[OpenAFS] Automatic token renewal

Russ Allbery rra@stanford.edu
Fri, 20 Nov 2009 10:41:56 -0800

Fr=C3=A9d=C3=A9ric Grelot <fredericg_99@yahoo.fr> writes:

> So would you confirm this behavior :

> -user logs in at the morning, kinit (its pam_krb5.so equivalent
> actually) is issued (say kinit -r 7d -l 24h)

> -krenew runs in the background and renews every 60 minutes thanks to
> what you told me

> -after 24hours, lifetime is still (roughly) at "24h left", and renewal
> time left is 6 days.

> -by chance, since the night passed, the computer locked the session, the
> user has to enter his password again

> -he recovers his sesssion, but now, renewal time got back to 7 days

> -furthermore, the "krenew -K 60" process now uses the new tickets, and,
> 24 hours later, we are in the same previous state : lifetime at 24h, and
> renewal time of 6 days.

This is indeed what should happen.  You'll want to run krenew with -i so
that it will cope with the ticket cache going away temporarily.

> This way, the user never looses his session provided that he lets the
> computer lock the screen and logs in at least once every 7 days...  (and
> I hope he will!)


Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>