[OpenAFS-devel] AFS + Heimdal "afs" principal question
Alf Wachsmann
alfw@SLAC.Stanford.EDU
Mon, 09 Dec 2002 12:41:18 -0800 (PST)
Hi,

I am experimenting a little with converting an AFS cell from kaserver
to Heimdal Krb5 authentication.

In my AFS cell I had a max ticket lifetime of 25 hours.
The "afs" principal in that cell had a max ticket lifetime of 100 hours.

Then I converted my kaserver DB with Heimdal's "hprop" to a Krb5 KDC DB.
The default max ticket life in my Krb5 realm is again 25 hours.

When I do (as a normal user) a "kinit" followed by an "afslog" I get a
Krb5 TGT and AFS token with lifetime 25 hours (as expected).

But when I am using AFS' "klog" directly against my Heimdal KDC compiled
with Krb4 and kaserver support I get an AFS token that is valid 100 hours.

I would like to understand the following two things:

- Why does the "afs" principal in AFS need a 100 hour ticket lifetime?
- What will/can go wrong in my converted cell when I set the ticket
  lifetime by hand down to 25 hours?

Many thanks,
Alf.

In case it matters: Heimdal-0.5.1, kth-krb4-1.2.1, IBM/Transarc AFS
afs3.6 2.39, KDCs run on sun4x_58.

-----------------------------------------------------------------------
Alf Wachsmann | e-mail: alfw@slac.stanford.edu
SLAC Computing Service | Phone: +1-650-926-4802
2575 Sand Hill Road, M/S 97 | FAX: +1-650-926-3329
Menlo Park, CA 94025, USA | Office: Bldg. 50/323
-----------------------------------------------------------------------
http://www.slac.stanford.edu/~alfw (PGP)
-----------------------------------------------------------------------