[OpenAFS] Token Lifetime
Kevin Coffman
kwc@citi.umich.edu
Mon, 30 Sep 2002 17:30:19 -0400
The Windows client requests a "MAX_LIFETIME" ticket lifetime by
default. It looks like you are using an MIT K5 KDC? If so, then there
is a mismatch between the lifetime values that AFS uses and what the
MIT KDC uses. (MIT code uses a straight 5 minutes per "tick" while
the AFS code uses a graduated scale where values past 0x7f increase the
lifetime by more than 5 minutes.)
Note that the windows client talks directly to the K4 KDC via UDP,
while most Unix clients use the RX protocol for AFS authentication.
(Unless you are using aklog. In that case, you're not really using the
K4 code within the KDC.)
We've made mods to the K4 code within the MIT code we run here to
expect the AFS lifetime values since we migrated from a kaserver
environment where all our clients were already using AFS lifetime
values.
One other problem we have seen is that the max lifetime for the
afs@REALM service was out of whack after migrating a kaserver database.
For some reason, this only affected Windows clients. Setting the
afs@REALM maxlife fixed up the windows clients.
HTH,
K.C.
>On Mon, Sep 30, 2002 at 10:23:18AM -0500, Neulinger, Nathan wrote:
>> What do you have set for the lifetime of the "afs" principal? That
>> will also limit the max life.
>>
>> usable life by user < max life for user < max life of afs@REALM < max
>> lifetime allow by kdc
>maxlife-kdc: 1d 0h 0m 0s
>maxlife-afs@REALM: 2d 0h 0m 0s
>maxlife-my_principal: 1d 0h 0m 0s
>
>If I use kinit or "kinit -l 24h", I always get a
>10-hour ticket.
>
>As long as maxlife-my_principal is higher than
>10h, openafs-win32 doesn't like me
>(expiration date 01.01.1601 ...) :-( .
>
>FBO
>_______________________________________________
>OpenAFS-info mailing list
>OpenAFS-info@openafs.org
>https://lists.openafs.org/mailman/listinfo/openafs-info
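The lifetime-byte mismatch Kevin describes, as an added example written for this page (it is not code from OpenAFS, MIT Kerberos or the list post). A K4 ticket carries its lifetime as a single byte; the MIT side decodes every byte as 5 minutes per tick, while the AFS side is linear only up to 0x7f and then switches to a graduated table. The table below is regenerated from the formula `38400 * 1.06914489**i` (rounded), and the boundaries 0x80..0xbf, the 30-day cap above 0xbf and 0xff meaning "never expires" are my assumptions about how the krb4 lifetime code is laid out, not statements from the message. The encoder `afs_seconds_to_life` picks the largest byte whose decoded lifetime does not exceed the request, which is my conservative choice rather than a documented algorithm.

```python
# Added example (not from the list post): contrast the MIT K4 and AFS K4
# interpretations of the one-byte ticket lifetime, so a defender can see
# exactly which bytes decode differently on the two sides.

TICK_SECONDS = 5 * 60          # both sides: 5 minutes per tick in the linear range
LINEAR_MAX = 0x7F              # AFS: last byte decoded linearly (assumption)
TABLE_MIN, TABLE_MAX = 0x80, 0xBF  # AFS: graduated table range (assumption)
NO_EXPIRE = 0xFF               # AFS: "never expires" marker (assumption)
MAX_LIFETIME = 30 * 24 * 3600  # AFS: cap for bytes above the table (assumption)

# Graduated table, regenerated from the geometric formula (assumption: this is
# how the krb4 lifetime table is built; values are rounded to whole seconds).
AFS_TABLE = [round(38400 * 1.06914489 ** i) for i in range(TABLE_MAX - TABLE_MIN + 1)]


def _check_byte(byte):
    if not 0 <= byte <= 0xFF:
        raise ValueError("lifetime byte must be 0..255, got %r" % (byte,))


def mit_life_to_seconds(byte):
    """MIT K4 decoding: a straight 5 minutes per tick, whatever the byte."""
    _check_byte(byte)
    return byte * TICK_SECONDS


def afs_life_to_seconds(byte):
    """AFS K4 decoding: linear up to 0x7f, graduated table above it.

    Returns None for the "never expires" byte.
    """
    _check_byte(byte)
    if byte == NO_EXPIRE:
        return None
    if byte <= LINEAR_MAX:
        return byte * TICK_SECONDS
    if byte > TABLE_MAX:
        return MAX_LIFETIME
    return AFS_TABLE[byte - TABLE_MIN]


def mit_seconds_to_life(seconds):
    """MIT-style encoding: integer ticks, clamped to the byte range."""
    return min(seconds // TICK_SECONDS, 0xFF)


def afs_seconds_to_life(seconds):
    """Largest AFS byte whose decoded lifetime does not exceed the request."""
    if seconds <= LINEAR_MAX * TICK_SECONDS:
        return seconds // TICK_SECONDS
    best = LINEAR_MAX
    for i, life in enumerate(AFS_TABLE):
        if life <= seconds:
            best = TABLE_MIN + i
        else:
            break
    return best


def mismatched_bytes(lo=0, hi=0xFE):
    """Lifetime bytes (excluding 0xff) that the two sides decode differently."""
    return [b for b in range(lo, hi + 1)
            if mit_life_to_seconds(b) != afs_life_to_seconds(b)]


def explain_request(seconds):
    """Show what a client asking for `seconds` gets under each encoding."""
    mit_byte = mit_seconds_to_life(seconds)
    afs_byte = afs_seconds_to_life(seconds)
    return {
        "requested": seconds,
        "mit_byte": mit_byte,
        # the same MIT-encoded byte as an AFS client would read it
        "mit_byte_read_by_afs": afs_life_to_seconds(mit_byte),
        "afs_byte": afs_byte,
        # the same AFS-encoded byte as an MIT client would read it
        "afs_byte_read_by_mit": mit_life_to_seconds(afs_byte),
    }


if __name__ == "__main__":
    # The 10-hour ticket from the thread sits inside the linear range, so both
    # sides agree on it; a 24-hour request does not.
    for req in (10 * 3600, 24 * 3600):
        print(explain_request(req))
    bad = mismatched_bytes()
    print("first byte the two sides disagree on: 0x%02x" % bad[0])
```

The 10-hour ticket in the thread encodes to 0x78 and decodes identically on both sides, which is consistent with the complaint only appearing once the allowed lifetime goes past 10 hours: beyond 0x80 the two decoders diverge on every byte, so a lifetime byte written by one implementation and read by the other yields an expiry the client never asked for.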