From HPC Wiki
Revision as of 19:13, 28 February 2014 by Hpcwiki dept.admin (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

When a user logs into an AFS client, the user gets a "Kerberos ticket". The AFS token is generated from the Kerberos ticket. You can see this by logging into any AFS client and running the command 'klist.'

band-57 guest24>: klist Ticket cache: FILE:/tmp/krb5cc_22967_1Ul1SV Default principal: guest24@NJIT.EDU

Valid starting Expires Service principal 02/27/14 11:44:23 02/27/14 19:44:24 krbtgt/NJIT.EDU@NJIT.EDU renew until 03/29/14 12:44:23 02/27/14 11:44:23 02/27/14 19:44:24 afs/ renew until 03/29/14 12:44:23

To see the tokens :

band-58 guest24>: tokens

Tokens held by the Cache Manager:

User's (AFS ID 22967) tokens for [Expires Feb 27 19:44]

  --End of list--

Note that in the above case, the user logged in at 11:44 the ticket and token expires eight hours later, at 19:44. Also note that the ticket is renewable until the end of March.

The command to automatically renew the Kerberos ticket and AFS token is :

krenew -b -t -K 60

-b run the background -t run aklog to get the AFS token after the ticket is renewed -K 60 wake up every 60 minute and see if the ticket need to be renewed

Using krenew as above is useful in circumstances such as the following:

1) Maintain login credentials on a personal workstation 2) Maintain a vnc or screen session

Alternatively, krenew can take a command as an argument. In this case krenew maintains credentials specific to the command. For example, to run sftp with krenew --

krenew -t -K 60 /usr/bin/sftp

To run a long running compute job in the background where the output is directed to a file, the argument to krenew needs to be a shell followed by the command --

krenew -t -b -K 60 -- sh -c '/full/path/to/compute-job > /afs/.../output'