[OpenAFS] Service principal ticket expiring (AD)
John Tang Boyland
boyland@uwm.edu
Tue, 17 Jan 2012 16:05:56 -0600
Dear OpenAFS community,
I was able to get my AFS fileservers to work with authentication through Active
Directory with help from http://wiki.openafs.org/AFSLore/WindowsK5AfsServicePrincipal/
and also your help (in particular, Jeffrey Altman), but I've noticed some strangeness.
After aklog got me a token using AD (without error), the fileserver still rejects it.
I needed to restart the fileserver and then it worked fine. But a week later,
I had to restart the fileserver again in order for AD Source AFS tokens to work.
Was this just a fluke, or is it a problem that
the service principal TGT expires and the fs process doesn't realize that it has?
When I use kinit directly with the keytab.afs file generated, it says
that the TGT expires in 24 hours:

  % kinit -k -t keytab.afs afs/cs.uwm.edu@ADTEST.UWM.EDU
  % klist
  Ticket cache: FILE:/tmp/krb5cc_920
  Default principal: afs/cs.uwm.edu@ADTEST.UWM.EDU

  Valid starting     Expires            Service principal
  01/17/12 14:37:15  01/18/12 00:36:57  krbtgt/ADTEST.UWM.EDU@ADTEST.UWM.EDU
          renew until 01/18/12 14:37:15

Best regards,
John