jeongho · February 25, 2016 17:56
diff --git a/kerberos_kadmin_hack.txt b/kerberos_kadmin_hack.txt
 -----
 for p in `kadmin.local -q listprincs` ; do kadmin.local -q "modprinc -maxrenewlife 1000days $p" ; done
 -----

 kadmin.local -q "getprincs" > principals.txt

 vi principals.txt
 reemove the non-Hadoop principals from the principals.txt file, and then run this small script to update the existing principals: 
 for princ in `cat principals.txt`; do kadmin.local -q "modprinc -maxrenewlife 7day $princ"; done;
 service krb5kdc restart
 service kadmin restart
 
 /var/kerberos/krb5kdc/kdc.conf 
 [kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88
 
 [realms]
 CLOUDERA = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  default_principal_flags = renewable
  max_renewable_life = 7d
 
  # WARNING: aes256-ct:normal is disabled to simplify testing, since it
  # requires the enhanced security JCE policy file to be installed. You should
  # NOT run with this configuration in production or any real environment. You
  # have been warned.
  supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
 
 
 /etc/krb5.conf
 [logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
 
 [libdefaults]
 default_realm = CLOUDERA
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 
 [realms]
 CLOUDERA = {
  kdc = alice-1.vpc.wonderland.com
  admin_server = alice-1.vpc.wonderland.com
 }
 
 [domain_realm]
 .vpc.wonderland.com = CLOUDERA
 alice-1.vpc.wonderland.com = CLOUDERA
	-----
	for p in `kadmin.local -q listprincs` ; do kadmin.local -q "modprinc -maxrenewlife 1000days $p" ; done
	-----

	kadmin.local -q "getprincs" > principals.txt

	vi principals.txt
	reemove the non-Hadoop principals from the principals.txt file, and then run this small script to update the existing principals:
	for princ in `cat principals.txt`; do kadmin.local -q "modprinc -maxrenewlife 7day $princ"; done;
	service krb5kdc restart
	service kadmin restart

	/var/kerberos/krb5kdc/kdc.conf
	[kdcdefaults]
	kdc_ports = 88
	kdc_tcp_ports = 88

	[realms]
	CLOUDERA = {
	#master_key_type = aes256-cts
	acl_file = /var/kerberos/krb5kdc/kadm5.acl
	dict_file = /usr/share/dict/words
	admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
	default_principal_flags = renewable
	max_renewable_life = 7d

	# WARNING: aes256-ct:normal is disabled to simplify testing, since it
	# requires the enhanced security JCE policy file to be installed. You should
	# NOT run with this configuration in production or any real environment. You
	# have been warned.
	supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
	}


	/etc/krb5.conf
	[logging]
	default = FILE:/var/log/krb5libs.log
	kdc = FILE:/var/log/krb5kdc.log
	admin_server = FILE:/var/log/kadmind.log

	[libdefaults]
	default_realm = CLOUDERA
	dns_lookup_realm = false
	dns_lookup_kdc = false
	ticket_lifetime = 24h
	renew_lifetime = 7d
	forwardable = true

	[realms]
	CLOUDERA = {
	kdc = alice-1.vpc.wonderland.com
	admin_server = alice-1.vpc.wonderland.com
	}

	[domain_realm]
	.vpc.wonderland.com = CLOUDERA
	alice-1.vpc.wonderland.com = CLOUDERA