[OpenAFS] default token lifetime in Windows OpenAFS client

Dj Merrill deej@thayer.dartmouth.edu
Mon, 10 Oct 2005 15:30:04 -0400


Jeffrey Altman wrote:

> The lifetime of the AFS tokens is equivalent to the lifetime of the
> Kerberos 5 TGT that you obtain from the KDC.   If you use Leash to
> obtain your Kerberos 5 TGT, then you can specify the lifetime you
> want for that TGT and all service tickets obtained with it.
> 
> The OpenAFS System Tray Tool (afscreds.exe) does not have any user
> interface for specifying the lifetime of tickets or tokens.  The
> lifetimes used for Kerberos 5 TGTs and service tickets are those set by
> Leash in the registry.   See the KFW Release Notes for details.
> 
> Jeffrey Altman

Hi Jeffrey,
	Thanks for the assist!

The Release notes claim:

Leash32 DLL
default lifetime (minutes)

   1. Use LIFETIME environment value if defined.
   2. Otherwise, use value from registry
      (HKCU\Software\MIT\Leash,lifetime) if present.
   3. Otherwise, use value from registry
      (HKLM\Software\MIT\Leash,lifetime) if present.
   4. Otherwise, use Kerberos 5 profile if present
   5. Otherwise, use resource string if present.
   6. Otherwise, default to 0.


	In our environment, the LIFETIME variable is not set.
The HKCU\Software\MIT\Leash,lifetime is present, and is set to
1500, which the notes say is minutes, so 25 hours.
The HKLM\Software\MIT\Leash,lifetime is not present.

	Accordingly, we should be getting 25-hour tokens, correct?
Is anyone else seeing this with OpenAFS 1.4 rc6 for Windows
and MIT KFW 2.6.5?

	Note that if I open the Leash GUI, it tells me that
I do not have any Kerberos 4 or 5 tickets, just the
AFS tokens.  Do I have a configuration issue perhaps?
Other than the AFS token lifetime, the rest seems to be working
exactly as we want, I believe.

	Interestingly enough, if I open the OpenAFS tray tool, and
manually discard tokens, then obtain new tokens, I get a token
lifetime of 5 days, 5 hours (125 hours, or 7500 minutes).
I can't figure out where this value is coming from at all.
Why would this get a different token lifetime than the
integrated login?

	If I manually Initialize Tickets from within the
Leash GUI, I get a Krb 5 ticket good for 21 hours, and I get an
AFS token that has a lifetime of 21 hours (not 25).

	I'm getting a bit confused.  I'm aiming for a configuration
where people are able to log in at the Windows login prompt,
and automatically get an AFS token (integrated login) with a
default lifetime of 25 hours, without ever having to type their
password a second time.

-Dj
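An added diagnostic for the lookup order quoted from the release notes above; it is not code from this thread, from MIT KfW or from OpenAFS. It walks steps 1 to 3 on the Windows client and reports which source is in effect, assuming the registry path and value name exactly as the notes give them; the krb5 profile and resource-string steps are reported only as the fallback.

```powershell
# Added example: walk steps 1-3 of the Leash32 "default lifetime" lookup
# order quoted from the KFW release notes and report which source wins.
# Not code from the thread, MIT KfW or OpenAFS. Assumes the registry key
# and value name exactly as the notes state them (Software\MIT\Leash, "lifetime").

function Get-LeashLifetimeSource {
    # Step 1: LIFETIME environment variable, if defined.
    $envValue = [Environment]::GetEnvironmentVariable('LIFETIME')
    if (-not [string]::IsNullOrEmpty($envValue)) {
        return [pscustomobject]@{ Source = 'LIFETIME environment variable'; Minutes = [int]$envValue }
    }

    # Steps 2 and 3: HKCU\Software\MIT\Leash, then HKLM\Software\MIT\Leash.
    foreach ($hive in 'HKCU', 'HKLM') {
        $key  = "${hive}:\Software\MIT\Leash"
        $item = Get-ItemProperty -Path $key -Name lifetime -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Source = "$key\lifetime"; Minutes = [int]$item.lifetime }
        }
    }

    # Steps 4-6 would apply next: krb5 profile, resource string, or 0.
    return [pscustomobject]@{
        Source  = 'not set in env, HKCU or HKLM (krb5 profile, resource string, or 0 applies)'
        Minutes = $null
    }
}

$r = Get-LeashLifetimeSource
if ($null -eq $r.Minutes) {
    "Lifetime source: $($r.Source)"
} else {
    # The value is in minutes; 1500 is the 25 hours discussed in the thread.
    # Whatever wins here is only what the client requests: the KDC still
    # applies its own maximum ticket lifetime when it issues the TGT.
    $hours = [math]::Round($r.Minutes / 60, 2)
    "Lifetime source: $($r.Source) = $($r.Minutes) minutes ($hours hours)"
}

# The AFS token lifetime follows the Kerberos 5 TGT, so show the ticket
# cache as well if an MIT klist is on the PATH.
if (Get-Command klist -ErrorAction SilentlyContinue) {
    klist
}
```

Run it in the affected user's own session, since step 2 reads that user's HKCU hive.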