[OpenAFS] Service principal ticket expiring (AD)

Jeffrey Altman jaltman@your-file-system.com
Tue, 17 Jan 2012 17:43:15 -0500



I assume that you are not regenerating a keytab and installing the new
key with asetkey.  If that assumption is true, then there is something
wrong because the key known to the file server will never expire unless
you generate an afs/cs.uwm.edu@ADTEST.UWM.EDU key.

If a file server restart permits the acceptance of an authenticated
connection without obtaining a new token on the client, it means that
there is most likely a memory corruption problem in the file server.

Jeffrey Altman


On 1/17/2012 5:05 PM, John Tang Boyland wrote:
> Dear OpenAFS community,
>   I was able to get my AFS fileservers to work with authentication through Active
> Directory with help from http://wiki.openafs.org/AFSLore/WindowsK5AfsServicePrincipal/
> and also your help (in particular, Jeffrey Altman), but I've noticed some strangeness.
>
> After aklog got me a token using AD (without error), the fileserver still rejects it.
> I needed to restart the fileserver and then it worked fine.  But a week later,
> I had to restart the fileserver again in order for AD Source AFS tokens.
>
> Was this just a fluke, or is it a problem that
> the service principal TGT expires and the fs process doesn't realize that it has?
> When I use kinit directly with the keytab.afs file generated, it says
> that the TGT expires in 24 hours:
>
> % kinit -k -t keytab.afs afs/cs.uwm.edu@ADTEST.UWM.EDU
> % klist
> Ticket cache: FILE:/tmp/krb5cc_920
> Default principal: afs/cs.uwm.edu@ADTEST.UWM.EDU
>
> Valid starting     Expires            Service principal
> 01/17/12 14:37:15  01/18/12 00:36:57  krbtgt/ADTEST.UWM.EDU@ADTEST.UWM.EDU
>         renew until 01/18/12 14:37:15
>
>
> Best regards,
> John

