[
https://issues.apache.org/jira/browse/AMBARI-11001?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15051365#comment-15051365
]
Jeffrey E Rodriguez commented on AMBARI-11001:
-----------------------------------------------
Thanks again for your prompt reply. Reviewing Krb5LoginModule, my point is that
setting up renewTGT=false would disable renewing TGT in Krb5LoginModule.
Review
http://www.docjar.com/html/api/comy/sun/security/auth/module/Krb5LoginModule.java.html
Thus if that is the case then we must be renewing the TGT credential somehow,
other than manually? Right?
Even though there are no issues after first TGT, the TGT would expire by default
in 10 hours. So my concern is whether the TGT would be renewed and where it is
done.
Thanks again for your help.
> Ambari uses users' interactive ticket cache
> -------------------------------------------
>
> Key: AMBARI-11001
> URL: https://issues.apache.org/jira/browse/AMBARI-11001
> Project: Ambari
> Issue Type: Bug
> Components: ambari-server
> Affects Versions: 2.1.0
> Reporter: Robert Levas
> Assignee: Robert Levas
> Priority: Critical
> Labels: JAAS
> Fix For: 2.1.0
>
> Attachments: AMBARI-11001_01.patch
>
>
> It appears that it is necessary to kinit prior to starting ambari-server,
> even after ambari-server setup-security (#3). It seems that this should be
> automatically handled by Ambari.
> Ambari-server should NOT use the same ticket cache as the interactive user.
> STR:
> 1. kinit
> 2. ambari-server start
> 3. verify that ambari-server can authenticate with ticket specified in #1
> 4. kdestroy
> 5. try to authenticate through Ambari again (it will not work)
> *Solution*
> Ensure JAAS Login works properly such that the Kerberos tickets for the
> account that executes Ambari are not relevant.
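
As an added illustration of the ticket-cache and renewTGT questions discussed above (not code from the ticket, its attached patch, or Ambari), the following check parses a JAAS configuration and reports Krb5LoginModule stanzas that read a ticket cache, set renewTGT without useTicketCache, or lack a keytab. The entry names, paths, principals and finding labels are constructed for the example.

```python
import re

ENTRY_RE = re.compile(r'([\w.\-]+)\s*\{(.*?)\}\s*;', re.S)
OPTION_RE = re.compile(r'(\w+)\s*=\s*("[^"]*"|[^\s;]+)')

def audit_jaas(text):
    """Return sorted (entry, finding) pairs for Krb5LoginModule stanzas."""
    text = re.sub(r'(?m)^\s*//.*$', '', text)  # drop full-line // comments
    findings = set()
    for entry, body in ENTRY_RE.findall(text):
        for stanza in body.split(';'):
            parts = stanza.split(None, 2)  # class, control flag, options
            if len(parts) < 2 or not parts[0].endswith('Krb5LoginModule'):
                continue
            opts = dict(OPTION_RE.findall(parts[2])) if len(parts) == 3 else {}
            on = lambda key: opts.get(key, 'false').strip('"').lower() == 'true'
            if on('useTicketCache'):
                # Per the Krb5LoginModule Javadoc the cache is tried before the
                # keytab; without ticketCache= it is the default cache of the
                # account that started the JVM.
                where = 'named' if 'ticketCache' in opts else 'default'
                findings.add((entry, f'uses-{where}-ticket-cache'))
            if on('renewTGT') and not on('useTicketCache'):
                # Documented as a configuration error by the module.
                findings.add((entry, 'renewTGT-without-useTicketCache'))
            if not on('useKeyTab'):
                findings.add((entry, 'no-keytab'))
    return sorted(findings)

# Constructed sample input; every name and path is a placeholder.
SAMPLE = '''
// constructed sample
server.keytab.only {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true keyTab="/path/to/service.keytab"
    principal="service@EXAMPLE.COM" storeKey=true
    doNotPrompt=true useTicketCache=false renewTGT=false;
};
server.shared.cache {
    com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache=true renewTGT=true doNotPrompt=true;
};
server.misconfigured {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true keyTab="/path/to/service.keytab"
    principal="service@EXAMPLE.COM" renewTGT=true;
};
'''

if __name__ == '__main__':
    for entry, finding in audit_jaas(SAMPLE):
        print(f'{entry}: {finding}')
```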