When a user logs into an AFS client, the user gets a Kerberos ticket, and the AFS token is generated from that ticket. You can see the ticket by logging into any AFS client and running the command 'klist':

somehost-57 user123>: klist
Ticket cache: FILE:/tmp/krb5cc_98765_1Ul1SV
Default principal: user123@NJIT.EDU

Valid starting     Expires            Service principal
02/27/14 11:44:23  02/27/14 19:44:24  krbtgt/NJIT.EDU@NJIT.EDU
	renew until 03/29/14 12:44:23
02/27/14 11:44:23  02/27/14 19:44:24  afs/
	renew until 03/29/14 12:44:23

To see the tokens:

somehost-58 user123>: tokens

Tokens held by the Cache Manager:

User's (AFS ID 98765) tokens for [Expires Feb 27 19:44]
   --End of list--

Note that in the above case the user logged in at 11:44, and the ticket and token expire eight hours later, at 19:44. Also note that the ticket is renewable until the end of March.

The command to automatically renew the Kerberos ticket and AFS token is:

krenew -b -t -K 60

-b  	: run in the background
-t  	: run aklog to get the AFS token after the ticket is renewed
-K 60 	: check every 60 minutes and see if the ticket needs to be renewed

Using krenew as above is useful in circumstances such as the following:

  • Maintain login credentials on a personal workstation
  • Maintain a VNC or screen session

Alternatively, krenew can take a command as an argument. In this case krenew maintains credentials specific to the command. For example, to run sftp with krenew:

krenew -t -K 60 /usr/bin/sftp

To run a long-running compute job in the background, with the output directed to a file, the argument to krenew needs to be a shell followed by the command:

krenew -t -b -K 60 -- sh -c '/full/path/to/compute-job > /afs/cad/.../output.file'
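
A pre-flight check for the long-running job case, added here as an example and not part of the original page: a ticket cannot be renewed past its "renew until" time, so this sh snippet parses klist output in the format shown above and tests whether that time covers a job deadline. The function names, the deadline argument and the embedded listing (constructed from the output above) are assumptions for illustration.

```sh
#!/bin/sh
# Added example: will "renew until" outlast a job deadline?
# Listing constructed from the klist output shown above (NJIT.EDU realm).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_98765_1Ul1SV
Default principal: user123@NJIT.EDU

Valid starting     Expires            Service principal
02/27/14 11:44:23  02/27/14 19:44:24  krbtgt/NJIT.EDU@NJIT.EDU
        renew until 03/29/14 12:44:23'

# to_key "MM/DD/YY HH:MM:SS" -> YYYYMMDDhhmmss, a sortable number.
# Assumes two-digit years mean 20YY and the date layout shown above.
to_key() {
    printf '%s\n' "$1" | awk '{
        split($1, d, "/"); split($2, t, ":")
        printf "20%s%s%s%s%s%s\n", d[3], d[1], d[2], t[1], t[2], t[3]
    }'
}

# tgt_field expires|renew   (klist output on stdin)
# Prints the TGT's expiry or renew-until time; prints nothing when the
# listing has no krbtgt entry or the ticket is not renewable.
tgt_field() {
    awk -v want="$1" '
        $5 ~ /^krbtgt\// {
            if (want == "expires") { print $3, $4; exit }
            tgt = 1; next
        }
        tgt && $1 == "renew" && $2 == "until" { print $3, $4; exit }
        { tgt = 0 }
    '
}

# covers DEADLINE   (klist output on stdin)
# Succeeds only if the renew-until time is at or after DEADLINE, i.e.
# periodic renewal can keep credentials valid for the whole job.
covers() {
    renew=$(tgt_field renew)
    [ -n "$renew" ] || return 1
    [ "$(to_key "$renew")" -ge "$(to_key "$1")" ]
}

# Demo on the constructed listing.
if printf '%s\n' "$SAMPLE_KLIST" | covers "03/20/14 00:00:00"; then
    echo "renewable through deadline"
fi
```

On a live client the listing would come from `klist | covers "MM/DD/YY HH:MM:SS"`, run before starting the job under krenew.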