[OpenAFS] Automatic token renewal
Thu, 02 Jul 2009 22:54:40 +0200
Sergio Gelato wrote:
> * Robbert Eggermont [2009-07-02 11:55:31 +0200]:
>> Our AD Kerberos servers serves tickets with a 10 hour expiration time,
>> thus my tickets (and AFS tokens) expire at night. I would like to
>> automatically renew my AFS token for all processes started from KDE
>> (which seem to be in the same PAG). Is there a "standard" solution for this?
> krenew should be good enough.
>> I tried to run 'krenew -b -t -K 60' from a /opt/kde3/env/ shell script.
>> When running klist in a shell under KDE, I see the Kerberos ticket (in
>> /tmp/krb5cc_xxxx) being renewed every 5 hours. However, my AFS token in
>> the shell is not being renewed. According to the krenew and shell PAG
>> group ids, they seem to be in the same PAG. Krenew seems to work as
>> expected when run in a shell under KDE. What am I missing here?
> Is this Linux? Which kernel version?
Sorry, yes, Linux 126.96.36.199-0.3-default (x86_64)
> In recent Linux (from 2.6.18 onwards) I wouldn't trust the group IDs to
> tell me the truth about PAG membership. Running "keyctl show" is the
> preferred way. Outside a PAG I get:
> Session Keyring
> -3 --alswrv 1000 -1 keyring: _uid_ses.1000
> 708748815 --alswrv 1000 -1 \_ keyring: _uid.1000
> while inside it I get:
> Session Keyring
> -3 --alswrv 1000 1000 keyring: _ses.7860
> 512427344 ----s--v 0 0 \_ afs_pag: _pag
> Different PAGs have different session keyring names.
> There *is* code in the OpenAFS kernel module that tries to update the
> group ID based on the keyring contents, but in my experience it doesn't
> always work. So if PAGs are keyring-based on your system, please look
> at the keyring contents before assuming that the PAG is the same.
I just installed keyutils, I'll see what keyctl tells me.
> I suppose you could wrap aklog (by setting the AKLOG variable in krenew's
> environment) in a script that does useful logging. That way you
> should be able to demonstrate whether aklog is being run, with what
> arguments, in what PAG, and whether there is a fresh token afterwards.
Thanks for the tip, I'll try this as well.
> You may also be able to work out some of this from the contents of your
> Kerberos credentials cache. Is there a new AFS service ticket along
> with the new TGT?
No, when the TGT is renewed, all other tickets are dropped. Does this
mean that aklog is not run at all (not even in a different PAG)?
Robbert Eggermont Information & Communication Theory
R.Eggermont@TUDelft.nl Electr.Eng., Mathematics & Comp.Science
+31 (15) 2783234 Delft University of Technology