Dj Merrill wrote:
>       I tried messing with that prior to posting, but it does not seem
> to have any effect at all on the AFS token lifetime.  The AFS token
> lifetime gets set to whatever the maximum lifetime is set to,
> rather than the default of 25 hours like my Linux machines.
> To clarify, I think it seems to get set to the value of "max_life"
> within the [realms] section of my kdc.conf.
> 
>       The Leash software shows no Krb5 ticket, and says Krb4
> is not available, which I believe is correct for our environment
> (we are using only Krb5, not Krb4, and we are not using Kerberos
> for logins on the Windows clients.  We have the OpenAFS client set
> for integrated logins, and in this case the Windows login acct/password
> and the Kerberos acct/password have the same values).  It shows the
> correct AFS token, but it is for 27 days, 23 hours if I did the math
> correctly (login at 1:35pm on 10 Oct 2005, AFS token expiration of 12:35 pm
> 07 Nov 2005).  The AFS client software shows the same thing with regard
> to the AFS token.
> 
>       Where does the default AFS token lifetime get set with
> the OpenAFS for Windows client software?
> 
>       I feel like I might be overlooking something obvious somewhere...

The lifetime of the AFS tokens is equivalent to the lifetime of the
Kerberos 5 TGT that you obtain from the KDC.   If you use Leash to
obtain your Kerberos 5 TGT, then you can specify the lifetime you
want for that TGT and all service tickets obtained with it.

The OpenAFS System Tray Tool (afscreds.exe) does not have any user
interface for specifying the lifetime of tickets or tokens.  The
lifetimes used for Kerberos 5 TGTs and service tickets are those set by
Leash in the registry.   See the KFW Release Notes for details.

Jeffrey Altman
