Coda File System

Re: How to renew coda tickets and tokens automatically?

Date: Mon, 11 Jul 2016 13:05:53 +0200
Hello Karl-Philipp,

On Mon, Jul 11, 2016 at 11:13:55AM +0200, Karl-Philipp Richter wrote:
> Hi,
> OpenAFS has the ability to renew kerberos tickets and get AFS tokens
> automatically with the `krenew` command. Is there an equivalent in coda?

It is not an "ability of OpenAFS" but an ability of krenew,
to renew Kerberos tickets and run external commands when asked to.

You _can_ use "krenew" with Coda:

 AKLOG=clog krenew -t ....

but then you need a Kerberos-capable Coda build (and realm), which
regrettably is not included in upstream.

When you do not need _all_ of the krenew functionality, here is
an example of a shell one-liner which acts similarly to krenew
as a daemon (doing nothing specific to either AFS or Coda):

 while sleep 10000; do kinit -R; done

Together with a Kerberos-aware clog:

 while sleep 10000; do kinit -R [...]; clog [...]; done

Without Kerberos you have no use for krenew, but you can still do something like:

 while sleep 30000; do clog xxx@yyyy </protected/file/with/a/pass; done

Here the pass file plays the same role as the Kerberos credentials cache
with krenew. The difference is that the pass does not expire while the
credentials cache is designed to. This nice property of Kerberos credentials
is also available to Coda when clog is built with Kerberos support but
this is not necessarily crucial for a particular deployment.

The differing sleep amounts above reflect the expected credentials
validity length, several hours for a Kerberos TGT, somewhat over 24
hours for Coda tokens. To protect oneself from possible temporary
reauthentication failures it is preferable to make more than one attempt
during the validity period.

(A different approach would be generation of Coda tokens with longer
validity. This relies on administrative rights on the Coda realm
and as such is much more intrusive.)

Does this address your needs?

Received on 2016-07-11 07:15:53
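
An added example, not part of the original message: the password-file renewal loop from the reply, written as POSIX shell functions that also refuse a password file readable by other users and count consecutive failures so a supervisor can be alerted before the token expires. The function names, the `CLOG_USER` and `PASSFILE` variables, the 90000-second token lifetime and the failure limit are assumptions for illustration.

```shell
#!/bin/sh
# Added example: Coda token renewal loop with retry accounting.
# All names and numbers below are illustrative assumptions.

# Sleep length that places $2 renewal attempts strictly inside a
# validity period of $1 seconds.
renew_interval() {
    [ "$2" -gt 0 ] || return 2
    echo $(( $1 / ($2 + 1) ))
}

# True only for a regular file (not a symlink) owned by the caller with
# no group/other permission bits. The file holds a non-expiring secret.
passfile_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    case "$(ls -ld -- "$1" | cut -c1-10)" in
        -???------) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 = user@realm, $2 = password file; re-checks the file on every renewal.
clog_from_file() {
    passfile_is_private "$2" || { echo "refusing $2: not private" >&2; return 1; }
    clog "$1" < "$2"
}

# Run "$@" every $INTERVAL seconds. A success resets the counter; after
# $MAX_FAILS consecutive failures return 1 instead of retrying silently.
renew_loop() {
    fails=0
    while sleep "$INTERVAL"; do
        if "$@"; then
            fails=0
        else
            fails=$((fails + 1))
            echo "renewal failed ($fails/$MAX_FAILS): $*" >&2
            [ "$fails" -lt "$MAX_FAILS" ] || return 1
        fi
    done
}

# Stand-alone use: CLOG_USER=user@realm PASSFILE=/path sh renew.sh run
if [ "${1:-}" = run ]; then
    INTERVAL=$(renew_interval 90000 2)   # 30000 s, two tries per period
    MAX_FAILS=2                          # give up while the token is still valid
    renew_loop clog_from_file "$CLOG_USER" "$PASSFILE"
fi
```

A non-zero exit from `renew_loop` is the signal for whatever supervises the script (cron wrapper, service manager) to notify the user.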