> > - the client SSH onto a machine and is granted an AFS Token obtained with > > aklog.
I'd recommend SSH with GSSAPIKeyExchange and forwarded credentials. > > At this very step, the user have the Ticket Granting Ticket > > krbtgt/re...@realm ticket and the afs/c...@realm Ticket Granting > > Service. It also have an AFS Token obtained with aklog. > > - the user will then submit a job to our Batch system. > > - the job will be processed X hours/minutes later and could last a long > > time. > > Our problem is that some jobs could last more than the AFS token lifetime. > > Once this lifetime is expired, jobs could not access AFS filesystems > > anymore and will abort. I'd give the principal a long renewable-life and use kinit --renew at job start. If the ticket can not be renewed it is either because you have exceeded the renewable-life (misconfiguration) or because some admin has turned off that principal (for example for security reasons which have turned up between ticket issue point and renew point). Harald. _______________________________________________ OpenAFS-devel mailing list [email protected] https://lists.openafs.org/mailman/listinfo/openafs-devel
