[OpenAFS] refresh initial tokens
Ronny Blomme
Ronny.Blomme+afsinfo@elis.ugent.be
Sat, 03 Feb 2007 15:19:03 +0100
Citeren Jeffrey Hutzelman <jhutz@cmu.edu>:
>
>
> On Friday, February 02, 2007 02:16:27 PM +0100 Ronny Blomme
> <Ronny.Blomme+afsinfo@elis.ugent.be> wrote:
>
>> I am setting up openafs-1.4.2 client and server on FC4 with
>> heimdal-0.7.2. I replaced the kaserver with kdc. When I login to this
>> server with ssh, I get tickets/tokens (via /etc/pam.d/sshd). These
>> initial tokens can be refreshed once with "kinit -R", but the new tickets
>> have no "Flag=3DR" and so these tokens cannot be refreshed:
>> # kinit -R
>> kinit: krb5_get_kdc_cred: KDC can't fulfill requested option
>>
>> When I get renewable tokens with
>> # kinit --renewable
>> the "Flag=3DR" does not disapear, and I can "kinit -R" serveral times.
>
> Not really an AFS question, but yes, this is how it works.
> Only renewable tickets can be renewed; if you want the renewed ticket
> to itself be renewable, you will have to run 'kinit -R --renewable'.
> Note that the KDC may choose not to allow this.
I don't understand: what is the difference between the tickets I get =20
after logging in with ssh, and those I get with "kinit --renewable"? =20
They both are renewable since they have the R-flag. But the first =20
(ssh) one is only renewable once, the second one (kinit --renewable) =20
are renewable several times with "kinit -R". Can somebody explain this?
And how should I modify my configuration to allow several "kinit -R" =20
after login without giving my password?
--=20
Ronny Blomme - Ronny.Blomme@elis.UGent.be
system manager
IMEC/INVOMEC - UGent/ELIS
ELIS - Ghent University - Ghent, Belgium
tel: +32/9/264.42.35 fax: +32/9/264.35.94 gsm: 0472/27.99.67
http://www.elis.UGent.be/RonnyBlomme
***********************************************************************
This e-mail and/or its attachments may contain confidential information.
It is intended solely for the intended addressee(s). Any use of the
information contained herein by other persons is prohibited.
Both IMEC vzw and Ghent University do not accept any liability for the
contents of this mail and/or its attachments.
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.