[OpenAFS] Automatic token renewal

Frédéric Grelot fredericg_99@yahoo.fr
Fri, 20 Nov 2009 09:35:53 +0100 (CET)


> You will, regardless, have to have *something* running to refresh tickets
> and tokens, since it won't happen by itself.  :)  You can kick off krenew
> -bit -K 60 from a user's shell initialization files or take some similar
> approach to start it automatically on login.

Ok, I understand this and that's what I missed. I think it will be either in some user "~/*rc", or in gnome "startup programs".

> > By the way, since I added the openafs module in common-session and
> > common-auth, if after some time of inactivity ubuntu suspends my session
> > and asks me for a password to unlock it, will it send a new query to the
> > servers (equivalent of a "kinit&&aklog")?
> 
> Yes, if the PAM modules are correctly configured.

Good news.
So would you confirm this behavior:
- The user logs in in the morning, and kinit (its pam_krb5.so equivalent, actually) is issued (say kinit -r 7d -l 24h).
- krenew runs in the background and renews every 60 minutes, thanks to what you told me.
- After 24 hours, lifetime is still (roughly) at "24h left", and renewal time left is 6 days.
- By chance, since the night passed, the computer locked the session, and the user has to enter his password again.
- He recovers his session, but now renewal time got back to 7 days.
- Furthermore, the "krenew -K 60" process now uses the new tickets, and, 24 hours later, we are in the same previous state: lifetime at 24h, and renewal time of 6 days.

This way, the user never loses his session provided that he lets the computer lock the screen and logs in at least once every 7 days...
(and I hope he will!)

Thanks for your help, 

Frederic.

> 
> -- 
> Russ Allbery (rra@stanford.edu)            
> <http://www.eyrie.org/~eagle/>
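
The ticket timeline described in this message, as an added example that is not part of the original thread: a constructed hour-by-hour model that checks when a session would actually lose its ticket. It assumes `kinit -l 24h -r 7d`, a renewer modelled as renewing at every 60-minute wake-up as the message describes it, and a screen unlock that obtains brand-new tickets; all function names are hypothetical.

```python
"""Hour-by-hour model of the ticket timeline in the message above (constructed)."""
from dataclasses import dataclass

LIFETIME_H = 24          # kinit -l 24h
RENEWABLE_H = 7 * 24     # kinit -r 7d
WAKE_H = 1               # krenew -K 60 (assumed to renew at every wake-up)


@dataclass
class Ticket:
    endtime: int      # hour at which the ticket expires
    renew_till: int   # hour after which renewal is refused


def authenticate(now):
    """Password login or screen unlock through PAM: brand-new ticket."""
    return Ticket(now + LIFETIME_H, now + RENEWABLE_H)


def renew(ticket, now):
    """Renewal needs a still-valid ticket and never extends past renew_till."""
    if now >= ticket.endtime or now >= ticket.renew_till:
        return ticket
    return Ticket(min(now + LIFETIME_H, ticket.renew_till), ticket.renew_till)


def simulate(hours, unlock_hours=(), renewer=True):
    """Return (first hour without a valid ticket or None, {hour: (life_left, renew_left)})."""
    ticket, states = authenticate(0), {}
    for now in range(1, hours + 1):
        if now in unlock_hours:
            ticket = authenticate(now)          # password typed at the lock screen
        elif renewer and now % WAKE_H == 0:
            ticket = renew(ticket, now)         # background renewer wakes up
        if now >= ticket.endtime:
            return now, states
        states[now] = (ticket.endtime - now, ticket.renew_till - now)
    return None, states


if __name__ == "__main__":
    daily = set(range(24, 31 * 24, 24))         # one unlock every morning
    print("no renewer:           lost at hour", simulate(200, renewer=False)[0])
    print("renewer only:         lost at hour", simulate(200)[0])
    print("renewer + unlocks:    lost at hour", simulate(30 * 24, daily)[0])
    print("8-day gap in unlocks: lost at hour", simulate(400, {24, 216})[0])
    print("hour 24, no unlock (life, renew left):", simulate(30)[1][24])
```
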