Sergio Gelato wrote:
> * Robbert Eggermont [2009-07-02 11:55:31 +0200]:
>> Our AD Kerberos server serves tickets with a 10 hour expiration time,
>> thus my tickets (and AFS tokens) expire at night. I would like to
>> automatically renew my AFS token for all processes started from KDE
>> (which seem to be in the same PAG). Is there a "standard" solution for this?
>
> krenew should be good enough.
>
>> I tried to run 'krenew -b -t -K 60' from a /opt/kde3/env/ shell script.
>> When running klist in a shell under KDE, I see the Kerberos ticket (in
>> /tmp/krb5cc_xxxx) being renewed every 5 hours. However, my AFS token in
>> the shell is not being renewed. According to the krenew and shell PAG
>> group IDs, they seem to be in the same PAG. Krenew seems to work as
>> expected when run in a shell under KDE. What am I missing here?
>
> Is this Linux? Which kernel version?

Sorry, yes, Linux 2.6.22.19-0.3-default (x86_64).

> In recent Linux (from 2.6.18 onwards) I wouldn't trust the group IDs to
> tell me the truth about PAG membership. Running "keyctl show" is the
> preferred way. Outside a PAG I get:
>
> Session Keyring
> -3 --alswrv 1000 -1 keyring: _uid_ses.1000
> 708748815 --alswrv 1000 -1 \_ keyring: _uid.1000
>
> while inside it I get:
>
> Session Keyring
> -3 --alswrv 1000 1000 keyring: _ses.7860
> 512427344 ----s--v 0 0 \_ afs_pag: _pag
>
> Different PAGs have different session keyring names.
>
> There *is* code in the OpenAFS kernel module that tries to update the
> group ID based on the keyring contents, but in my experience it doesn't
> always work. So if PAGs are keyring-based on your system, please look
> at the keyring contents before assuming that the PAG is the same.

I just installed keyutils; I'll see what keyctl tells me.

> I suppose you could wrap aklog (by setting the AKLOG variable in krenew's
> environment) in a script that does useful logging. That way you
> should be able to demonstrate whether aklog is being run, with what
> arguments, in what PAG, and whether there is a fresh token afterwards.

Thanks for the tip, I'll try this as well.

> You may also be able to work out some of this from the contents of your
> Kerberos credentials cache. Is there a new AFS service ticket along
> with the new TGT?

No, when the TGT is renewed, all other tickets are dropped. Does this mean
that aklog is not run at all (not even in a different PAG)?

Cheers,

Robbert
--
Robbert Eggermont                    Information & Communication Theory
[email protected]          Electr.Eng., Mathematics & Comp.Science
+31 (15) 2783234                      Delft University of Technology
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
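The two checks suggested in the thread (read PAG membership from `keyctl show` rather than from group IDs, and wrap aklog so every run krenew triggers is logged with its PAG and the resulting tokens), as an added example that is not code from the thread or from OpenAFS. The two listings are the ones quoted above; AKLOG_LOG, REAL_AKLOG and TOKENS_CMD are override variables assumed by this script only, not options of krenew or aklog.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes keyutils (keyctl) and the OpenAFS
# user tools (aklog, tokens) are installed; AKLOG_LOG, REAL_AKLOG and TOKENS_CMD
# are this script's own (hypothetical) overrides for log file and binaries.

# The two `keyctl show` listings quoted in the thread, kept here as sample input.
KEYCTL_OUTSIDE='Session Keyring
-3 --alswrv 1000 -1 keyring: _uid_ses.1000
708748815 --alswrv 1000 -1 \_ keyring: _uid.1000'
KEYCTL_INSIDE='Session Keyring
-3 --alswrv 1000 1000 keyring: _ses.7860
512427344 ----s--v 0 0 \_ afs_pag: _pag'

# Print the session keyring name from `keyctl show` output on stdin.
# Two processes share a PAG only if this name matches; _uid_ses.<uid> means the
# process has no session keyring of its own (it is outside any PAG).
pag_name() {
    awk '/keyring:/ { print $NF; exit }'
}

# Succeed (exit 0) if the listing on stdin contains an afs_pag key.
in_pag() {
    grep -q 'afs_pag:'
}

# aklog wrapper: record time, pid, PAG and arguments, run the real aklog, then
# record its exit status and the token list. Install as a script whose last
# line is `log_aklog "$@"` and export AKLOG=/path/to/that/script before krenew.
log_aklog() {
    log=${AKLOG_LOG:-$HOME/aklog-wrapper.log}
    real=${REAL_AKLOG:-/usr/bin/aklog}
    pag=$(keyctl show 2>/dev/null | pag_name)
    printf '%s pid=%s pag=%s args=%s\n' "$(date '+%F %T')" "$$" \
        "${pag:-unknown}" "$*" >>"$log"
    "$real" "$@"
    rc=$?
    printf '%s aklog exit=%s\n' "$(date '+%F %T')" "$rc" >>"$log"
    ${TOKENS_CMD:-tokens} >>"$log" 2>&1
    return "$rc"
}

# Stand-alone demo: classify the two quoted listings.
for listing in "$KEYCTL_OUTSIDE" "$KEYCTL_INSIDE"; do
    name=$(printf '%s\n' "$listing" | pag_name)
    if printf '%s\n' "$listing" | in_pag; then state='in a PAG'; else state='outside any PAG'; fi
    echo "session keyring $name: $state"
done
```

Run `keyctl show | pag_name` from the KDE shell and from inside the wrapper's log to see whether krenew's aklog really runs in the same session keyring as the shell.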
