[OpenAFS-devel] Re: Hack Kerberos / AFS

Harald Barth haba@kth.se
Tue, 29 Sep 2009 12:12:18 +0200 (CEST)


> > - the client SSHes onto a machine and is granted an AFS token obtained with aklog.

I'd recommend SSH with GSSAPIKeyExchange and forwarded credentials.

> > At this very step, the user has the Ticket Granting Ticket
> > krbtgt/REALM@REALM ticket and the afs/cell@REALM Ticket Granting
> > Service. It also has an AFS Token obtained with aklog.

> > - the user will then submit a job to our Batch system.

> > - the job will be processed X hours/minutes later and could last a long time.

> > Our problem is that some jobs could last more than the AFS token lifetime.
> > Once this lifetime is expired, jobs could not access AFS filesystems anymore and will abort.

I'd give the principal a long renewable-life and use kinit --renew at
job start. If the ticket cannot be renewed it is either because you
have exceeded the renewable-life (misconfiguration) or because some
admin has turned off that principal (for example for security reasons
which have turned up between ticket issue point and renew point).

Harald.
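A job wrapper that puts the renew-at-start advice from this reply into practice, added here as an illustration and not code from the original thread or from OpenAFS: it renews the TGT and refreshes the AFS token with aklog before the job starts, then keeps doing so from a background loop while the job runs, and stops the job with an error when kinit refuses to renew (renewable-life exhausted or principal disabled, the two causes named above). It assumes Heimdal's `kinit --renew` (MIT Kerberos uses `kinit -R`; the `KINIT_RENEW_FLAG` variable, the `renew_interval` helper and the `RUN_JOB`/`TICKET_LIFETIME` variables are this script's own assumptions), and that the ticket was issued renewable in the first place.

```shell
#!/bin/sh
# Wrap a batch job so its Kerberos TGT is renewed and its AFS token refreshed
# while the job runs. Constructed example; KINIT_RENEW_FLAG, renew_interval,
# RUN_JOB and TICKET_LIFETIME are assumptions of this script.

# Heimdal spells the renew option --renew, MIT kinit spells it -R.
KINIT_RENEW_FLAG="${KINIT_RENEW_FLAG:---renew}"

# Choose how often to renew: half the ticket lifetime in seconds, clamped to
# [min, max] so a short ticket is still renewed before it expires and a long
# one does not go unrefreshed for hours. Defaults: 5 minutes .. 1 hour.
renew_interval() {
    lifetime=$1; min=${2:-300}; max=${3:-3600}
    half=$((lifetime / 2))
    if [ "$half" -lt "$min" ]; then
        echo "$min"
    elif [ "$half" -gt "$max" ]; then
        echo "$max"
    else
        echo "$half"
    fi
}

# Renew the TGT, then derive a fresh AFS token from it. A failing kinit means
# the renewable-life has been exceeded or the principal was disabled, so the
# caller should treat it as fatal rather than retry forever.
refresh_credentials() {
    if ! kinit "$KINIT_RENEW_FLAG"; then
        echo "kinit renew failed: renewable-life exhausted or principal disabled" >&2
        return 1
    fi
    aklog
}

# Run the job in the foreground; a background loop (same credential cache and
# same PAG, since it is forked from this process) keeps the credentials fresh.
run_with_renewal() {
    interval=$1; shift
    refresh_credentials || return 1
    (
        while :; do
            sleep "$interval"
            refresh_credentials || exit 1
        done
    ) &
    renewer=$!
    "$@"; rc=$?
    kill "$renewer" 2>/dev/null
    return "$rc"
}

# Only start the real loop when explicitly requested, e.g.
#   RUN_JOB=1 TICKET_LIFETIME=36000 sh renew-wrapper.sh ./my-batch-job --args
# so that sourcing the file for its functions has no side effects.
if [ "${RUN_JOB:-0}" = 1 ]; then
    run_with_renewal "$(renew_interval "${TICKET_LIFETIME:-36000}")" "$@"
fi
```

The interval is deliberately well inside the ticket lifetime: renewal only works while the current ticket is still valid, so renewing at half-life leaves a full half lifetime of slack for a batch node that was suspended or a KDC that was briefly unreachable. Because the job itself runs in the foreground, the wrapper's exit status is the job's, which lets the batch system see the real outcome.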