[OpenAFS] refresh initial tokens
Brandon S. Allbery KF8NH
allbery@ece.cmu.edu
Fri, 2 Feb 2007 11:44:23 -0500
On Feb 2, 2007, at 8:16, Ronny Blomme wrote:
> I am setting up openafs-1.4.2 client and server on FC4 with
> heimdal-0.7.2. I replaced the kas-server with kdc.
> When I log in to this server with ssh, I get tickets/tokens (via
> /etc/pam.d/sshd).
> These initial tokens can be refreshed once with "kinit -R", but the
> new tickets have no "Flag=R" and so these tokens cannot be refreshed:
> # kinit -R
> kinit: krb5_get_kdc_cred: KDC can't fulfill requested option
>
> When I get renewable tokens with
> # kinit --renewable
> the "Flag=R" does not disappear, and I can "kinit -R" several times.
>
> I think something is wrong with my pam-setup, but I have no idea...
That has nothing to do with PAM; it's just that kinit defaults to not
getting renewable tickets --- even if you're renewing a renewable
ticket. We patched our kinit to default to renewable, since it's
apparently considered evil to make that configurable :/ (heimdal
used to make it configurable....)
--
brandon s. allbery [linux,solaris,freebsd,perl] allbery@kf8nh.com
system administrator [openafs,heimdal,too many hats] allbery@ece.cmu.edu
electrical and computer engineering, carnegie mellon university KF8NH