When a user logs into an AFS client, the user gets a "Kerberos ticket". The AFS token is generated from the Kerberos ticket. You can see this by logging into any AFS client and running the command 'klist':
    somehost-57 user123>: klist
    Ticket cache: FILE:/tmp/krb5cc_98765_1Ul1SV
    Default principal: user123@NJIT.EDU

    Valid starting     Expires            Service principal
    02/27/14 11:44:23  02/27/14 19:44:24  krbtgt/NJIT.EDU@NJIT.EDU
            renew until 03/29/14 12:44:23
    02/27/14 11:44:23  02/27/14 19:44:24  afs/cad.njit.edu@NJIT.EDU
            renew until 03/29/14 12:44:23
To see the tokens:
    somehost-58 user123>: tokens

    Tokens held by the Cache Manager:

    User's (AFS ID 98765) tokens for firstname.lastname@example.org [Expires Feb 27 19:44]
       --End of list--
Note that in the above case, the user logged in at 11:44, and the ticket and token expire eight hours later, at 19:44. Also note that the ticket is renewable until the end of March.
The command to automatically renew the Kerberos ticket and AFS token is:

    krenew -b -t -K 60

    -b : run in the background
    -t : run aklog to get the AFS token after the ticket is renewed
    -K 60 : check every 60 minutes and see if the ticket needs to be renewed
Using krenew as above is useful in circumstances such as the following:
- Maintain login credentials on a personal workstation
- Maintain a VNC or screen session
Alternatively, krenew can take a command as an argument. In this case krenew maintains credentials specific to the command. For example, to run sftp with krenew:
krenew -t -K 60 /usr/bin/sftp
To run a long-running compute job in the background where the output is directed to a file, the argument to krenew needs to be a shell followed by the command:
krenew -t -b -K 60 -- sh -c '/full/path/to/compute-job > /afs/cad/.../output.file'
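
A ticket cannot be renewed past the "renew until" time that klist reports, so a job that runs longer than that loses its credentials even under krenew. The following is an added example, not part of the original page: it parses klist output in the format shown above and classifies whether a job of a given length fits the current ticket, needs krenew, or outlives the renewable lifetime. The function names, the result labels and the MM/DD/YY date format are assumptions of this example.

```python
from datetime import datetime, timedelta

# Constructed sample: the klist output shown on this page.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_98765_1Ul1SV
Default principal: user123@NJIT.EDU

Valid starting     Expires            Service principal
02/27/14 11:44:23  02/27/14 19:44:24  krbtgt/NJIT.EDU@NJIT.EDU
        renew until 03/29/14 12:44:23
02/27/14 11:44:23  02/27/14 19:44:24  afs/cad.njit.edu@NJIT.EDU
        renew until 03/29/14 12:44:23
"""

FMT = "%m/%d/%y %H:%M:%S"  # assumption: dates print as MM/DD/YY, as above


def parse_klist(text):
    """Return one dict per ticket: service, start, expires, renew_until."""
    tickets = []
    for line in text.splitlines():
        p = line.split()
        try:
            if len(p) == 5 and "@" in p[4]:
                tickets.append({
                    "service": p[4],
                    "start": datetime.strptime(f"{p[0]} {p[1]}", FMT),
                    "expires": datetime.strptime(f"{p[2]} {p[3]}", FMT),
                    "renew_until": None,  # filled in by the next line, if any
                })
            elif p[:2] == ["renew", "until"] and len(p) == 4 and tickets:
                tickets[-1]["renew_until"] = datetime.strptime(f"{p[2]} {p[3]}", FMT)
        except ValueError:
            continue  # not a ticket line in the expected date format
    return tickets


def classify_job(tickets, now, job_hours):
    """Say whether a job started at `now` keeps valid credentials throughout."""
    tgt = next((t for t in tickets if t["service"].startswith("krbtgt/")), None)
    if tgt is None or now >= tgt["expires"]:
        return "no-valid-ticket"
    end = now + timedelta(hours=job_hours)
    if end <= tgt["expires"]:
        return "fits-current-ticket"
    if tgt["renew_until"] and end <= tgt["renew_until"]:
        return "needs-krenew"
    return "outlives-renewable-lifetime"


if __name__ == "__main__":
    now = datetime(2014, 2, 27, 12, 0, 0)  # constructed "current time"
    for hours in (4, 48, 24 * 40):
        print(hours, classify_job(parse_klist(SAMPLE_KLIST), now, hours))
```
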