[OpenAFS] Service principal ticket expiring (AD)

John Tang Boyland boyland@uwm.edu
Tue, 17 Jan 2012 16:05:56 -0600

Dear OpenAFS community,
  I was able to get my AFS fileservers to work with authentication through Active
Directory with help from http://wiki.openafs.org/AFSLore/WindowsK5AfsServicePrincipal/
and also your help (in particular, Jeffrey Altman), but I've noticed some strangeness.

After aklog got me a token using AD (without error), the fileserver still rejects it.
I needed to restart the fileserver and then it worked fine.  But a week later,
I had to restart the fileserver again in order for AD Source AFS tokens.  

Was this just a fluke, or is it a problem that
the service principal TGT expires and the fs process doesn't realize that it has?
When I use kinit directly with the keytab.afs file generated, it says
that the TGT expires in 24 hours:

% kinit -k -t keytab.afs afs/cs.uwm.edu@ADTEST.UWM.EDU
% klist
Ticket cache: FILE:/tmp/krb5cc_920
Default principal: afs/cs.uwm.edu@ADTEST.UWM.EDU

Valid starting     Expires            Service principal
01/17/12 14:37:15  01/18/12 00:36:57  krbtgt/ADTEST.UWM.EDU@ADTEST.UWM.EDU
        renew until 01/18/12 14:37:15

Best regards,
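As an added example (not part of the original message), here is a small Python check that parses the klist output quoted above and reports whether the service principal's ticket is still valid, about to expire, or already expired; a cron job running this against the fileserver's credential cache would catch the expiry the poster suspects before users see rejected tokens. The sample output is constructed from the post, and the 30-minute warning threshold is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, copied from the klist output quoted in the post.
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_920
Default principal: afs/cs.uwm.edu@ADTEST.UWM.EDU

Valid starting     Expires            Service principal
01/17/12 14:37:15  01/18/12 00:36:57  krbtgt/ADTEST.UWM.EDU@ADTEST.UWM.EDU
        renew until 01/18/12 14:37:15
"""

TS = r"\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}"      # MIT klist timestamp
TICKET_RE = re.compile(rf"^({TS})\s+({TS})\s+(\S+)\s*$")
RENEW_RE = re.compile(rf"^\s+renew until ({TS})\s*$")
FMT = "%m/%d/%y %H:%M:%S"

def parse_klist(text):
    """Return one dict per ticket: principal, start, expires, renew_until."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append({
                "principal": m.group(3),
                "start": datetime.strptime(m.group(1), FMT),
                "expires": datetime.strptime(m.group(2), FMT),
                "renew_until": None,
            })
            continue
        m = RENEW_RE.match(line)
        if m and tickets:
            # A "renew until" line belongs to the ticket parsed just before it.
            tickets[-1]["renew_until"] = datetime.strptime(m.group(1), FMT)
    return tickets

def ticket_status(ticket, now, warn=timedelta(minutes=30)):
    """Classify a ticket at time `now`: 'ok', 'expiring' (assumed 30 min), or 'expired'."""
    if now >= ticket["expires"]:
        return "expired"
    if ticket["expires"] - now <= warn:
        return "expiring"
    return "ok"

def check(text, now):
    """Map each service principal in klist output to its status at `now`."""
    return {t["principal"]: ticket_status(t, now) for t in parse_klist(text)}
```

Note that the quoted ticket is only valid for just under ten hours even though it is renewable for 24; a monitor should compare against the "Expires" column, not "renew until".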