[OpenAFS] Questions regarding AFS ticket lifetime

Jeffrey Altman jaltman@secure-endpoints.com
Fri, 20 Apr 2012 23:42:13 -0400


Automatic renewal in NIM is used at many sites, so I think you need
to figure out what tickets you have and what cache is being used.
kinit -R does exactly the same thing that NIM does.

Of course, I don't know why the configuration is set to renew when
there is 1 minute left.
You want to renew when there is much more than one minute.  I think
the default is 30 minutes.

On Friday, April 20, 2012 10:25:55 AM, Anders Magnusson wrote:
> Thanks Jeffrey, now lot of things became clearer :-)
>
> But to solve this incident; since automatic renew in NiM does not work
> but kinit -R && aklog does work for the API cache, we are planning to
> add this to the Task Scheduler.  Do you see any problem with doing it
> like this?
>
> -- Ragge
>
>
> On 04/20/2012 03:40 PM, Jeffrey Altman wrote:
>> Anders:
>>
>> If you configure the default credential cache to be MSLSA: then the LSA
>> credentials will be used.
>>
>> The functionality (an explorer shell logon hook) that was used to copy
>> credentials at logon no longer exists on Vista and later versions of
>> the operating system.  Since the functionality does not exist, the
>> functions exported from kfwlogon.dll do not get executed and no
>> Kerberos tickets can be copied in to the API: credential cache.
>>
>> I have plans to build a new in kernel credential cache mechanism using
>> the AFS Authentication Groups available in the 1.7.x series.  I have no
>> available resources at the moment to implement it and I can't make a
>> commitment as to when I will.
>>
>> At the moment afslogon.dll will obtain a new AFS token at logon, but it
>> will not be renewable.
>>
>> Jeffrey Altman
>>
>>
>> On Friday, April 20, 2012 9:25:13 AM, Anders Magnusson wrote:
>>
>>> Yes, I have seen that, but that does not explain the behaviour since I
>>> have no wish to fetch things from MSLSA.
>>> Integrated logon works, but fetching new krbtgt at unlock of the login
>>> window does not.
>>> And BTW, importing tickets from MSLSA to API seems to work (pressing
>>> import button).
>>>
>>> -- Ragge
>>>
>>
>
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
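An added illustration of the scheduled "kinit -R && aklog" approach discussed above, with the renewal margin Jeffrey mentions. This is not code from the thread, from OpenAFS or from Kerberos for Windows: it is a helper a scheduled task could run, written against the MIT `klist` output format (the "Valid starting / Expires / Service principal" table with a "renew until" line). The sample klist output, the principal and realm are constructed for the example. Its one real caveat is the decision logic: kinit -R only works while the TGT is still valid and before its renew-until time, so a task that fires with one minute of margin, or after the renewable lifetime is used up, finds nothing it can renew and a fresh kinit is needed instead.

```python
"""Renewal helper for a Kerberos TGT driven by MIT `klist` output.

Assumed setup (an illustration, not code from the list thread or from
OpenAFS/KfW): a scheduled task runs this periodically, renews with
`kinit -R && aklog` while the TGT is still valid and within a safety
margin of expiry, and refuses to attempt a renewal that cannot succeed
(TGT already expired, not renewable, or renewable lifetime used up),
since those cases need a fresh `kinit` with a password or keytab.
"""
import re
import subprocess
from datetime import datetime

# Constructed sample of MIT Kerberos `klist` output (not captured from the
# thread).  Timestamps use MIT's default "%m/%d/%y %H:%M:%S" form.
SAMPLE_KLIST = """\
Ticket cache: API:Initial default ccache
Default principal: ragge@EXAMPLE.ORG

Valid starting     Expires            Service principal
04/20/12 08:00:00  04/20/12 18:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
\trenew until 04/27/12 08:00:00
04/20/12 08:00:05  04/20/12 18:00:00  afs/example.org@EXAMPLE.ORG
"""

MIT_TS = "%m/%d/%y %H:%M:%S"
_TS = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({_TS})\s+({_TS})\s+(\S+)\s*$")
RENEW_RE = re.compile(rf"^\s*renew until ({_TS})\s*$")


def mit_time(text):
    """Parse a timestamp in MIT klist's default format."""
    return datetime.strptime(text, MIT_TS)


def parse_tgt(klist_output):
    """Return (expires, renew_until) for the krbtgt/ ticket; renew_until is
    None when klist printed no 'renew until' line.  Returns None if the
    cache holds no TGT at all."""
    lines = klist_output.splitlines()
    for i, line in enumerate(lines):
        m = TICKET_RE.match(line)
        if not m or not m.group(3).startswith("krbtgt/"):
            continue
        renew_until = None
        if i + 1 < len(lines):
            r = RENEW_RE.match(lines[i + 1])
            if r:
                renew_until = mit_time(r.group(1))
        return mit_time(m.group(2)), renew_until
    return None


def decide(klist_output, now, margin_minutes=30):
    """Return 'reinit', 'renew' or 'ok'.

    reinit: no TGT, TGT expired, not renewable, or renew-until reached;
            kinit -R cannot fix this, a fresh kinit is needed.
    renew:  TGT valid and within margin_minutes of expiry; run kinit -R
            (a renewed ticket never outlives renew-until, so the last
            renewal before that point yields a shorter ticket).
    ok:     nothing to do yet.
    """
    tgt = parse_tgt(klist_output)
    if tgt is None:
        return "reinit"
    expires, renew_until = tgt
    if now >= expires or renew_until is None or now >= renew_until:
        return "reinit"
    if (expires - now).total_seconds() <= margin_minutes * 60:
        return "renew"
    return "ok"


def commands(action):
    """Commands to run for an action.  kinit -R comes first and aklog only
    runs if it succeeded (the && in the thread).  'reinit' deliberately
    runs nothing: kinit without -R would prompt for a password, which a
    scheduled task cannot answer, so the task should just report it."""
    if action == "renew":
        return [["kinit", "-R"], ["aklog"]]
    return []


def run(now=None):
    """Query klist, decide, and act.  Returns the action taken."""
    now = now or datetime.now()
    out = subprocess.run(["klist"], capture_output=True, text=True).stdout
    action = decide(out, now)
    for cmd in commands(action):
        subprocess.run(cmd, check=True)  # raise on failure, like &&
    return action


if __name__ == "__main__":
    print(run())
```

Two things to check before scheduling this on Windows: the `klist` found on PATH must be the MIT one shipped with Kerberos for Windows, because Windows also ships its own klist.exe for LSA tickets with a different output format, and both kinit and aklog must be told to use the same API: cache the task is meant to keep alive. The regular expressions assume MIT's default timestamp layout; if your klist prints dates differently (version or locale), adjust `MIT_TS` and `_TS` together.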

