You might be experiencing the same bug I'm working with Microsoft. That is, Windows would appear to not properly set the flags in its renewal request when authenticating against a foreign Kerberos realm, so the ticket one gets back from the foreign Kerberos realm is not renewable.
You can verify your TGTs by typing, at a Windows command prompt: klist tgt and then, after the ticket should have been renewed, typing that command again to see what happened.

On Fri, Dec 05, 2014 at 07:31:37PM +0100, Dr. Hendrik Naumann wrote:
> Hi
>
> I am looking for a way to set up the Integrated Logon in such a way
> that the acquired AFS Tokens can be renewed.
>
> We are using the latest versions of OpenAFS (1.7.31), NIM (2.102.907)
> and Heimdal Kerberos (1.6.2.0). We have identical user accounts stored
> in our central Unix Kerberos Realm (TU-BERLIN) which authenticates
> also the AFS and your windows domain WIN.TU-BERLIN.DE. Both Realms
> have a trust relationship.
>
> On the windows clients the heimdal default realm is configured to
> TU-BERLIN.DE and the default AFS cell to TU-BERLIN.DE. The integrated
> logon works fine, but after login the NIM only shows the AFS Token
> acquired during the logon process but not the TGT and Service
> Certificate afs/[email protected] which must have been used to
> get the AFS Token for [email protected].
>
> Is there any way to get access to the Kerberos Tickets from the
> integrated logon? Under Linux Kerberos can be configured to store its
> Tickets in a file and thus the TGT and also the Token can be renewed
> later.
>
> If I open the NIM and obtain a new TGT from TU-BERLIN.DE, the Token
> renewal works fine. However this would require all users to type in
> their password twice and in addition fiddle with the NIM at all.
>
> Do you have any idea how I can renew the AFS token without additional
> user interaction?
>
> Thanks very much
>
> Hendrik Naumann
>
> --
> Dr. Hendrik Naumann
> Technische Universität Berlin
> Institut für Chemie, Sekr. C3
> Leiter EDV Chemie
> Strasse des 17. Juni 115
> 10623 Berlin
> Tel.: +49 30 314 29892 Mobil: +49 172 314 0410 Fax: +49 30 314 29309
> WWW: http://www.chemie.tu-berlin.de/it
> E-Mail: [email protected]

--
********************************
David William Botsch
Programmer/Analyst
@CNFComputing
[email protected]
********************************
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
