[OpenAFS] Token Lifetime

Benjamin Kaduk kaduk@MIT.EDU
Tue, 25 Jun 2013 23:10:06 -0400 (EDT)


On Tue, 25 Jun 2013, J wrote:

>
> Hi.
>
> Wondering if someone can help me with changing the default token lifetime of an identity, or the default for all identities.
>
> I read on the OpenAFS site that the default afs entry is 100 hours, the default krbtgt.cellname entry is 720 hours (30 days), and the default entry for the user is 25 hours.
>
> But in Network Identity Manager, my token lifetime appears to be 10 hours, that's by default before I make any changes.
>
> Now oddly, after I changed:
>
> 1. modprinc -maxlife 25 hours (principal)
>
> and
>
> 2. "ticket_lifetime = 25hrs" in /etc/krb5kdc/kdc.conf
>
> The token lifetime still shows 10 hours when I log in, but the elapsed 
> time does not seem to reflect this actual time.  So, I'll see 9 hours 50 
> minutes, and then a few hours later it will read "9 hours 10 minutes", 
> for example.

That sounds like you need to modprinc -maxlife krbtgt/REALM@REALM as well.
(And maybe something is autorenewing your credentials?)

> Just wondering if someone can tell me exactly what needs to be changed 
> to alter both the Kerberos and AFS ticket/token lifetime.

The times should be driven by Kerberos.  Unless there's a 
NIM-plugin-specific bit, once the Kerberos ticket lifetimes are correct, 
the token lifetime should follow naturally.

-Ben Kaduk
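As an added illustration of the advice above (not code from the thread or from OpenAFS/MIT krb5), the small model below shows why raising only the user principal and the realm setting leaves the ticket, and hence the AFS token, at the krbtgt principal's limit: the KDC issues the smallest of the requested lifetime, the client principal's maxlife, the krbtgt principal's maxlife and the realm's max_life (the kdc.conf realm-stanza key; ticket_lifetime in krb5.conf's [libdefaults] only sets what the client asks for). The 10-hour krbtgt value is a constructed assumption, and parse_lifetime() is a simplified parser for the forms seen in the thread, not MIT's duration parser.

```python
import re

# Simplified duration parser for the forms used in the thread
# ("25 hours", "25hrs", "720h", "10h"); MIT krb5's own parser accepts more.
_UNIT_SECONDS = {"s": 1, "sec": 1, "second": 1, "m": 60, "min": 60, "minute": 60,
                 "h": 3600, "hr": 3600, "hour": 3600, "d": 86400, "day": 86400}


def parse_lifetime(text):
    """Return the lifetime in seconds for strings like '25 hours' or '720h'."""
    m = re.fullmatch(r"\s*(\d+)\s*([a-z]+)\s*", text.lower())
    if not m:
        raise ValueError(f"unparseable lifetime: {text!r}")
    value, unit = int(m.group(1)), m.group(2)
    if len(unit) > 1:            # strip plural: 'hrs' -> 'hr', 'hours' -> 'hour'
        unit = unit.rstrip("s")
    if unit not in _UNIT_SECONDS:
        raise ValueError(f"unknown unit in lifetime: {text!r}")
    return value * _UNIT_SECONDS[unit]


def ticket_lifetime(limits):
    """limits maps a label to a lifetime string; the KDC issues the smallest.
    Returns (binding_label, seconds) so the capping setting is visible."""
    label, seconds = min(((k, parse_lifetime(v)) for k, v in limits.items()),
                         key=lambda kv: kv[1])
    return label, seconds


def hours(seconds):
    return seconds / 3600


# Constructed values mirroring the thread: user principal and realm max_life
# raised to 25 hours, krbtgt/REALM@REALM left at an assumed 10 hours.
BEFORE = {
    "requested by client": "25 hours",
    "user principal maxlife (modprinc -maxlife)": "25 hours",
    "krbtgt/REALM@REALM maxlife": "10 hours",
    "kdc.conf max_life": "25hrs",
}
# After also running: modprinc -maxlife "25 hours" krbtgt/REALM@REALM
AFTER = dict(BEFORE, **{"krbtgt/REALM@REALM maxlife": "25 hours"})

if __name__ == "__main__":
    for name, limits in (("before", BEFORE), ("after", AFTER)):
        label, secs = ticket_lifetime(limits)
        print(f"{name}: TGT lifetime {hours(secs):g}h, capped by {label}")
```

Running it prints a 10-hour lifetime capped by the krbtgt entry before the fix and 25 hours after; aklog derives the AFS token expiry from the resulting ticket, so the token follows once the Kerberos side is right.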