[OpenAFS] token lifetime

Richard Wallace rwallace@a--i--m.com
12 Jul 2003 11:40:07 -0700


Hello all,

I'm about ready to switch my home network over to using OpenAFS instead
of NFS for sharing files.  I've got it working happily with mit-krb5 and
ldap and things are running pretty smoothly in the tests I've run.  

Since it is a home network I wanted to lengthen the lifetime of the krb5
tickets and afs tokens.  Just to have a nice round number, I went with a
year for now.  I made the modifications to the kdc.conf file so max_life
and max_renewable_life are both "365d 0h 0m 0s".  I set the lifetime on
all the principals in the krb5 database and changed the configuration of
pam_krb5afs in the krb5.conf file to reflect these changes.

The krb5 ticket I get has the right lifetime of 1 year, but the krb4
tickets don't and neither do the afs tokens.  I'm not concerned about
the krb4 tickets cause they're not used except during the initial token
grabbing, AFAIK.  At least, I can 'kdestroy -4' and nothing bad seems to
happen.

Here's the output of klist and tokens.

klist:
Ticket cache: FILE:/tmp/krb5cc_1000_mNdEgh
Default principal: rwallace@HABITAT.THEWALLACEPACK.NET
 
Valid starting     Expires            Service principal
07/12/03 11:24:32  07/11/04 11:24:32 
krbtgt/HABITAT.THEWALLACEPACK.NET@HABITAT.THEWALLACEPACK.NET
        renew until 07/11/04 11:24:32
 
 
Kerberos 4 ticket cache: /tmp/tkt1000_ZNAuPj
Principal: rwallace@HABITAT.THEWALLACEPACK.NET
 
  Issued              Expires             Principal
07/12/03 11:24:32  07/13/03 08:39:32 
krbtgt.HABITAT.THEWALLACEPACK.NET@HABITAT.THEWALLACEPACK.NET
07/12/03 11:24:32  07/13/03 03:24:32 
afs.habitat.thewallacepack.net@HABITAT.THEWALLACEPACK.NET

tokens:
 
Tokens held by the Cache Manager:
 
Tokens for afs@habitat.thewallacepack.net [Expires Aug 11 11:24]
   --End of list--


It seems the afs token has a max life of a month, but I haven't found
anywhere that this is set.  Any ideas?

Thanks bunches,
Rich
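
Added example, not part of the original post: a Python sketch that measures the effective lifetimes in the klist and tokens output quoted above, so the gap between the configured year and what each credential actually received is explicit. The function names are illustrative, and the token's start time is assumed to equal the ticket issue time, since `tokens` prints only an expiry with no year.

```python
import re
from datetime import datetime, timedelta

# Output copied from the post, including the mail-wrapped principal lines.
KLIST = """\
Valid starting     Expires            Service principal
07/12/03 11:24:32  07/11/04 11:24:32
krbtgt/HABITAT.THEWALLACEPACK.NET@HABITAT.THEWALLACEPACK.NET
        renew until 07/11/04 11:24:32
  Issued              Expires             Principal
07/12/03 11:24:32  07/13/03 08:39:32
krbtgt.HABITAT.THEWALLACEPACK.NET@HABITAT.THEWALLACEPACK.NET
07/12/03 11:24:32  07/13/03 03:24:32
afs.habitat.thewallacepack.net@HABITAT.THEWALLACEPACK.NET
"""
TOKENS = "Tokens for afs@habitat.thewallacepack.net [Expires Aug 11 11:24]"

STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
# \s+ also spans a line break, so wrapped entries still parse.
TICKET_RE = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S+)$", re.M)
TOKEN_RE = re.compile(r"^Tokens for (\S+) \[Expires (\w{3} +\d+ \d\d:\d\d)\]", re.M)

def ticket_lifetimes(klist_text):
    """Map each service principal to (expires - starts)."""
    fmt = "%m/%d/%y %H:%M:%S"
    return {principal: datetime.strptime(end, fmt) - datetime.strptime(start, fmt)
            for start, end, principal in TICKET_RE.findall(klist_text)}

def token_lifetimes(tokens_text, obtained):
    """Map each token to its lifetime, assuming it was obtained at `obtained`."""
    start = obtained.replace(second=0, microsecond=0)  # tokens shows minutes only
    out = {}
    for name, expires in TOKEN_RE.findall(tokens_text):
        # No year is printed: take the first such date at or after the start.
        for year in (start.year, start.year + 1):
            end = datetime.strptime(f"{year} {expires}", "%Y %b %d %H:%M")
            if end >= start:
                break
        out[name] = end - start
    return out

def below(lifetimes, wanted):
    """Names of credentials whose lifetime is shorter than `wanted`."""
    return sorted(name for name, life in lifetimes.items() if life < wanted)

if __name__ == "__main__":
    lives = ticket_lifetimes(KLIST)
    lives.update(token_lifetimes(TOKENS, datetime(2003, 7, 12, 11, 24, 32)))
    for name, life in lives.items():
        print(f"{life!s:>20}  {name}")
    print("shorter than a year:", below(lives, timedelta(days=365)))
```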