[OpenAFS] default token lifetime in Windows OpenAFS client

scorch scorch@muse.net.nz
Fri, 07 Oct 2005 23:05:50 +0200 

Dj Merrill said the following on 2005-10-07 22:43:

>Hi all,
>	I think I am just too close to this and am missing something
>obvious, and I'm hoping one of you can point me in the right direction.
>We have a completely working system under Linux - OpenAFS 1.2.13,
>Kerberos 5 auth, and when Linux clients login they get the appropriate
>Kerberos tickets and the AFS tokens are the default 25 hours.
>I have the maxlifetime set to 30 days for some of our more
>computationally intensive users that run jobs spanning several days,
>and they can obtain the extended life tokens just fine.
>	
>	We are incorporating Windows XP machines into the AFS system,
>and we've installed MIT Kerberos for Windows 2.6.5, and OpenAFS
>client 1.4 rc6.  Things seem to be working okay with integrated login,
>etc, however, the default lifetime of the AFS tokens are 30 days.
>How can I get the AFS tokens obtained from the Windows OpenAFS
>client to be 25 hours, with the option of the user getting an
>extended token of up to 30 days if they wish?
>
>Thanks,
>
>-Dj
>_______________________________________________
>OpenAFS-info mailing list
>OpenAFS-info@openafs.org
>https://lists.openafs.org/mailman/listinfo/openafs-info
>  
>
hi Dj,

I'm not too clear on whether its the krb token that needs a longer
lifetime, or the afs token that is different to the krb one. on this
cell, they are the same.

> A:\.muse.net.nz\home\wavey \\afs\all
> ::  klist
> Ticket cache: API:krb5cc
> Default principal: wavey@MUSE.NET.NZ
>
> Valid starting     Expires            Service principal
> 10/07/05 23:03:02  10/08/05 23:03:02  krbtgt/MUSE.NET.NZ@MUSE.NET.NZ
>         renew until 10/12/05 23:03:04
>
>
> Kerberos 4 ticket cache: API:krb4cc
> klist: No ticket file (tf_util)
>
> A:\.muse.net.nz\home\wavey \\afs\all
> ::


in which case, perhaps is this what you are looking for?

leash -> options -> kerberos properties -> ticket lifetime.

FYI these are stored in the user reg:
HKEY_CURRENT_USER\Software\MIT\Leash\
    life* and renew*
so it should be straightforward to roll out (or lock down) these
settings by default - regini works well for this @
http://support.microsoft.com/?kbid=237607 after a regdmp of a correctly
configured box.

cheers, scorch
--
out of the frying pan and into the fire