Introduction

Kerberos authentication relies on Ticket Granting Tickets (TGTs) that have a limited lifetime. When a TGT expires, the user cannot obtain service tickets to access Kerberos-protected resources. While Kerberos supports TGT renewal, automatic renewal must be explicitly configured. Without it, users must manually re-authenticate, disrupting long-running sessions and automated service operations. This is particularly problematic for developers running long compilation jobs, database administrators maintaining persistent connections, and services like Hadoop or NFS that depend on continuous Kerberos authentication. When tickets expire mid-operation, data pipelines fail, file shares become inaccessible, and batch jobs abort without warning.

Symptoms

  • User cannot access Kerberos-protected services after an extended login session
  • klist shows no valid TGT or expired ticket
  • Service requests fail with KRB5KDC_ERR_TGT_REVOKED or Credentials cache expired
  • Hadoop, NFS, or other Kerberos-authenticated services reject requests
  • Error message: kinit: KDC reply did not match expectations while getting initial credentials

Common Causes

  • TGT lifetime set too short for the user's typical session duration
  • Automatic TGT renewal not configured in the Kerberos client
  • Service running as a user without a valid TGT (daemon, cron job, systemd service)
  • Keytab file for the service account is outdated or missing
  • Kerberos KDC unreachable, preventing TGT renewal

Step-by-Step Fix

  1. Check the current Kerberos ticket status: Verify TGT expiration.

```bash
klist
# Check:
# Default principal: user@EXAMPLE.COM
# Ticket cache: FILE:/tmp/krb5cc_1000
# Valid starting: ... Expires: ... (check if expired)
```

  2. Renew the TGT manually: Re-authenticate to get a new ticket.

```bash
kinit user@EXAMPLE.COM
# Enter password when prompted
# Verify new ticket
klist
```

  3. Enable automatic TGT renewal: Configure the client to request renewable tickets, then renew the existing ticket with `kinit -R` before it expires.

```ini
# /etc/krb5.conf
[libdefaults]
default_realm = EXAMPLE.COM
renew_lifetime = 7d
forwardable = true

[realms]
EXAMPLE.COM = {
    kdc = kdc1.example.com
    kdc = kdc2.example.com
    admin_server = kdc1.example.com
}
```

```bash
# Renew existing ticket
kinit -R
```

  4. For services, use keytab-based authentication: Avoid interactive TGT dependency.

```bash
# Initialize with keytab
kinit -kt /etc/security/keytabs/service.keytab service/host.example.com@EXAMPLE.COM
# Verify
klist -kt /etc/security/keytabs/service.keytab
```

  5. For systemd services, configure Kerberos credential management: Use systemd's built-in support.

```ini
# /etc/systemd/system/my-service.service
[Service]
ExecStartPre=/usr/bin/kinit -kt /etc/security/keytabs/my-service.keytab myservice@EXAMPLE.COM
ExecStart=/opt/my-service/bin/start
# Or use systemd's LoadCredential= for keytab files
```
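Step 3 only makes the ticket renewable and step 5 obtains a ticket once at start-up; something still has to run `kinit -R` before the TGT expires, and fall back to the keytab once the renewable window (the "renew until" line in klist) has passed. The helper below is an added example, not code from the original article: it parses klist output (MIT klist with C-locale timestamps is assumed), decides whether the cached TGT is fine, renewable, or needs a fresh `kinit -kt`, and is meant to run periodically from cron or a systemd timer; the keytab path and principal passed to `refresh()` are placeholders.

```python
import re
import subprocess
from datetime import datetime, timedelta

# Timestamp shape assumed here: MIT klist in the C locale (MM/DD/YYYY or MM/DD/YY HH:MM:SS)
TS = r"\d\d/\d\d/\d{2,4} \d\d:\d\d:\d\d"
TGT_RE = re.compile(rf"^(?P<start>{TS})\s+(?P<expires>{TS})\s+krbtgt/\S+\s*"
                    rf"(?:renew until (?P<renew_until>{TS}))?", re.MULTILINE)

def parse_timestamp(text):
    for fmt in ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError("unrecognised klist timestamp: " + text)

def parse_tgt(klist_output):
    """Return (expires, renew_until or None) for the krbtgt entry, or None if no TGT is cached."""
    m = TGT_RE.search(klist_output)
    if m is None:
        return None
    renew = m.group("renew_until")
    return parse_timestamp(m.group("expires")), (parse_timestamp(renew) if renew else None)

def decide(klist_output, now, threshold=timedelta(hours=1)):
    """'ok': leave alone; 'renew': kinit -R will still work; 'reinit': a fresh kinit is needed."""
    tgt = parse_tgt(klist_output)
    if tgt is None:
        return "reinit"                        # empty or missing credential cache
    expires, renew_until = tgt
    if expires - now > threshold:
        return "ok"
    # kinit -R succeeds only while the TGT is unexpired and inside its renewable window
    # (the "renew until" line); a non-renewable or already expired TGT needs a fresh kinit
    if now < expires and renew_until is not None and renew_until - now > threshold:
        return "renew"
    return "reinit"

def refresh(keytab, principal):
    """Run from cron or a systemd timer: renew when possible, else re-initialise from the keytab."""
    out = subprocess.run(["klist"], capture_output=True, text=True).stdout  # exit code ignored
    action = decide(out, datetime.now())
    if action == "renew":
        subprocess.run(["kinit", "-R"], check=True)
    elif action == "reinit":
        subprocess.run(["kinit", "-kt", keytab, principal], check=True)
    return action
```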

Prevention

  • Set TGT renewable lifetime to at least 7 days for interactive user sessions
  • Configure automatic TGT renewal in the Kerberos client configuration
  • Use keytab-based authentication for services and automated processes
  • Monitor Kerberos ticket expiration and alert before TGTs expire
  • Implement Kerberos health checks that verify KDC connectivity and ticket validity
  • Document Kerberos ticket management procedures in the authentication runbook