[OpenAFS] OpenAFS implementation questions.

Frank Burkhardt fbo2@gmx.net
Fri, 26 May 2006 10:31:13 +0200


On Thu, May 25, 2006 at 12:23:01PM -0700, Brady Catherman wrote:
> I am currently considering moving our environment to OpenAFS but before I
> can switch I need to make sure a few things are going to keep working..
> We have users that use our systems for months on end without logging off
> and I am concerned that the kerberos ticket they are being issued will
> expire. Having them log back into kerberos/openafs isn't really a good
> option for us (I am having a hard enough time selling even the basic
> conversion, let alone anything that requires user action!)

Use some kind of reauthentication. On one of my AFS clients there are 4
processes running *always* (they start when the computer boots up and
terminate only when the computer is going to reboot). I'm using a
self-written tool "tokenmgr" which knows how to execute kinit, aklog and
some other programs in the right way to ensure that a valid token is always
available. In most cases, I'm using keytabs to provide the necessary
Kerberos credentials.

A different method can be used for interactive or "semi-interactive"
sessions. When someone logs in by ssh, he would just type 'tokenmgr -R' (and
enter his password twice) to get an arbitrary number of virtual terminals
(using the almighty 'screen' command). All programs run in those terminals
will always have a valid token.
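
An added example, not part of the original post and not the author's tokenmgr: a minimal keytab-based refresh loop of the kind described above, running kinit and then aklog on a timer and refusing a keytab that group or other can access. The principal, keytab path and intervals are assumptions.

```shell
#!/bin/sh
# Added example: keep a Kerberos TGT and an AFS token fresh from a keytab.
# Principal, keytab path and intervals are assumptions, not from the post.
PRINCIPAL="${PRINCIPAL:-svc-batch@EXAMPLE.ORG}"   # constructed principal
KEYTAB="${KEYTAB:-/etc/krb5.keytab.svc-batch}"    # constructed path
KINIT="${KINIT:-kinit}"
AKLOG="${AKLOG:-aklog}"
INTERVAL="${INTERVAL:-3600}"   # normal refresh period, well under ticket lifetime
RETRY="${RETRY:-60}"           # shorter period after a failed refresh

# A keytab holds a long-term key: accept it only if group and other
# have no permission bits set (characters 5-10 of the ls mode string).
keytab_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# One refresh: new TGT from the keytab, then a new AFS token from that TGT.
# Exit status: 0 ok, 2 keytab rejected, 3 kinit failed, 4 aklog failed.
refresh_once() {
    keytab_is_private "$KEYTAB" || { echo "refusing keytab $KEYTAB" >&2; return 2; }
    "$KINIT" -k -t "$KEYTAB" "$PRINCIPAL" || return 3
    "$AKLOG" || return 4
}

# Seconds to sleep after a refresh that exited with status $1:
# retry quickly after a failure so a brief KDC outage does not outlast the token.
next_delay() {
    if [ "$1" -eq 0 ]; then echo "$INTERVAL"; else echo "$RETRY"; fi
}

refresh_loop() {
    while :; do
        status=0
        refresh_once || status=$?
        sleep "$(next_delay "$status")"
    done
}

# Run the loop only when asked to, so the functions can be sourced and tested.
if [ "${1:-}" = "--loop" ]; then refresh_loop; fi
```

Run it with `--loop` from an init script or process supervisor; without that argument it only defines the functions.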