AFS tokens and kerberos information
Reviewed by John Sopko 12/25/2019
The AFS klog command is no longer supported on the Computer Science departments linux machines for obtaining AFS tokens to the cs.unc.edu AFS file server cell. The klog command is based on Kerberos version 4 which is no longer being developed. The klog command can still be used to obtain AFS tokens to other cells that have not yet converted to use Kerberos version 5. The main campus AFS isis.unc.edu cell supports Kerberos 5, you should use the method described below to obtain AFS tokens instead of using the klog command. At some point the klog command will not work for you.
The Computer Science department’s linux AFS clients are configured to automatically obtain AFS tokens from the department’s Kerberos 5 servers. If you login to a Red Hat linux desktop machine or if you use ssh to login to the departments servers you automatically get an AFS token that is valid for 7 days. You can still use the AFS “tokens” command line utility to view the remaining lifetime of your AFS tokens. Below is detailed information on how to manually obtain an AFS token to any AFS cell that supports AFS Kerberos 5 including our cs.unc.edu cell.
Instead of using the “klog” command you now use the following 2 commands:
Note on Red Hat 5.x systems the kerberos commands are kept in /usr/kerberos/bin. On Red Hat 6.x systems and Ubuntu systems the kerberos commands are located at in /usr/bin. Execute “lsb_release -d” to print the operating system information for the system you are logged into.
You can make a shell command alias to simulate the deprecated AFS klog command, for example to
create an alias called “ka”:
csh or tcsh alias command:
alias ka ‘/usr/bin/kinit -l7d; /usr/bin/aklog’
bash alias command:
alias ka=’/usr/bin/kinit -l7d; /usr/bin/aklog’
The kinit and aklog commands without arguments will default to getting tickets and afs tokens for our cs.unc.edu AFS cell.
The Kerberos 5 “kinit” command takes several options. The “-l7d” option will give you a Kerberos 5 ticket good for our configured maximum time of 7 days. Without this option you will get a token for whatever the default kinit command is compiled with, usually 24 hours.
To obtain an afs token to another AFS cell besides the default cs.unc.edu cell use the following commands. For example to obtain an AFS tokens to the campus AFS cell:
/usr/bin/kinit -l7d onyen@ISIS.UNC.EDU
/usr/bin/aklog -cell isis.unc.edu
Note the “ISIS.UNC.EdU” is the Kerberos 5 REALM for campus and needs to be specified in upper case letters. By convention Kerberos 5 REALMs are in upper case to distinguish them from DNS domains.
Our Computer Science Linux Kerberos 5 REALM is “CS.UNC.EDU”. We use this Kerberos REALM name because the “CS.UNC.EDU” realm is what our Windows Active Directory Server uses for its Kerberos REALM name.
The “kinit” command obtains your Kerberos 5 credentials. The technical term is a ticket granting ticket or TGT. The Open AFS “aklog” command generates an AFS token for you based on your TGT.
Here is another example. Some remote user who used to use the klog command wants to obtain an AFS token to our cs.unc.edu cell. The remote user would use:
kinit -l7d compsci_login@CS.UNC.EDU
aklog -cell cs.unc.edu
The remote user will have to have these utilities located on their machine. The aklog command comes with the Open AFS client software and the kinit command with the Kerberos software.
Another Kerberos command line utility that will list your Kerberos ticket granting tickets is:
Kerberos ticket granting tickets have an initial lifetime and a renew lifetime. This is listed in the klist output. Our CS.UNC.EDU and the campus ISIS.UNC.EDU has a maximum renew time of 14days. You can renew your Kerberos TGT and afs tokens up to the renew time without entering a password. Use the “-R” option to renew a kerberos ticket:
Renew kerberos tickets and afs tokens
If you have long-running jobs that exceed your token lifetime, or you need to keep a token alive, you can use the krenew command to extend you AFS token to a maximum of two weeks. Before you can do this, you must set the KINIT_PROG environment variable. In bash shell set the following:
% export KINIT_PROG=/usr/bin/aklog
In the csh/tcsh shell set:
% setenv KINIT_PROG /usr/bin/aklog
You can place these commands in your .cshrc or .bashrc shell startup files.
The krenew command renews your Kerberos 5 TGT and AFS token up to the maximum of 14 days, to renew every 60 minutes execute:
% /usr/bin/krenew -K 60 -t -b
You can make a command alias to renew your tokens:
bash alias command:
alias kr=’/usr/bin/krenew -K 60 -t -b’
csh or tcsh alias command:
alias kr ‘/usr/bin/krenew -K 60 -t -b’
See “man krenew” for more information.
If you really need to maintain a token indefinitely email firstname.lastname@example.org. There is a method for doing so using the k5start command but should not be used unless absolutely necessary.