[OpenAFS] AFS Token not renewable after integrated login

Dr. Hendrik Naumann naumann@tu-berlin.de
Fri, 5 Dec 2014 19:31:37 +0100

Content-Type: Text/Plain;
Content-Transfer-Encoding: quoted-printable


I am looking for a way to setup the Integrated Logon in such a way,=20
that the aquired AFS Tokens can be renewed.=20

We are using the latest versions of OpenAFS (1.7.31) , NIM (2.102.907)=20
and Heimdal Kerberos ( We have identical user accounts stored=20
in our central Unix Kerberos Realm (TU-BERLIN) which authenticates=20
also the AFS and your windows domain WIN.TU-BERLIN.DE. Both Realms=20
have a trust relationsship.

On the windows clients the heimdal default realm is configured to TU-
BERLIN.DE and the default AFS cell to TU-BERLIN.DE. The integrated=20
logon works fine, but after login the NIM only shows the AFS Token=20
aquired during the logon process but not the TGT and Service=20
Certificate afs/tu-berlin.de@TU-BERLIN.DE which must have been used to=20
get the AFS Token f=FCr afs@tu-berlin.de.=20

Is there any way to get access to the Kerberos Tickets from the=20
integrated logon? Under Linux Kerberos can be configured to store its=20
Tickets in a file und thus the TGT and also the Token can be renewed=20

If I open the NIM and obtain a new TGT from TU-BERLIN.DE, the Token=20
renewal works fine. However this would require all users to type in=20
their password twice and in addition fiddle with the NIM at all.

Do you have any idea how I can renew the AFS token without additional=20
user interaction?

Thanks very much

Hendrik Naumann

Dr. Hendrik Naumann
Technische Universit=E4t Berlin
Institut f=FCr Chemie, Sekr. C3
Leiter EDV Chemie
Strasse des 17. Juni 115
10623 Berlin
Tel.: +49 30 314 29892  Mobil: +49 172 314 0410  Fax: +49 30 314 29309
WWW: http://www.chemie.tu-berlin.de/it
E-Mail: naumann@tu-berlin.de

Content-Type: application/pgp-signature; name=signature.asc 
Content-Description: This is a digitally signed message part.

Version: GnuPG v1.4.12 (GNU/Linux)