klist -f
Ticket cache: FILE:/tmp/krb5cc_1024
Default principal: metron@XXXXXX.COM

Valid starting       Expires              Service principal
01/09/2018 15:28:47  01/10/2018 01:28:47  krbtgt/XXXXXX.COM@XXXXXX.COM
        renew until 01/16/2018 15:28:47, Flags: FRIA

Prakash R