[OpenAFS] Questions regarding AFS ticket lifetime

Jeffrey Altman jaltman@secure-endpoints.com
Fri, 20 Apr 2012 23:42:13 -0400

Automatic renewal in NIM is used at many sites so I think you need
to figure out what tickets you have and what cache is being used.
kinit -R does exactly the same thing that NIM does.

Of course, I don't know why the configuration is set to renew when
there is 1 minute left.
You want to renew when there is much more than one minute.  I think
default is 30 minutes.

On Friday, April 20, 2012 10:25:55 AM, Anders Magnusson wrote:
> Thanks Jeffrey, now a lot of things became clearer :-)
> But to solve this incident; since automatic renew in NIM does not work
> but kinit -R && aklog does work for the API cache, we are planning to
> add this to the Task Scheduler.  Do you see any problem with doing it
> like this?
> -- Ragge
> On 04/20/2012 03:40 PM, Jeffrey Altman wrote:
>> Anders:
>> If you configure the default credential cache to be MSLSA: then the LSA
>> credentials will be used.
>> The functionality (an explorer shell logon hook) that was used to copy
>> credentials at logon no longer exists on Vista and later versions of
>> the operating system.  Since the functionality does not exist, the
>> functions exported from kfwlogon.dll do not get executed and no
>> Kerberos tickets can be copied in to the API: credential cache.
>> I have plans to build a new in kernel credential cache mechanism using
>> the AFS Authentication Groups available in the 1.7.x series.  I have no
>> available resources at the moment to implement it and I can't make a
>> commitment as to when I will.
>> At the moment afslogon.dll will obtain a new AFS token at logon, but it
>> will not be renewable.
>> Jeffrey Altman
>> On Friday, April 20, 2012 9:25:13 AM, Anders Magnusson wrote:
>>> Yes, I have seen that, but that does not explain the behaviour since I
>>> have no wish to fetch things from MSLSA.
>>> Integrated logon works, but fetching new krbtgt at unlock of the login
>>> window does not.
>>> And BTW, importing tickets from MSLSA to API seems to work (pressing
>>> import button).
>>> -- Ragge