You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@storm.apache.org by prakash r <rp...@gmail.com> on 2018/01/09 04:31:40 UTC
Storm Kerberos starting topology fails with "The TGT found is not renewable"
Hello,
We are facing issue with starting a topology when Storm is kerberosed.
1189 [main] INFO o.a.s.s.a.AuthUtils - Got AutoCreds
[org.apache.storm.security.auth.kerberos.AutoTGT@129b4fe2]
1189 [main] INFO o.a.s.StormSubmitter - Running
org.apache.storm.security.auth.kerberos.AutoTGT@129b4fe2
Exception in thread "main" java.lang.RuntimeException:
java.lang.RuntimeException: The TGT found is not renewable
at org.apache.storm.security.auth.kerberos.AutoTGT.populateCredentials(AutoTGT.java:103)
at org.apache.storm.StormSubmitter.populateCredentials(StormSubmitter.java:94)
at org.apache.storm.StormSubmitter.submitTopologyAs(StormSubmitter.java:214)
at org.apache.storm.StormSubmitter.submitTopology(StormSubmitter.java:310)
at org.apache.storm.StormSubmitter.submitTopology(StormSubmitter.java:157)
at storm.starter.WordCountTopology.main(WordCountTopology.java:77)
Caused by: java.lang.RuntimeException: The TGT found is not renewable
at org.apache.storm.security.auth.kerberos.AutoTGT.populateCredentials(AutoTGT.java:94)
... 5 more
When we check the Keberos Principal which as R Flag as well.
We tried even regenerating the keytabs, this problem is not resolved.
When we submit from new keytab principal, this is working fine.
*Can you please suggest, is there anyway we can avoid this TGT Renewal
check or how to resolve.*
*OS version :*
Red Hat Enterprise Linux Server release 7.4 (Maipo)
*Problematic principal details :*
[storm@cbro-test-stm1 ~]$ klist -f
Ticket cache: FILE:/tmp/krb5cc_1021
Default principal: storm-xxxx_master@XXXXXX.COM
Valid starting Expires Service principal
01/06/2018 22:30:40 01/07/2018 08:30:40 krbtgt/XXXXXX.COM@XXXXXX.COM
renew until 01/12/2018 13:54:47, Flags: FRIAT
*Working principal details :*
[metron@cbro-test-edg4 ~]$ klist -f
Ticket cache: FILE:/tmp/krb5cc_1024
Default principal: metron@XXXXXX.COM
Valid starting Expires Service principal
01/09/2018 15:28:47 01/10/2018 01:28:47 krbtgt/XXXXXX.COM@XXXXXX.COM
renew until 01/16/2018 15:28:47, Flags: FRIA
Regards,
Prakash R
Storm Kerberos starting topology fails with "The TGT found is not renewable"
Posted by prakash r <rp...@gmail.com>.
Hello,
We are facing issue with starting a topology when Storm is kerberosed.
1189 [main] INFO o.a.s.s.a.AuthUtils - Got AutoCreds
[org.apache.storm.security.auth.kerberos.AutoTGT@129b4fe2]
1189 [main] INFO o.a.s.StormSubmitter - Running
org.apache.storm.security.auth.kerberos.AutoTGT@129b4fe2
Exception in thread "main" java.lang.RuntimeException:
java.lang.RuntimeException: The TGT found is not renewable
at org.apache.storm.security.auth.kerberos.AutoTGT.populateCred
entials(AutoTGT.java:103)
at org.apache.storm.StormSubmitter.populateCredentials(StormSub
mitter.java:94)
at org.apache.storm.StormSubmitter.submitTopologyAs(StormSubmitter.java:214)
at org.apache.storm.StormSubmitter.submitTopology(StormSubmitter.java:310)
at org.apache.storm.StormSubmitter.submitTopology(StormSubmitter.java:157)
at storm.starter.WordCountTopology.main(WordCountTopology.java:77)
Caused by: java.lang.RuntimeException: The TGT found is not renewable
at org.apache.storm.security.auth.kerberos.AutoTGT.populateCred
entials(AutoTGT.java:94)
... 5 more
When we check the Keberos Principal which as R Flag as well.
We tried even regenerating the keytabs, this problem is not resolved.
When we submit from new keytab principal, this is working fine.
*Can you please suggest, is there anyway we can avoid this TGT Renewal
check or how to resolve.*
*OS version :*
Red Hat Enterprise Linux Server release 7.4 (Maipo)
*Problematic principal details :*
[storm@cbro-test-stm1 ~]$ klist -f
Ticket cache: FILE:/tmp/krb5cc_1021
Default principal: *storm-xxxx_master@XXXXXX.COM*
<st...@XXXXXX.COM>
Valid starting Expires Service principal
01/06/2018 22:30:40 01/07/2018 08:30:40 krbtgt/*XXXXXX.COM@XXXXXX.COM*
<XX...@XXXXXX.COM>
renew until 01/12/2018 13:54:47, Flags: FRIAT
*Working principal details :*
[metron@cbro-test-edg4 ~]$ klist -f
Ticket cache: FILE:/tmp/krb5cc_1024
Default principal: *metron@XXXXXX.COM* <me...@XXXXXX.COM>
Valid starting Expires Service principal
01/09/2018 15:28:47 01/10/2018 01:28:47 krbtgt/*XXXXXX.COM@XXXXXX.COM*
<XX...@XXXXXX.COM>
renew until 01/16/2018 15:28:47, Flags: FRIA
Regards,
Prakash R
Re: Storm Kerberos starting topology fails with "The TGT found is not renewable"
Posted by prakash r <rp...@gmail.com>.
Thanks Bobby for your time.
We cannot disable kerberos authentication, will have re-look the krb5.conf
of both KDC & client machines, to check if anything suspicious.
Will get back if any queries, thanks
Regards,
Prakash R
On Sat, Jan 13, 2018 at 2:15 AM, Bobby Evans <bo...@apache.org> wrote:
> If you don't need kerberos authentication in your worker you can just
> remove AutoTGT from the topology.auto-credentials list. It is the one that
> is blowing up with issues.
>
> If you do need TGT creds there is no way to configure that check off.
> This is because without the renewal it is likely that you will need to push
> a new TGT to your topology every few hours instead of once a day, but all
> fo that depends on how you have configured your krb5.conf both locally on
> your box and also on the kdc.
>
> How to fix the issue is hard to tell, because the kerberos configuration
> is not always simple. One issue that we have run into similar to this was
> that we had been using 'yes' in our krb5.conf in some places instead of
> 'true'. Apparently the mit command line tools and libraries accept both,
> but java parses yes as a boolean and turns it into a false. You might want
> to check there.
>
> Beyond that I really don't know what it could be.
>
> Thanks,
>
> Bobby
>
>
> On Thu, Jan 11, 2018 at 4:47 PM prakash r <rp...@gmail.com> wrote:
>
>> Thanks Ethan
>>
>> Yes i have verified the ticket used one is correct.
>>
>> If you can recollect the fix, please share us.
>>
>> Regards,
>> Prakash R
>>
>> On Fri, Jan 12, 2018 at 9:42 AM, Ethan Li <et...@gmail.com>
>> wrote:
>>
>>> Hi Prakash,
>>>
>>> It might sound silly but did you check if the ticket you think you are
>>> using is the one that’s actually being used. I fixed the “The TGT found is
>>> not renewable” problem in my use case before but sorry I couldn’t remember
>>> the details.
>>>
>>> Best,
>>> Ethan
>>>
>>> On Jan 11, 2018, at 3:10 PM, prakash r <rp...@gmail.com> wrote:
>>>
>>> Hello All,
>>>
>>> Any suggestion on this ?
>>>
>>> *Is there anyway we can avoid this TGT Renewal check or how to resolve.*
>>>
>>> Regards,
>>> Prakash R
>>>
>>> On Tue, Jan 9, 2018 at 3:31 PM, prakash r <rp...@gmail.com>
>>> wrote:
>>>
>>>> Hello,
>>>>
>>>> We are facing issue with starting a topology when Storm is kerberosed.
>>>>
>>>> 1189 [main] INFO o.a.s.s.a.AuthUtils - Got AutoCreds
>>>> [org.apache.storm.security.auth.kerberos.AutoTGT@129b4fe2]
>>>>
>>>> 1189 [main] INFO o.a.s.StormSubmitter - Running org.apache.storm.security.auth.kerberos.AutoTGT@129b4fe2
>>>> Exception in thread "main" java.lang.RuntimeException: java.lang.RuntimeException: The TGT found is not renewable
>>>> at org.apache.storm.security.auth.kerberos.AutoTGT.populateCredentials(AutoTGT.java:103)
>>>> at org.apache.storm.StormSubmitter.populateCredentials(StormSubmitter.java:94)
>>>> at org.apache.storm.StormSubmitter.submitTopologyAs(StormSubmitter.java:214)
>>>> at org.apache.storm.StormSubmitter.submitTopology(StormSubmitter.java:310)
>>>> at org.apache.storm.StormSubmitter.submitTopology(StormSubmitter.java:157)
>>>> at storm.starter.WordCountTopology.main(WordCountTopology.java:77)
>>>> Caused by: java.lang.RuntimeException: The TGT found is not renewable
>>>> at org.apache.storm.security.auth.kerberos.AutoTGT.populateCredentials(AutoTGT.java:94)
>>>>
>>>> ... 5 more
>>>>
>>>> When we check the Keberos Principal which as R Flag as well.
>>>>
>>>> We tried even regenerating the keytabs, this problem is not resolved.
>>>>
>>>> When we submit from new keytab principal, this is working fine.
>>>>
>>>> *Can you please suggest, is there anyway we can avoid this TGT Renewal
>>>> check or how to resolve.*
>>>>
>>>> *OS version :*
>>>> Red Hat Enterprise Linux Server release 7.4 (Maipo)
>>>>
>>>>
>>>> *Problematic principal details :*
>>>> [storm@cbro-test-stm1 ~]$ klist -f
>>>> Ticket cache: FILE:/tmp/krb5cc_1021
>>>> Default principal: storm-xxxx_master@XXXXXX.COM
>>>>
>>>> Valid starting Expires Service principal
>>>> 01/06/2018 22:30:40 01/07/2018 08:30:40 krbtgt/XXXXXX.COM@XXXXXX.COM
>>>> renew until 01/12/2018 13:54:47, Flags: FRIAT
>>>>
>>>>
>>>>
>>>> *Working principal details :*
>>>> [metron@cbro-test-edg4 ~]$ klist -f
>>>> Ticket cache: FILE:/tmp/krb5cc_1024
>>>> Default principal: metron@XXXXXX.COM
>>>>
>>>> Valid starting Expires Service principal
>>>> 01/09/2018 15:28:47 01/10/2018 01:28:47 krbtgt/XXXXXX.COM@XXXXXX.COM
>>>> renew until 01/16/2018 15:28:47, Flags: FRIA
>>>>
>>>>
>>>> Regards,
>>>> Prakash R
>>>>
>>>
>>>
>>>
>>
Re: Storm Kerberos starting topology fails with "The TGT found is not renewable"
Posted by Bobby Evans <bo...@apache.org>.
If you don't need kerberos authentication in your worker you can just
remove AutoTGT from the topology.auto-credentials list. It is the one that
is blowing up with issues.
If you do need TGT creds there is no way to configure that check off. This
is because without the renewal it is likely that you will need to push a
new TGT to your topology every few hours instead of once a day, but all fo
that depends on how you have configured your krb5.conf both locally on your
box and also on the kdc.
How to fix the issue is hard to tell, because the kerberos configuration is
not always simple. One issue that we have run into similar to this was
that we had been using 'yes' in our krb5.conf in some places instead of
'true'. Apparently the mit command line tools and libraries accept both,
but java parses yes as a boolean and turns it into a false. You might want
to check there.
Beyond that I really don't know what it could be.
Thanks,
Bobby
On Thu, Jan 11, 2018 at 4:47 PM prakash r <rp...@gmail.com> wrote:
> Thanks Ethan
>
> Yes i have verified the ticket used one is correct.
>
> If you can recollect the fix, please share us.
>
> Regards,
> Prakash R
>
> On Fri, Jan 12, 2018 at 9:42 AM, Ethan Li <et...@gmail.com>
> wrote:
>
>> Hi Prakash,
>>
>> It might sound silly but did you check if the ticket you think you are
>> using is the one that’s actually being used. I fixed the “The TGT found is
>> not renewable” problem in my use case before but sorry I couldn’t remember
>> the details.
>>
>> Best,
>> Ethan
>>
>> On Jan 11, 2018, at 3:10 PM, prakash r <rp...@gmail.com> wrote:
>>
>> Hello All,
>>
>> Any suggestion on this ?
>>
>> *Is there anyway we can avoid this TGT Renewal check or how to resolve.*
>>
>> Regards,
>> Prakash R
>>
>> On Tue, Jan 9, 2018 at 3:31 PM, prakash r <rp...@gmail.com> wrote:
>>
>>> Hello,
>>>
>>> We are facing issue with starting a topology when Storm is kerberosed.
>>>
>>> 1189 [main] INFO o.a.s.s.a.AuthUtils - Got AutoCreds
>>> [org.apache.storm.security.auth.kerberos.AutoTGT@129b4fe2]
>>>
>>> 1189 [main] INFO o.a.s.StormSubmitter - Running org.apache.storm.security.auth.kerberos.AutoTGT@129b4fe2
>>> Exception in thread "main" java.lang.RuntimeException: java.lang.RuntimeException: The TGT found is not renewable
>>> at org.apache.storm.security.auth.kerberos.AutoTGT.populateCredentials(AutoTGT.java:103)
>>> at org.apache.storm.StormSubmitter.populateCredentials(StormSubmitter.java:94)
>>> at org.apache.storm.StormSubmitter.submitTopologyAs(StormSubmitter.java:214)
>>> at org.apache.storm.StormSubmitter.submitTopology(StormSubmitter.java:310)
>>> at org.apache.storm.StormSubmitter.submitTopology(StormSubmitter.java:157)
>>> at storm.starter.WordCountTopology.main(WordCountTopology.java:77)
>>> Caused by: java.lang.RuntimeException: The TGT found is not renewable
>>> at org.apache.storm.security.auth.kerberos.AutoTGT.populateCredentials(AutoTGT.java:94)
>>>
>>> ... 5 more
>>>
>>> When we check the Keberos Principal which as R Flag as well.
>>>
>>> We tried even regenerating the keytabs, this problem is not resolved.
>>>
>>> When we submit from new keytab principal, this is working fine.
>>>
>>> *Can you please suggest, is there anyway we can avoid this TGT Renewal
>>> check or how to resolve.*
>>>
>>> *OS version :*
>>> Red Hat Enterprise Linux Server release 7.4 (Maipo)
>>>
>>>
>>> *Problematic principal details :*
>>> [storm@cbro-test-stm1 ~]$ klist -f
>>> Ticket cache: FILE:/tmp/krb5cc_1021
>>> Default principal: storm-xxxx_master@XXXXXX.COM
>>>
>>> Valid starting Expires Service principal
>>> 01/06/2018 22:30:40 01/07/2018 08:30:40 krbtgt/XXXXXX.COM@XXXXXX.COM
>>> renew until 01/12/2018 13:54:47, Flags: FRIAT
>>>
>>>
>>>
>>> *Working principal details :*
>>> [metron@cbro-test-edg4 ~]$ klist -f
>>> Ticket cache: FILE:/tmp/krb5cc_1024
>>> Default principal: metron@XXXXXX.COM
>>>
>>> Valid starting Expires Service principal
>>> 01/09/2018 15:28:47 01/10/2018 01:28:47 krbtgt/XXXXXX.COM@XXXXXX.COM
>>> renew until 01/16/2018 15:28:47, Flags: FRIA
>>>
>>>
>>> Regards,
>>> Prakash R
>>>
>>
>>
>>
>
Re: Storm Kerberos starting topology fails with "The TGT found is not renewable"
Posted by prakash r <rp...@gmail.com>.
Thanks Ethan
Yes i have verified the ticket used one is correct.
If you can recollect the fix, please share us.
Regards,
Prakash R
On Fri, Jan 12, 2018 at 9:42 AM, Ethan Li <et...@gmail.com> wrote:
> Hi Prakash,
>
> It might sound silly but did you check if the ticket you think you are
> using is the one that’s actually being used. I fixed the “The TGT found is
> not renewable” problem in my use case before but sorry I couldn’t remember
> the details.
>
> Best,
> Ethan
>
> On Jan 11, 2018, at 3:10 PM, prakash r <rp...@gmail.com> wrote:
>
> Hello All,
>
> Any suggestion on this ?
>
> *Is there anyway we can avoid this TGT Renewal check or how to resolve.*
>
> Regards,
> Prakash R
>
> On Tue, Jan 9, 2018 at 3:31 PM, prakash r <rp...@gmail.com> wrote:
>
>> Hello,
>>
>> We are facing issue with starting a topology when Storm is kerberosed.
>>
>> 1189 [main] INFO o.a.s.s.a.AuthUtils - Got AutoCreds
>> [org.apache.storm.security.auth.kerberos.AutoTGT@129b4fe2]
>>
>> 1189 [main] INFO o.a.s.StormSubmitter - Running org.apache.storm.security.auth.kerberos.AutoTGT@129b4fe2
>> Exception in thread "main" java.lang.RuntimeException: java.lang.RuntimeException: The TGT found is not renewable
>> at org.apache.storm.security.auth.kerberos.AutoTGT.populateCredentials(AutoTGT.java:103)
>> at org.apache.storm.StormSubmitter.populateCredentials(StormSubmitter.java:94)
>> at org.apache.storm.StormSubmitter.submitTopologyAs(StormSubmitter.java:214)
>> at org.apache.storm.StormSubmitter.submitTopology(StormSubmitter.java:310)
>> at org.apache.storm.StormSubmitter.submitTopology(StormSubmitter.java:157)
>> at storm.starter.WordCountTopology.main(WordCountTopology.java:77)
>> Caused by: java.lang.RuntimeException: The TGT found is not renewable
>> at org.apache.storm.security.auth.kerberos.AutoTGT.populateCredentials(AutoTGT.java:94)
>>
>> ... 5 more
>>
>> When we check the Keberos Principal which as R Flag as well.
>>
>> We tried even regenerating the keytabs, this problem is not resolved.
>>
>> When we submit from new keytab principal, this is working fine.
>>
>> *Can you please suggest, is there anyway we can avoid this TGT Renewal
>> check or how to resolve.*
>>
>> *OS version :*
>> Red Hat Enterprise Linux Server release 7.4 (Maipo)
>>
>>
>> *Problematic principal details :*
>> [storm@cbro-test-stm1 ~]$ klist -f
>> Ticket cache: FILE:/tmp/krb5cc_1021
>> Default principal: storm-xxxx_master@XXXXXX.COM
>>
>> Valid starting Expires Service principal
>> 01/06/2018 22:30:40 01/07/2018 08:30:40 krbtgt/XXXXXX.COM@XXXXXX.COM
>> renew until 01/12/2018 13:54:47, Flags: FRIAT
>>
>>
>>
>> *Working principal details :*
>> [metron@cbro-test-edg4 ~]$ klist -f
>> Ticket cache: FILE:/tmp/krb5cc_1024
>> Default principal: metron@XXXXXX.COM
>>
>> Valid starting Expires Service principal
>> 01/09/2018 15:28:47 01/10/2018 01:28:47 krbtgt/XXXXXX.COM@XXXXXX.COM
>> renew until 01/16/2018 15:28:47, Flags: FRIA
>>
>>
>> Regards,
>> Prakash R
>>
>
>
>
Re: Storm Kerberos starting topology fails with "The TGT found is not
renewable"
Posted by Ethan Li <et...@gmail.com>.
Hi Prakash,
It might sound silly but did you check if the ticket you think you are using is the one that’s actually being used. I fixed the “The TGT found is not renewable” problem in my use case before but sorry I couldn’t remember the details.
Best,
Ethan
> On Jan 11, 2018, at 3:10 PM, prakash r <rp...@gmail.com> wrote:
>
> Hello All,
>
> Any suggestion on this ?
>
> Is there anyway we can avoid this TGT Renewal check or how to resolve.
>
> Regards,
> Prakash R
>
> On Tue, Jan 9, 2018 at 3:31 PM, prakash r <rprakashdoss@gmail.com <ma...@gmail.com>> wrote:
> Hello,
>
> We are facing issue with starting a topology when Storm is kerberosed.
>
> 1189 [main] INFO o.a.s.s.a.AuthUtils - Got AutoCreds [org.apache.storm.security.auth.kerberos.AutoTGT@129b4fe2]
> 1189 [main] INFO o.a.s.StormSubmitter - Running org.apache.storm.security.auth.kerberos.AutoTGT@129b4fe2
> Exception in thread "main" java.lang.RuntimeException: java.lang.RuntimeException: The TGT found is not renewable
> at org.apache.storm.security.auth.kerberos.AutoTGT.populateCredentials(AutoTGT.java:103)
> at org.apache.storm.StormSubmitter.populateCredentials(StormSubmitter.java:94)
> at org.apache.storm.StormSubmitter.submitTopologyAs(StormSubmitter.java:214)
> at org.apache.storm.StormSubmitter.submitTopology(StormSubmitter.java:310)
> at org.apache.storm.StormSubmitter.submitTopology(StormSubmitter.java:157)
> at storm.starter.WordCountTopology.main(WordCountTopology.java:77)
> Caused by: java.lang.RuntimeException: The TGT found is not renewable
> at org.apache.storm.security.auth.kerberos.AutoTGT.populateCredentials(AutoTGT.java:94)
> ... 5 more
>
> When we check the Keberos Principal which as R Flag as well.
>
> We tried even regenerating the keytabs, this problem is not resolved.
>
> When we submit from new keytab principal, this is working fine.
>
> Can you please suggest, is there anyway we can avoid this TGT Renewal check or how to resolve.
>
> OS version :
> Red Hat Enterprise Linux Server release 7.4 (Maipo)
>
>
> Problematic principal details :
> [storm@cbro-test-stm1 ~]$ klist -f
> Ticket cache: FILE:/tmp/krb5cc_1021
> Default principal: storm-xxxx_master@XXXXXX.COM <ma...@XXXXXX.COM>
>
> Valid starting Expires Service principal
> 01/06/2018 22:30:40 01/07/2018 08:30:40 krbtgt/XXXXXX.COM@XXXXXX.COM <ma...@XXXXXX.COM>
> renew until 01/12/2018 13:54:47, Flags: FRIAT
>
>
>
> Working principal details :
> [metron@cbro-test-edg4 ~]$ klist -f
> Ticket cache: FILE:/tmp/krb5cc_1024
> Default principal: metron@XXXXXX.COM <ma...@XXXXXX.COM>
>
> Valid starting Expires Service principal
> 01/09/2018 15:28:47 01/10/2018 01:28:47 krbtgt/XXXXXX.COM@XXXXXX.COM <ma...@XXXXXX.COM>
> renew until 01/16/2018 15:28:47, Flags: FRIA
>
>
> Regards,
> Prakash R
>
Re: Storm Kerberos starting topology fails with "The TGT found is not renewable"
Posted by prakash r <rp...@gmail.com>.
Hello All,
Any suggestion on this ?
*Is there anyway we can avoid this TGT Renewal check or how to resolve.*
Regards,
Prakash R
On Tue, Jan 9, 2018 at 3:31 PM, prakash r <rp...@gmail.com> wrote:
> Hello,
>
> We are facing issue with starting a topology when Storm is kerberosed.
>
> 1189 [main] INFO o.a.s.s.a.AuthUtils - Got AutoCreds
> [org.apache.storm.security.auth.kerberos.AutoTGT@129b4fe2]
>
> 1189 [main] INFO o.a.s.StormSubmitter - Running org.apache.storm.security.auth.kerberos.AutoTGT@129b4fe2
> Exception in thread "main" java.lang.RuntimeException: java.lang.RuntimeException: The TGT found is not renewable
> at org.apache.storm.security.auth.kerberos.AutoTGT.populateCredentials(AutoTGT.java:103)
> at org.apache.storm.StormSubmitter.populateCredentials(StormSubmitter.java:94)
> at org.apache.storm.StormSubmitter.submitTopologyAs(StormSubmitter.java:214)
> at org.apache.storm.StormSubmitter.submitTopology(StormSubmitter.java:310)
> at org.apache.storm.StormSubmitter.submitTopology(StormSubmitter.java:157)
> at storm.starter.WordCountTopology.main(WordCountTopology.java:77)
> Caused by: java.lang.RuntimeException: The TGT found is not renewable
> at org.apache.storm.security.auth.kerberos.AutoTGT.populateCredentials(AutoTGT.java:94)
>
> ... 5 more
>
> When we check the Keberos Principal which as R Flag as well.
>
> We tried even regenerating the keytabs, this problem is not resolved.
>
> When we submit from new keytab principal, this is working fine.
>
> *Can you please suggest, is there anyway we can avoid this TGT Renewal
> check or how to resolve.*
>
> *OS version :*
> Red Hat Enterprise Linux Server release 7.4 (Maipo)
>
>
> *Problematic principal details :*
> [storm@cbro-test-stm1 ~]$ klist -f
> Ticket cache: FILE:/tmp/krb5cc_1021
> Default principal: storm-xxxx_master@XXXXXX.COM
>
> Valid starting Expires Service principal
> 01/06/2018 22:30:40 01/07/2018 08:30:40 krbtgt/XXXXXX.COM@XXXXXX.COM
> renew until 01/12/2018 13:54:47, Flags: FRIAT
>
>
>
> *Working principal details :*
> [metron@cbro-test-edg4 ~]$ klist -f
> Ticket cache: FILE:/tmp/krb5cc_1024
> Default principal: metron@XXXXXX.COM
>
> Valid starting Expires Service principal
> 01/09/2018 15:28:47 01/10/2018 01:28:47 krbtgt/XXXXXX.COM@XXXXXX.COM
> renew until 01/16/2018 15:28:47, Flags: FRIA
>
>
> Regards,
> Prakash R
>