Hi, On Thu, May 25, 2006 at 12:23:01PM -0700, Brady Catherman wrote: > I am currently considering moving our environment to OpenAFS but before I > can switch I need to make sure a few things are going to keep working.. > > We have users that use or systems for months on end without logging off > and I am concerned that the kerberos ticket they are being issued will > expire. Having them log back into kerberos/openafs isn't really a good > option for us (I am having a hard enough time selling even the basic > conversion, let alone anything that requires user action!)
Use some kind of reauthentication. On one of my AFS-clients there are 4 processes running *always* (->they start when the computer boots up, they terminate only, when the computer is going to reboot). I'm using a self-written tool "tokenmgr" which knows how to execute kinit, aklog and some other programs in the right way to ensure that a valid token is always available. In most cases, I'm using keytabs to provide the necessary Kerberos credentials. A different method can be used for interactive or "semi-interactive" sessions. When someone logs in by ssh, he would just type 'tokenmgr -R' (and enter his passwort twice) to get an arbitrary number of virtual terminals (using the almighty 'screen' command). All programs run in those terminals will always have a valid token. Regards, Frank _______________________________________________ OpenAFS-info mailing list [email protected] https://lists.openafs.org/mailman/listinfo/openafs-info
