[OpenAFS] AFS Token not renewable after integrated login

Dave Botsch botsch@cnf.cornell.edu
Wed, 10 Dec 2014 12:27:06 -0500

You might be experencing the same bug I'm working with Microsoft.

That is, Windows would appear to not properly set the flags in its
renewal request when authenticating against a foreign Kerberos realm, so
the ticket one gets back from the foreign kerberos realm is not

You can verify your TGTs by at a windows command prompt typing in:

klist tgt

and then after the ticket should have been renewed, type that command
again to see what happened.

On Fri, Dec 05, 2014 at 07:31:37PM +0100, Dr. Hendrik Naumann wrote:
> Hi
> I am looking for a way to setup the Integrated Logon in such a way, 
> that the aquired AFS Tokens can be renewed. 
> We are using the latest versions of OpenAFS (1.7.31) , NIM (2.102.907) 
> and Heimdal Kerberos ( We have identical user accounts stored 
> in our central Unix Kerberos Realm (TU-BERLIN) which authenticates 
> also the AFS and your windows domain WIN.TU-BERLIN.DE. Both Realms 
> have a trust relationsship.
> On the windows clients the heimdal default realm is configured to TU-
> BERLIN.DE and the default AFS cell to TU-BERLIN.DE. The integrated 
> logon works fine, but after login the NIM only shows the AFS Token 
> aquired during the logon process but not the TGT and Service 
> Certificate afs/tu-berlin.de@TU-BERLIN.DE which must have been used to 
> get the AFS Token für afs@tu-berlin.de. 
> Is there any way to get access to the Kerberos Tickets from the 
> integrated logon? Under Linux Kerberos can be configured to store its 
> Tickets in a file und thus the TGT and also the Token can be renewed 
> later.
> If I open the NIM and obtain a new TGT from TU-BERLIN.DE, the Token 
> renewal works fine. However this would require all users to type in 
> their password twice and in addition fiddle with the NIM at all.
> Do you have any idea how I can renew the AFS token without additional 
> user interaction?
> Thanks very much
> Hendrik Naumann
> -- 
> Dr. Hendrik Naumann
> Technische Universität Berlin
> Institut für Chemie, Sekr. C3
> Leiter EDV Chemie
> Strasse des 17. Juni 115
> 10623 Berlin
> Tel.: +49 30 314 29892  Mobil: +49 172 314 0410  Fax: +49 30 314 29309
> WWW: http://www.chemie.tu-berlin.de/it
> E-Mail: naumann@tu-berlin.de

David William Botsch