[OpenAFS] token lifetime

Jayen Ashar jayen@science.unsw.edu.au
Fri, 6 Jul 2012 17:31:08 +1000


On Sun, Jul 13, 2003 at 5:26 AM, Derrick J Brashear <shadow@dementia.org> wrote:
> On Sat, 12 Jul 2003, Richard Wallace wrote:
>
>> Since it is a home network I wanted to lengthen the lifetime of the krb5
>> tickets and afs tokens.  Just to have a nice round number, I went with a
>> year for now.  I made the modifications to the kdc.conf file so max_life
>> and max_renewable_life are both "365d 0h 0m 0s".  I set the lifetime on
>> all the principals in the krb5 database and changed the configuration of
>> pam_krb5afs in the krb5.conf file to reflect these changes.
>
> krb4 with the afs lifetime extensions can do a life of up to 30 days, or
> unlimited. nothing in between. plus, translating something which is that
> long may not work the way you expect, anyway.

How can I do a life of unlimited (with krb5)?  I made the
modifications to the kdc.conf file so max_life and max_renewable_life
are both "0d".  I set the lifetime on all the principals in the krb5
database and changed the configuration of pam_krb5afs in the krb5.conf
file to reflect these changes.  I can see the afs service ticket and
token expire at 03:14:07 UTC on Tuesday, 19 January 2038 (which I
assume represents "unlimited").  The openafs server is, however,
rejecting the token outright.

Thanks,
Jayen

>>
>> It seems the afs token has a max life of a month, but I haven't found
>> anywhere that this is set.  Any ideas?
>
> the variable used to represent the life doesn't go any higher than that.