Dj Merrill wrote:
>       In our environment, the LIFETIME variable is not set.
> The HKCU\Software\MIT\Leash,lifetime is present, and is set to
> 1500, which the notes say is minutes, so 25 hours.
> The HKLM\Software\MIT\Leash,lifetime is not present.

>       Accordingly, we should be getting 25 hour tokens, correct?

Yes.

>       Note that if I open the Leash GUI, it tells me that
> I do not have any Kerberos 4 or 5 tickets, just the
> AFS tokens.  Do I have a configuration issue perhaps?

The AFS System Tray tool supports the use of multiple Kerberos
principals and therefore multiple simultaneous credential caches.
Leash only supports the use of one credential cache. Use

        klist -C

to list the contents of all of the credentials caches on the machine.

>       Interestingly enough, if I open the OpenAFS tray tool, and
> manually discard tokens, then obtain new tokens, I get a token
> lifetime of 5 days, 5 hours (125 hours, or 7500 minutes).
> I can't figure out where this value is coming from at all.
> Why would this get a different token lifetime than the
> integrated login?
> 
>       If I manually Initialize Tickets from within the
> Leash GUI, I get a Krb 5 ticket good for 21 hours, and I get an
> AFS token that has a lifetime of 21 hours (not 25).
> 
>       I'm getting a bit confused.  I'm aiming for a configuration
> where people are able to login at the Windows login prompt,
> and automatically get an AFS token (integrated login) with a
> default lifetime of 25 hours, without ever having to type their
> password a second time.

There is a lifetime bug in OAFW which I will fix in the next release
candidate.  You can take a look at the latest daily builds tomorrow at

        http://web.mit.edu/jaltman/Public/OpenAFS/
        /afs/athena.mit.edu/user/j/a/jaltman/Public/OpenAFS/

When this is fixed, the Leash lifetime imported from the registry will
be used correctly.

Jeffrey Altman
