[OpenAFS] refresh initial tokens

Christopher D. Clausen cclausen@acm.org
Thu, 8 Feb 2007 02:00:53 -0600

Ronny Blomme <Ronny.Blomme+afs@elis.ugent.be> wrote:
> I am setting up openafs-1.4.2 client and server on FC4 with
> heimdal-0.7.2. I replaced the kas-server with kdc.
> When I log in to this server with ssh, I get tickets/tokens (via
> /etc/pam.d/sshd).
> These initial tokens can be refreshed once with "kinit -R", but the
> new tickets have no "Flag=R" and so these tokens cannot be refreshed:
> # kinit -R
> kinit: krb5_get_kdc_cred: KDC can't fulfill requested option
> When I get renewable tokens with
> # kinit --renewable
> the "Flag=R" does not disappear, and I can "kinit -R" several times.
> # cat /etc/krb5.conf
> [libdefaults]
>        default_realm = ELIS.UGENT.BE

Add the following to your libdefaults section in the krb5.conf file:

        forwardable = true
        proxiable = true

Does that help?

It's also possible that the principals are flagged in the KDC to not
allow renewal.