[OpenAFS] refresh initial tokens

Ronny Blomme Ronny.Blomme+afsinfo@elis.ugent.be
Sat, 03 Feb 2007 15:33:34 +0100


$ ssh rb2@arabier
rb2@arabier's password:
Last login: Thu Feb  1 18:25:23 2007 from xxxxx.elis.ugent.be
Terminal type? [dtterm]
-bash-3.00$ klist -f
Credentials cache: FILE:/tmp/krb5cc_10104_yg1T5z
         Principal: rb2@ELIS.UGENT.BE

   Issued           Expires        Flags    Principal
Feb  3 15:27:36  Feb  4 16:27:36  FRI    krbtgt/ELIS.UGENT.BE@ELIS.UGENT.BE
-bash-3.00$ kinit -R
-bash-3.00$ klist -f
Credentials cache: FILE:/tmp/krb5cc_10104_yg1T5z
         Principal: rb2@ELIS.UGENT.BE

   Issued           Expires        Flags    Principal
Feb  3 15:28:08  Feb  4 16:27:36         krbtgt/ELIS.UGENT.BE@ELIS.UGENT.BE
Feb  3 15:28:08  Feb  4 16:27:36         afs@ELIS.UGENT.BE


>>>>>> why did the R-flag disappear?

-bash-3.00$ kinit -R
kinit: krb5_get_kdc_cred: KDC can't fulfill requested option
-bash-3.00$ kinit --renewable
rb2@ELIS.UGENT.BE's Password:
-bash-3.00$ klist -f
Credentials cache: FILE:/tmp/krb5cc_10104_yg1T5z
         Principal: rb2@ELIS.UGENT.BE

   Issued           Expires        Flags    Principal
Feb  3 15:28:32  Feb  4 01:28:32  RI     krbtgt/ELIS.UGENT.BE@ELIS.UGENT.BE
Feb  3 15:28:32  Feb  4 01:28:32         afs@ELIS.UGENT.BE
-bash-3.00$ kinit -R
-bash-3.00$ kinit -R
-bash-3.00$ klist -f
Credentials cache: FILE:/tmp/krb5cc_10104_yg1T5z
         Principal: rb2@ELIS.UGENT.BE

   Issued           Expires        Flags    Principal
Feb  3 15:28:45  Feb  4 01:28:45  R      krbtgt/ELIS.UGENT.BE@ELIS.UGENT.BE
Feb  3 15:28:45  Feb  4 01:28:45         afs@ELIS.UGENT.BE
-bash-3.00$

Quoting Jeffrey Altman <jaltman@secure-endpoints.com>:

> Ronny Blomme wrote:
>> I don't understand: what is the difference between the tickets I get
>> after logging in with ssh, and those I get with "kinit --renewable"?
>
> Compare them by using 'klist -f'.
>
> What are the differences between the tickets?
>
>> They both are renewable since they have the R-flag. But the first (ssh)
>> one is only renewable once, the second one (kinit --renewable) is
>> renewable several times with "kinit -R". Can somebody explain this?
>> And how should I modify my configuration to allow several "kinit -R"
>> after login without giving my password?
>
> A ticket is only renewable if it is not expired and if the renew
> lifetime has not been reached.
>
> Jeffrey Altman
>



-- 
Ronny Blomme - Ronny.Blomme@elis.UGent.be
system manager
IMEC/INVOMEC - UGent/ELIS
ELIS - Ghent University - Ghent, Belgium
tel: +32/9/264.42.35 fax: +32/9/264.35.94 gsm: 0472/27.99.67
http://www.elis.UGent.be/RonnyBlomme

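An added example, not part of the original message and not OpenAFS or Kerberos project code: a small Python parser for the `klist -f` layout shown in the session above. It reports whether the TGT still carries the R flag, which is what changed before the `kinit -R` that failed. The function names are hypothetical; the sample listings are copied from the session.

```python
import re

# One ticket row of the `klist -f` layout in the session above:
# issued, expires, an optional flags column, then the service principal.
ROW = re.compile(
    r"^(\w{3}\s+\d+\s+[\d:]{8})\s+(\w{3}\s+\d+\s+[\d:]{8})\s+"
    r"(?:(?P<flags>[A-Za-z]+)\s+)?(?P<principal>\S+@\S+)$"
)

# Listings copied from the session (header and ticket rows only).
AFTER_SSH_LOGIN = """\
   Issued           Expires        Flags    Principal
Feb  3 15:27:36  Feb  4 16:27:36  FRI    krbtgt/ELIS.UGENT.BE@ELIS.UGENT.BE
"""
AFTER_FIRST_RENEW = """\
   Issued           Expires        Flags    Principal
Feb  3 15:28:08  Feb  4 16:27:36         krbtgt/ELIS.UGENT.BE@ELIS.UGENT.BE
Feb  3 15:28:08  Feb  4 16:27:36         afs@ELIS.UGENT.BE
"""
AFTER_KINIT_RENEWABLE = """\
   Issued           Expires        Flags    Principal
Feb  3 15:28:32  Feb  4 01:28:32  RI     krbtgt/ELIS.UGENT.BE@ELIS.UGENT.BE
Feb  3 15:28:32  Feb  4 01:28:32         afs@ELIS.UGENT.BE
"""

def parse_klist(text):
    """Return [(principal, flags)] per ticket row; flags is '' when the column is blank."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # header and cache/principal lines do not match
            rows.append((m["principal"], m["flags"] or ""))
    return rows

def tgt_flags(text):
    """Flags of the first krbtgt/ ticket, or None if the cache holds no TGT."""
    for principal, flags in parse_klist(text):
        if principal.startswith("krbtgt/"):
            return flags
    return None

def can_try_renew(text):
    """True only when a TGT is present and still marked R (renewable)."""
    flags = tgt_flags(text)
    return flags is not None and "R" in flags

if __name__ == "__main__":
    for name in ("AFTER_SSH_LOGIN", "AFTER_FIRST_RENEW", "AFTER_KINIT_RENEWABLE"):
        print(name, repr(tgt_flags(globals()[name])), can_try_renew(globals()[name]))
```

The R flag is only a necessary condition: as the quoted reply says, the ticket must also be unexpired and within its renew lifetime.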