[OpenAFS] Questions regarding AFS ticket lifetime

Arne Wiebalck Arne.Wiebalck@cern.ch
Fri, 20 Apr 2012 08:22:05 +0000




On Apr 20, 2012, at 9:35 AM, Lars Schimmer wrote:

> On 2012-04-20 07:52, Anders Nordin wrote:
>> Ok,
>>
>> Bear with me because I might not have formulated the questions
>> correctly, I'm mostly a Windows admin and not entirely up to speed
>> on the AFS/Kerberos lingo.
>>
>> Environment:
>>
>> Windows 7 x64 Enterprise
>> OpenAFS 1.7.1000 (64-bit)
>> Network Identity Manager 2.0.1.903
>> MIT Kerberos for Windows (64-bit) 3.2.2
>>
>> 1)
>>
>> Why do you need to renew the credentials manually? From what I
>> understand Network Identity Manager should handle this (until the
>> end of the renewable lifetime of course). Please see the two
>> attached images.
>>
>> http://staff.www.ltu.se/~kex/renew1.jpg
>> http://staff.www.ltu.se/~kex/renew2.jpg
>>
>> 2)
>>
>> From memory, during our Windows XP days (different OS, different
>> OpenAFS, different Network Identity Manager, different MIT Kerberos
>> for Windows), just locking and unlocking the computer refreshed the
>> AFS ticket.
>>
>> How has this changed for Windows 7 and our current setup, as this
>> no longer seems to be working?
>
> Remember the 2 different credential caches of Windows - one of system
> at login and one for NetworkID Manager.
>
> On Login you get a ticket/token with the Windows Builtin credential
> cache which CANNOT be accessed by Network ID Manager.

Sorry if that has been discussed before, but could you remind me what
the technical reason was?

I would guess that other kerberized applications on Windows would need
to access that too, no? (If I am not mistaken, we have tweaked putty, for
instance, to do exactly that).

> Only after you obtained a token manually in NetworkID manager it renews
> the token automatically and you can set the token lifetime with Network ID
> manager.
>
> On logon you can set ticket lifetime in AD controller.
>
>> MVH
>>
>> Anders Nordin IT-Service
>
>
> MfG,
> Lars Schimmer
> - --
> - -------------------------------------------------------------
> TU Graz, Institut für ComputerGraphik & WissensVisualisierung
> Tel: +43 316 873-5405       E-Mail: l.schimmer@cgv.tugraz.at
> Fax: +43 316 873-5402       PGP-Key-ID: 0x4A9B1723