[OpenAFS] Service principal ticket expiring (AD)

Jeffrey Altman jaltman@your-file-system.com
Tue, 17 Jan 2012 17:43:15 -0500


I assume that you are not regenerating a keytab and installing the new
key with asetkey.   If that assumption is true, then there is something
wrong because the key known to the file server will never expire unless
you generate an afs/cs.uwm.edu@ADTEST.UWM.EDU key.

If a file server restart permits the acceptance of an authenticated
connection without obtaining a new token on the client, it means that
there is most likely a memory corruption problem in the file server.

Jeffrey Altman

On 1/17/2012 5:05 PM, John Tang Boyland wrote:
> Dear OpenAFS community,
>   I was able to get my AFS fileservers to work with authentication through Active
> Directory with help from http://wiki.openafs.org/AFSLore/WindowsK5AfsSe=
> and also your help (in particular, Jeffrey Altman), but I've noticed some strangeness.
> After aklog got me a token using AD (without error), the fileserver still rejects it.
> I needed to restart the fileserver and then it worked fine.  But a week=
> I had to restart the fileserver again in order for AD Source AFS tokens.
> Was this just a fluke, or is it a problem that
> the service principal TGT expires and the fs process doesn't realize that it has?
> When I use kinit directly with the keytab.afs file generated, it says
> that the TGT expires in 24 hours:
> % kinit -k -t keytab.afs afs/cs.uwm.edu@ADTEST.UWM.EDU
> % klist
> Ticket cache: FILE:/tmp/krb5cc_920
> Default principal: afs/cs.uwm.edu@ADTEST.UWM.EDU
> Valid starting     Expires            Service principal
> 01/17/12 14:37:15  01/18/12 00:36:57  krbtgt/ADTEST.UWM.EDU@ADTEST.UWM.=
>         renew until 01/18/12 14:37:15
> Best regards,
> John