[OpenAFS] default token lifetime in Windows OpenAFS client

Dj Merrill deej@thayer.dartmouth.edu
Mon, 10 Oct 2005 14:06:29 -0400


scorch wrote:

> hi Dj,
> 
> I'm not too clear on whether it's the krb token that needs a longer
> lifetime, or the afs token that is different to the krb one. on this
> cell, they are the same.

Hi there,
	Specifically, I am referring to the AFS token default lifetime,
not the Krb5 or 4 ticket lifetime on the Windows client.


> in which case, perhaps is this what you are looking for?
> 
> leash -> options -> kerberos properties -> ticket lifetime.

	I tried messing with that prior to posting, but it does not seem
to have any effect at all on the AFS token lifetime.  The AFS token
lifetime gets set to whatever the maximum lifetime is set to,
rather than the default of 25 hours like my Linux machines.
To clarify, I think it seems to get set to the value of "max_life"
within the [realms] section of my kdc.conf.

	The Leash software shows no Krb5 ticket, and says Krb4
is not available, which I believe is correct for our environment
(we are using only Krb5, not Krb4, and we are not using Kerberos
for logins on the Windows clients.  We have the OpenAFS client set
for integrated logins, and in this case the Windows login acct/password
and the Kerberos acct/password have the same values).  It shows the
correct AFS token, but it is for 27 days, 23 hours if I did the math
correctly (login at 1:35pm on 10 Oct 2005, AFS token expiration of 12:35 pm
07 Nov 2005).  The AFS client software shows the same thing with regard
to the AFS token.

	Where does the default AFS token lifetime get set with
the OpenAFS for Windows client software?

	I feel like I might be overlooking something obvious somewhere...

Thanks,

-Dj