Linux machines that have krenew installed can keep Kerberos tickets and AFS tokens valid in an automated fashion. How long a ticket can keep being renewed depends on how the account is configured in the KDC; typically new tickets can be renewed for up to a week. For example, to run a script under krenew, which renews the ticket (and, with -t, re-obtains the AFS token) as needed until the script exits:

krenew -t -- ~/bin/testkrenew.bash > ~/tmp/testkrenew.out 2> ~/tmp/testkrenew.err
More about what is going on
SCS has a good source of AFS help.
Logging onto an ECE Linux host, either on the console or remotely via ssh, requires entering a username and password (i.e., no tickets are obtained when using public-key authentication). A password login obtains a Kerberos ticket and an AFS token for the session. To see the current state of these, run:

klist -f
tokens
klist lists Kerberos tickets, and the -f flag causes the ticket flags to be listed as well. The tickets obtained on initial logon should have the I (initial), F (forwardable) and R (renewable) flags set. On ECE hosts the lifespan should be 25 hours from the time they were obtained, and they can be renewed for 7 days. The ticket cache location is also listed. These are the parameters krenew will use, though krenew runs the command in a new PAG with its own copy of the tickets in a new ticket cache.

username@ecexxx:~> date
Fri Aug 31 10:02:00 EDT 2012
username@ecexxx:~> klist -f
Ticket cache: FILE:/var/tmp/krb5cc_username_nNSLfy
Default principal: username@ECE.CMU.EDU

Valid starting     Expires            Service principal
08/31/12 10:01:54  09/01/12 11:01:54  krbtgt/ECE.CMU.EDU@ECE.CMU.EDU
        renew until 09/01/12 12:41:54, Flags: FRI
username@ecexxx:~> tokens
Tokens held by the Cache Manager:

Tokens for email@example.com [Expires Sep  1 11:01]
   --End of list--
A Kerberos ticket can be renewed as long as it has not yet expired (and its renewable lifetime has not run out). Once the Kerberos ticket is renewed, the AFS token needs to be re-obtained from it as well. krenew automates this renewal only for the command run under its control. Renewal can also be done manually: kinit -R renews the ticket already in the cache, and aklog then gets a fresh AFS token from the renewed ticket:

kinit -r 7d -l 25h -f -R
aklog
Even though a renewal period of 7 days was requested, kinit -R only renews within the existing ticket's renewable lifetime, so the "renew until" date will not have changed. Similarly, once fewer than 25 hours remain before the renewable lifetime ends, the renewed ticket's expiry is clamped to the "renew until" time rather than the full 25 hours requested. If the tickets or tokens have expired, or if tickets with a fresh 7-day renewal period are wanted, new tickets must be obtained. Requesting new tickets requires typing in the password:

kinit -r 7d -l 25h -f
aklog
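The decision described above (renew with kinit -R and aklog while the ticket is still valid and inside its renewal window, otherwise get new tickets with a password) can be scripted. The following is an added example, not code from the original post or from krenew; it assumes the MIT-style klist -f output layout shown above, and the SAMPLE_KLIST text is constructed from that transcript. The check_live function, which calls the real klist, kinit and aklog, is an assumed usage and only runs when the script is invoked with --live.

```shell
#!/bin/sh
# Added example: classify a Kerberos TGT from `klist -f` output as
# "renew" (kinit -R && aklog will work) or "reacquire" (a fresh kinit
# with password is needed). Assumes MIT Kerberos klist output format.

# Constructed sample, based on the klist -f transcript in the post.
SAMPLE_KLIST='Ticket cache: FILE:/var/tmp/krb5cc_username_nNSLfy
Default principal: username@ECE.CMU.EDU

Valid starting     Expires            Service principal
08/31/12 10:01:54  09/01/12 11:01:54  krbtgt/ECE.CMU.EDU@ECE.CMU.EDU
        renew until 09/01/12 12:41:54, Flags: FRI'

# to_key: turn "MM/DD/YY HH:MM:SS" into a sortable YYMMDDHHMMSS integer.
to_key() {
    echo "$1" | awk -F'[/ :]' '{ printf "%s%s%s%s%s%s\n", $3, $1, $2, $4, $5, $6 }'
}

# tgt_fields: read klist output on stdin; print "<expires>|<renew until>|<flags>"
# for the krbtgt entry (renew-until and flags come from the line after it).
tgt_fields() {
    awk '
        /krbtgt\// {
            exp_ = $3 " " $4
            ru = ""; fl = ""
            if ((getline nxt) > 0) {
                if (match(nxt, /renew until [^,]*/)) ru = substr(nxt, RSTART + 12, RLENGTH - 12)
                if (match(nxt, /Flags: [A-Za-z]*/))  fl = substr(nxt, RSTART + 7, RLENGTH - 7)
            }
            print exp_ "|" ru "|" fl
            exit
        }'
}

# ticket_action NOW KLIST_OUTPUT: prints "renew" or "reacquire".
# NOW is in the same "MM/DD/YY HH:MM:SS" form klist uses.
ticket_action() {
    now_key=$(to_key "$1")
    fields=$(printf '%s\n' "$2" | tgt_fields)
    [ -n "$fields" ] || { echo reacquire; return; }      # no TGT in the cache
    expires=${fields%%|*}
    rest=${fields#*|}
    renew_until=${rest%%|*}
    flags=${rest#*|}
    # An expired ticket cannot be renewed at all.
    [ "$now_key" -lt "$(to_key "$expires")" ] || { echo reacquire; return; }
    # Without the R flag kinit -R is refused by the KDC.
    case $flags in *R*) ;; *) echo reacquire; return ;; esac
    # Past "renew until" the renewable lifetime is used up.
    if [ -n "$renew_until" ] && [ "$now_key" -ge "$(to_key "$renew_until")" ]; then
        echo reacquire; return
    fi
    echo renew
}

# check_live: assumed usage against the real commands (only with --live).
check_live() {
    now=$(date '+%m/%d/%y %H:%M:%S')
    current=$(klist -f 2>/dev/null)
    case $(ticket_action "$now" "$current") in
        renew)     kinit -R && aklog ;;
        reacquire) kinit -r 7d -l 25h -f && aklog ;;   # prompts for the password
    esac
}

if [ "$1" = "--live" ]; then
    check_live
else
    # Offline demonstration on the constructed sample.
    echo "2h after login:     $(ticket_action '08/31/12 12:00:00' "$SAMPLE_KLIST")"
    echo "after expiry:       $(ticket_action '09/01/12 11:30:00' "$SAMPLE_KLIST")"
fi
```

Run without arguments it only evaluates the embedded sample; with --live it inspects the current ticket cache and either renews or prompts for a password. Note that, as the post explains, kinit -R can only move the expiry up to the existing "renew until" time, which is why the script falls back to a full kinit once that window has closed.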