[OpenAFS] Automatic token renewal

Robbert Eggermont R.Eggermont@tudelft.nl
Thu, 02 Jul 2009 22:54:40 +0200


Sergio Gelato wrote:
> * Robbert Eggermont [2009-07-02 11:55:31 +0200]:
>> Our AD Kerberos server serves tickets with a 10 hour expiration time,
>> thus my tickets (and AFS tokens) expire at night. I would like to
>> automatically renew my AFS token for all processes started from KDE
>> (which seem to be in the same PAG). Is there a "standard" solution for this?
> 
> krenew should be good enough.
> 
>> I tried to run 'krenew -b -t -K 60' from a /opt/kde3/env/ shell script.
>> When running klist in a shell under KDE, I see the Kerberos ticket (in
>> /tmp/krb5cc_xxxx) being renewed every 5 hours. However, my AFS token in
>> the shell is not being renewed. According to the krenew and shell PAG
>> group ids, they seem to be in the same PAG. Krenew seems to work as
>> expected when run in a shell under KDE. What am I missing here?
> 
> Is this Linux? Which kernel version?

Sorry, yes, Linux 2.6.22.19-0.3-default (x86_64)

> In recent Linux (from 2.6.18 onwards) I wouldn't trust the group IDs to
> tell me the truth about PAG membership. Running "keyctl show" is the
> preferred way. Outside a PAG I get:
> 
> Session Keyring
>        -3 --alswrv   1000    -1  keyring: _uid_ses.1000
> 708748815 --alswrv   1000    -1   \_ keyring: _uid.1000
> 
> while inside it I get:
> 
> Session Keyring
>        -3 --alswrv   1000  1000  keyring: _ses.7860
> 512427344 ----s--v      0     0   \_ afs_pag: _pag
> 
> Different PAGs have different session keyring names.
> 
> There *is* code in the OpenAFS kernel module that tries to update the 
> group ID based on the keyring contents, but in my experience it doesn't 
> always work. So if PAGs are keyring-based on your system, please look
> at the keyring contents before assuming that the PAG is the same.

I just installed keyutils, I'll see what keyctl tells me.

> I suppose you could wrap aklog (by setting the AKLOG variable in krenew's
> environment) in a script that does useful logging. That way you
> should be able to demonstrate whether aklog is being run, with what
> arguments, in what PAG, and whether there is a fresh token afterwards.

Thanks for the tip, I'll try this as well.

> You may also be able to work out some of this from the contents of your
> Kerberos credentials cache. Is there a new AFS service ticket along
> with the new TGT?

No, when the TGT is renewed, all other tickets are dropped. Does this
mean that aklog is not run at all (not even in a different PAG)?

Cheers,

Robbert

-- 
Robbert Eggermont                   Information & Communication Theory
R.Eggermont@TUDelft.nl         Electr.Eng., Mathematics & Comp.Science
+31 (15) 2783234                        Delft University of Technology
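The logging wrapper Sergio suggests (pointing krenew's AKLOG variable at a script), written out as an added example; it is not code from the thread or from OpenAFS or kstart. It records, on every call, the arguments krenew passed, the session keyring name and whether an afs_pag key is present (the keyctl-based PAG check from the reply above), the exit status of the real aklog, and the token expiry reported by tokens afterwards. The paths /usr/bin/aklog and ~/.aklog-wrapper.log, the cell name parsing from "fs wscell", and the "[Expires ...]" format of the tokens line are assumptions; the sample keyctl output is copied from the reply above and the tokens line is constructed.

```shell
#!/bin/sh
# aklog-logged (example wrapper, not part of the thread or of OpenAFS/kstart).
# Use it as:  AKLOG=/path/to/aklog-logged krenew -b -t -K 60
# Each call appends one line before and one line after running the real aklog.

REAL_AKLOG="${REAL_AKLOG:-/usr/bin/aklog}"                # assumed path to the real aklog
LOGFILE="${AKLOG_WRAPPER_LOG:-$HOME/.aklog-wrapper.log}"  # assumed log location

# Print the session keyring name from `keyctl show` output read on stdin.
# Inside an OpenAFS PAG this is _ses.<n>; outside a PAG it is _uid_ses.<uid>.
session_keyring_name() {
    sed -n 's/.*keyring: \(_[^ ]*\).*/\1/p' | head -n 1
}

# Succeed when the `keyctl show` output on stdin contains the afs_pag key.
pag_key_present() {
    grep -q 'afs_pag: *_pag'
}

# Print the expiry of the token for cell $1 from `tokens` output on stdin,
# or "none" when no unexpired token for that cell is listed.
# Assumes the usual "tokens for afs@<cell> [Expires <date>]" line format.
token_expiry() {
    exp=$(sed -n "s/.*tokens for afs@$1 \[Expires \([^]]*\)\].*/\1/p" | head -n 1)
    if [ -n "$exp" ]; then printf '%s\n' "$exp"; else printf 'none\n'; fi
}

main() {
    stamp=$(date '+%Y-%m-%d %H:%M:%S')
    ks=$(keyctl show 2>&1) || ks="(keyctl failed: $ks)"
    kr=$(printf '%s\n' "$ks" | session_keyring_name)
    if printf '%s\n' "$ks" | pag_key_present; then pag=yes; else pag=no; fi
    printf '%s pid=%s args=[%s] session_keyring=%s afs_pag_key=%s\n' \
        "$stamp" "$$" "$*" "${kr:-unknown}" "$pag" >>"$LOGFILE"

    "$REAL_AKLOG" "$@"
    rc=$?

    # Cell name from `fs wscell` ("This workstation belongs to cell 'x'"); assumed format.
    cell=$(fs wscell 2>/dev/null | sed -n "s/.*belongs to cell '\(.*\)'.*/\1/p")
    after=$(tokens 2>&1 | token_expiry "${cell:-.*}")
    printf '%s aklog_exit=%s token_for_%s_expires=%s\n' \
        "$stamp" "$rc" "${cell:-?}" "$after" >>"$LOGFILE"
    return "$rc"
}

# Sample data for exercising the parsers offline: the two keyctl listings from
# the reply above, and a constructed `tokens` listing.
KEYCTL_OUTSIDE_PAG='Session Keyring
       -3 --alswrv   1000    -1  keyring: _uid_ses.1000
708748815 --alswrv   1000    -1   \_ keyring: _uid.1000'
KEYCTL_INSIDE_PAG='Session Keyring
       -3 --alswrv   1000  1000  keyring: _ses.7860
512427344 ----s--v      0     0   \_ afs_pag: _pag'
TOKENS_SAMPLE="Tokens held by the Cache Manager:

User's (AFS ID 1000) tokens for afs@example.org [Expires Jul  3 08:54]
   --End of list--"

# Only act as the wrapper when installed under this name, so the file can also
# be sourced to use the parsing helpers without running aklog.
case "${0##*/}" in
    aklog-logged*) main "$@" ;;
esac
```

Comparing the session_keyring value logged by the wrapper with the one from "keyctl show" in your KDE shell answers the question of whether krenew's aklog runs in the same PAG; a second line with a fresh expiry but no new token in the shell points at a different keyring, while no lines at all means aklog was never invoked.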