document how to get TGT

rhel8/kerberos.md

@@ -25,6 +25,29 @@ export KRB5CCNAME=$OLD_KRB5CCNAME
 ```
 to delete your administrative tickets and to get back to your normal credential cache.
 
+### Update TGT on Long Running Sessions
+The TGT will be automatically renewed for 7 days.
+Note that a screen unlock or a new connection with NoMachine NX will update the credential cache with a new TGT.
+
+But also manual reauthentication is possible. Inside the session you can do
+```
+kinit
+```
+Outside of the session you first need to figure out the credential cache used.
+First get the process ID of the process which needs authentication, then
+```
+$ strings /proc/$PID/environ | grep KRB5CCNAME
+KRB5CCNAME=KCM:44951:iepgjskbkd
+$
+```
+and then a
+```
+KRB5CCNAME=KCM:44951:iepgjskbkd kinit
+```
+will update given credential cache.
+
+Note that for AFS it will look in all caches for a valid TGT, so logging in on the desktop or ssh with password or ticket delegation is sufficient to make AFS access work for another week.
+
 ### List all Credential Caches
 ```
 KRB5CCNAME=KCM: klist -l
@@ -275,6 +298,8 @@ The code you find in [Gitlab](https://git.psi.ch/linux-infra/pam_single_kcm_cach
 
 ## Diagrams about Kerberos related Interactions
 
+Below diagrams show how PAM and especially `pam_single_kcm_cache.so` interact with the KCM in different use cases.
+
 ### Login with SSH using Password Authentication
 ![Login with SSH and Password Authentication](kerberos/kerberos_sshd_password_only.png)