[OpenAFS] Automatic token renewal

Robbert Eggermont R.Eggermont@tudelft.nl
Fri, 03 Jul 2009 15:27:01 +0200

Robbert Eggermont wrote:
>>> I tried to run 'krenew -b -t -K 60' from a /opt/kde3/env/ shell script.
>>> When running klist in a shell under KDE, I see the Kerberos ticket (in
>>> /tmp/krb5cc_xxxx) being renewed every 5 hours. However, my AFS token in
>>> the shell is not being renewed. According to the krenew and shell PAG
>>> group ids, they seem to be in the same PAG. Krenew seems to work as
>>> expected when run in a shell under KDE. What am I missing here?

According to keyctl, the krenew started from an /opt/kde3/env shell
script is in the right PAG. And krenew does call aklog, and aklog is
able to update my token successfully. Great! So the problem was
something else...

My best guess now is that krenew was not working because winbind was set
to renew my Kerberos ticket, and did so apparently every 5 hours. Krenew
was happily waiting forever for the Kerberos ticket (with an expiration
time of 10 hours) to expire within the next hour, and did not bother to
update my AFS tokens (which did expire!).

I guess now that if I want to use krenew for multiple logins, I should
not use (a shared) /tmp/krb5cc_xxxx either?

Anyway, thanks for your suggestions, they really helped me to verify my
KDE krenew setup.



Robbert Eggermont                   Information & Communication Theory
R.Eggermont@TUDelft.nl         Electr.Eng., Mathematics & Comp.Science
+31 (15) 2783234                        Delft University of Technology
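
A small timing model of the interaction described in the message above, added here as an illustration; it is not part of the original post and is not krenew's or winbind's code. It assumes a simplified rule (krenew renews the ticket, and only then runs aklog, when the ticket would expire before its next wake-up) and that an AFS token ends when the ticket it was derived from ends; the function and constant names are hypothetical.

```python
# Constructed model: times are minutes since login.
TICKET_LIFETIME = 600   # 10-hour tickets, as in the post
WINBIND_PERIOD = 300    # winbind renewed the shared cache every 5 hours
KRENEW_WAKE = 60        # krenew -K 60


def simulate(winbind_shares_cache, minutes=24 * 60):
    """Return (first minute the AFS token is expired or None, aklog runs)."""
    ticket_expiry = TICKET_LIFETIME   # ticket obtained at login (t=0)
    token_expiry = ticket_expiry      # login-time token ends with that ticket
    aklog_runs = 0
    token_lapsed_at = None
    for now in range(1, minutes + 1):
        # Second renewer on the same cache: extends the ticket, never runs aklog.
        if winbind_shares_cache and now % WINBIND_PERIOD == 0:
            ticket_expiry = now + TICKET_LIFETIME
        # Assumed krenew rule: act only if the ticket would expire before the
        # next wake-up; aklog runs as a side effect of that renewal.
        if now % KRENEW_WAKE == 0 and ticket_expiry <= now + KRENEW_WAKE:
            ticket_expiry = now + TICKET_LIFETIME
            token_expiry = ticket_expiry
            aklog_runs += 1
        if token_lapsed_at is None and now >= token_expiry:
            token_lapsed_at = now
    return token_lapsed_at, aklog_runs


if __name__ == "__main__":
    for shared in (True, False):
        lapsed, runs = simulate(shared)
        label = "shared with winbind" if shared else "private to krenew"
        print(f"cache {label}: token lapsed at minute {lapsed}, aklog runs {runs}")
```

In the shared-cache run the ticket never comes within an hour of expiry, so the modelled krenew never triggers aklog and the token lapses at the 10-hour mark; with a cache only krenew touches, the token is refreshed before each expiry.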