When a user logs into an AFS client, the user gets a "Kerberos ticket". The AFS token is generated from the Kerberos ticket. You can see this by logging into any AFS client and running the command 'klist.'
band-57 guest24>: klist Ticket cache: FILE:/tmp/krb5cc_22967_1Ul1SV Default principal: guest24@NJIT.EDU
Valid starting Expires Service principal 02/27/14 11:44:23 02/27/14 19:44:24 krbtgt/NJIT.EDU@NJIT.EDU renew until 03/29/14 12:44:23 02/27/14 11:44:23 02/27/14 19:44:24 afs/cad.njit.edu@NJIT.EDU renew until 03/29/14 12:44:23
To see the tokens :
band-58 guest24>: tokens
Tokens held by the Cache Manager:
User's (AFS ID 22967) tokens for email@example.com [Expires Feb 27 19:44]
--End of list--
Note that in the above case, the user logged in at 11:44 the ticket and token expires eight hours later, at 19:44. Also note that the ticket is renewable until the end of March.
The command to automatically renew the Kerberos ticket and AFS token is :
krenew -b -t -K 60
-b run the background -t run aklog to get the AFS token after the ticket is renewed -K 60 wake up every 60 minute and see if the ticket need to be renewed
Using krenew as above is useful in circumstances such as the following:
1) Maintain login credentials on a personal workstation 2) Maintain a vnc or screen session
Alternatively, krenew can take a command as an argument. In this case krenew maintains credentials specific to the command. For example, to run sftp with krenew --
krenew -t -K 60 /usr/bin/sftp
To run a long running compute job in the background where the output is directed to a file, the argument to krenew needs to be a shell followed by the command --
krenew -t -b -K 60 -- sh -c '/full/path/to/compute-job > /afs/.../output'