[OpenAFS] refresh initial tokens

Brandon S. Allbery KF8NH allbery@ece.cmu.edu
Fri, 2 Feb 2007 11:44:23 -0500

On Feb 2, 2007, at 8:16 , Ronny Blomme wrote:

> I am setting up openafs-1.4.2 client and server on FC4 with  
> heimdal-0.7.2. I replaced the kas-server with kdc.
> When I login to this server with ssh, I get tickets/tokens (via / 
> etc/pam.d/sshd).
> These initial tokens can be refreshed once with "kinit -R", but the  
> new tickets have no "Flag=R" and so these tokens cannot be refreshed:
> # kinit -R
> kinit: krb5_get_kdc_cred: KDC can't fulfill requested option
> When I get renewable tokens with
> # kinit --renewable
> the "Flag=R" does not disapear, and I can "kinit -R" serveral times.
> I think something is wrong with my pam-setup, but I have no idea...

That has nothing to do with PAM; it's just that kinit defaults to not  
getting renewable tickets --- even if you're renewing a renewable  
ticket.  We patched our kinit to default to renewable, since it's  
apparently considered evil to make that configurable :/  (heimdal  
used to make it configurable....)

brandon s. allbery    [linux,solaris,freebsd,perl]     allbery@kf8nh.com
system administrator [openafs,heimdal,too many hats] allbery@ece.cmu.edu
electrical and computer engineering, carnegie mellon university    KF8NH