[OpenAFS] refresh initial tokens
Christopher D. Clausen
cclausen@acm.org
Thu, 8 Feb 2007 02:00:53 -0600
Ronny Blomme <Ronny.Blomme+afs@elis.ugent.be> wrote:
> I am setting up openafs-1.4.2 client and server on FC4 with
> heimdal-0.7.2. I replaced the kas-server with kdc.
> When I login to this server with ssh, I get tickets/tokens (via
> /etc/pam.d/sshd).
> These initial tokens can be refreshed once with "kinit -R", but the
> new tickets have no "Flag=R" and so these tokens cannot be refreshed:
> # kinit -R
> kinit: krb5_get_kdc_cred: KDC can't fulfill requested option
>
> When I get renewable tokens with
> # kinit --renewable
> the "Flag=R" does not disapear, and I can "kinit -R" serveral times.
> # cat /etc/krb5.conf
> [libdefaults]
> default_realm = ELIS.UGENT.BE
Add the following to your libdefaults section in the krb5.conf file:
forwardable = true
proxiable = true
Does that help?
Its also possible that the principals are flagged in the KDC to not
allow renewal.
<<CDC