[OpenAFS] Questions regarding AFS ticket lifetime

Lars Schimmer l.schimmer@cgv.tugraz.at
Fri, 20 Apr 2012 09:35:39 +0200

On 2012-04-20 07:52, Anders Nordin wrote:
> Ok,
> Bear with me because I might not have formulated the questions
> correctly, I'm mostly a Windows admin and not entirely up to speed
> on the AFS/Kerberos lingo.
> Environment:
> Windows 7 x64 Enterprise OpenAFS 1.7.1000 (64-bit) Network Identity
> Manager MIT Kerberos for Windows (64-bit) 3.2.2
> 1)
> Why do you need to renew the credentials manually? From what I
> understand Network Identity Manager should handle this (until the
> end of the renewable lifetime of course). Please see the two
> attached images.
> http://staff.www.ltu.se/~kex/renew1.jpg
> http://staff.www.ltu.se/~kex/renew2.jpg
> 2)
> From memory, during our Windows XP days (different OS, different
> OpenAFS, different Network Identity Manager, different MIT Kerberos
> for Windows), just locking and unlocking the computer refreshed the
> AFS ticket.
> How has this changed for Windows 7 and our current setup, as this
> no longer seems to be working?

Remember the 2 different credential caches of Windows - one of the system
at login and one for NetworkID Manager.

On Login you get a ticket/token with the Windows Builtin credential
cache which CANNOT be accessed by Network ID Manager.
Only after you obtained a token manually in NetworkID manager it renews
the token automatically and you can set the token lifetime with Network ID

On logon you can set ticket lifetime in AD controller.

> Anders Nordin IT-Service

Lars Schimmer
--
-------------------------------------------------------------
TU Graz, Institut für ComputerGraphik & WissensVisualisierung
Tel: +43 316 873-5405       E-Mail: l.schimmer@cgv.tugraz.at
Fax: +43 316 873-5402       PGP-Key-ID: 0x4A9B1723
