"KDC can't fulfill requested option while renewing credentials" errors when running Db2 Big SQL statements on a Kerberized cluster

When running Db2® Big SQL statements on a Kerberized cluster, you might encounter Kerberos key distribution center (KDC) errors about credentials renewal in the bigsql.log file.

Symptoms

The following exception is an example of the type of error that you might encounter:

WARN org.apache.hadoop.security.UserGroupInformation [TGT Renewer 
for bigsql/bigaperf061.svl.ibm.com@IBM.COM] : Exception encountered while running the renewal command 
for bigsql/bigaperf061.svl.ibm.com@IBM.COM. (TGT end time:1537469365000, renewalFailures: 
org.apache.hadoop.metrics2.lib.MutableGaugeInt@d5c962e6,renewalFailuresTotal: 
org.apache.hadoop.metrics2.lib.MutableGaugeLong@abc4d818)
ExitCodeException exitCode=1: kinit: KDC can't fulfill requested option while renewing credentials

Causes

This error occurs when the KDC fails to generate a renewable ticket-granting ticket (TGT).

Resolving the problem

  1. To ensure that a TGT is generated and renewed while Db2 Big SQL processes are running, set the max_renewable_life parameter in the realms section of the /var/kerberos/krb5kdc/kdc.conf file on the Kerberos server. This step is not required on the client side.
    In the following example, max_renewable_life is set to 7 days:
    max_renewable_life = 7d
    For the renewal policy to work, you must also run the following command on the KDC host:
    kadmin.local -q "modprinc -maxrenewlife max_renewable_life_value krbtgt/<REALM_in_CAPS>"
  2. Specify or modify the maximum renewable life of tickets (maxrenewlife) parameter for the service principals so that long-running processes (such as LOAD) can run to completion.
    The following example shows how to modify maxrenewlife for the bigsql and hive service principals on node bdavm750.svl.ibm.com from the kadmin command line prompt. Be sure to modify maxrenewlife for the bigsql and hive service principals on all nodes.
    
    modprinc -maxrenewlife "1 week" +allow_renewable bigsql/bdavm750.ibm.com@IBM.COM
    modprinc -maxrenewlife "1 week" +allow_renewable hive/bdavm750.ibm.com@IBM.COM
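
One way to check the result of the two steps above, as an added example that is not part of the original documentation: the script reads the text printed by kadmin's getprinc and by klist -f and reports whether renewal can work. The sample outputs and the example.com principal names are constructed, and the output formats are assumed to be those of MIT Kerberos.

```shell
#!/bin/sh
# Added example. Sample outputs below are constructed; the text formats are
# assumed to match MIT Kerberos "getprinc" and "klist -f".

# Print "Maximum renewable life" from getprinc output (stdin) in seconds,
# or -1 if the line is missing or not in "N day(s) HH:MM:SS" form.
renew_life_seconds() {
  awk -F': ' '/^Maximum renewable life:/ {
      n = split($2, p, /[ :]+/)
      if (n == 5) { print p[1]*86400 + p[3]*3600 + p[4]*60 + p[5]; ok = 1 }
      exit
    }
    END { if (!ok) print -1 }'
}

# Succeed only if the principal can be issued renewable tickets:
# non-zero renewable life and no DISALLOW_RENEWABLE attribute.
principal_renewable() {
  out=$(cat)
  secs=$(printf '%s\n' "$out" | renew_life_seconds)
  [ "$secs" -gt 0 ] || return 1
  ! printf '%s\n' "$out" | grep -q '^Attributes:.*DISALLOW_RENEWABLE'
}

# Succeed only if the krbtgt entry in "klist -f" output (stdin) carries the
# R (renewable) flag; without it, renewal fails with the error shown above.
tgt_renewable() {
  awk '/krbtgt\// { seen = 1; next }
       seen && /Flags:/ { sub(/.*Flags: */, ""); if ($0 ~ /R/) r = 1; exit }
       END { exit (r ? 0 : 1) }'
}

# Constructed samples: a principal after the fix, one with zero renewable
# life, and a renewable and a non-renewable TGT as listed by klist -f.
GOOD_PRINC='Principal: bigsql/node1.example.com@EXAMPLE.COM
Maximum renewable life: 7 days 00:00:00
Attributes:'
BAD_PRINC='Principal: hive/node1.example.com@EXAMPLE.COM
Maximum renewable life: 0 days 00:00:00
Attributes:'
GOOD_TGT='09/20/18 10:00:00  09/21/18 10:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    renew until 09/27/18 10:00:00, Flags: FRI'
BAD_TGT='09/20/18 10:00:00  09/21/18 10:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    Flags: FI'

for s in "$GOOD_PRINC" "$BAD_PRINC"; do
  printf '%s\n' "$s" | principal_renewable && echo "principal: renewable" || echo "principal: NOT renewable"
done
for s in "$GOOD_TGT" "$BAD_TGT"; do
  printf '%s\n' "$s" | tgt_renewable && echo "TGT: renewable" || echo "TGT: NOT renewable"
done
```

On a live system, pipe the output of kadmin.local -q "getprinc <principal>" into principal_renewable and the output of klist -f into tgt_renewable; tickets issued before the change stay non-renewable until a new TGT is obtained.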