[OpenAFS] Questions regarding AFS ticket lifetime

Lars Schimmer l.schimmer@cgv.tugraz.at
Fri, 20 Apr 2012 09:35:39 +0200


On 2012-04-20 07:52, Anders Nordin wrote:
> Ok,
>
> Bear with me because I might not have formulated the questions
> correctly, I'm mostly a Windows admin and not entirely up to speed
> on the AFS/Kerberos lingo.
>
> Environment:
>
> Windows 7 x64 Enterprise
> OpenAFS 1.7.1000 (64-bit)
> Network Identity Manager 2.0.1.903
> MIT Kerberos for Windows (64-bit) 3.2.2
>
> 1)
>
> Why do you need to renew the credentials manually? From what I
> understand Network Identity Manager should handle this (until the
> end of the renewable lifetime of course). Please see the two
> attached images.
>
> http://staff.www.ltu.se/~kex/renew1.jpg
> http://staff.www.ltu.se/~kex/renew2.jpg
>
> 2)
>
> From memory, during our Windows XP days (different OS, different
> OpenAFS, different Network Identity Manager, different MIT Kerberos
> for Windows), just locking and unlocking the computer refreshed the
> AFS ticket.
>
> How has this changed for Windows 7 and our current setup, as this
> no longer seems to be working?

Remember the 2 different credential caches of Windows - one of the system
at login and one for Network ID Manager.

On login you get a ticket/token with the Windows built-in credential
cache, which CANNOT be accessed by Network ID Manager.
Only after you have obtained a token manually in Network ID Manager does
it renew the token automatically, and you can set the token lifetime with
Network ID Manager.

On logon you can set the ticket lifetime in the AD controller.

> Best regards
>
> Anders Nordin IT-Service


Best regards,
Lars Schimmer
--
-------------------------------------------------------------
TU Graz, Institut für ComputerGraphik & WissensVisualisierung
Tel: +43 316 873-5405       E-Mail: l.schimmer@cgv.tugraz.at
Fax: +43 316 873-5402       PGP-Key-ID: 0x4A9B1723

