[OpenAFS] refresh initial tokens

Jeffrey Hutzelman jhutz@cmu.edu
Fri, 02 Feb 2007 11:54:52 -0500

On Friday, February 02, 2007 02:16:27 PM +0100 Ronny Blomme 
<Ronny.Blomme+afsinfo@elis.ugent.be> wrote:

> I am setting up openafs-1.4.2 client and server on FC4 with
> heimdal-0.7.2. I replaced the kas-server with kdc. When I login to this
> server with ssh, I get tickets/tokens (via /etc/pam.d/sshd). These
> initial tokens can be refreshed once with "kinit -R", but the new tickets
> have no "Flag=R" and so these tokens cannot be refreshed:
># kinit -R
> kinit: krb5_get_kdc_cred: KDC can't fulfill requested option
> When I get renewable tokens with
># kinit --renewable
> the "Flag=R" does not disapear, and I can "kinit -R" serveral times.

Not really an AFS question, but yes, this is how it works.
Only renewable tickets can be renewed; if you want the renewed ticket to 
itself be renewable, you will have to run 'kinit -R --renewable'.  Note 
that the KDC may choose not to allow this.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA