From 2ea1fab1d4b390c8efe0e0ed1e87b429503c176e Mon Sep 17 00:00:00 2001 From: Konrad Bucheli Date: Wed, 2 Nov 2022 12:58:08 +0100 Subject: [PATCH] document how to get TGT --- rhel8/kerberos.md | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/rhel8/kerberos.md b/rhel8/kerberos.md index 2cd8ffac..9be34528 100644 --- a/rhel8/kerberos.md +++ b/rhel8/kerberos.md @@ -25,6 +25,29 @@ export KRB5CCNAME=$OLD_KRB5CCNAME ``` to delete your administrative tickets and to get back to your normal credential cache. +### Update TGT on Long Running Sessions +The TGT will be automatically renewed for 7 days. +Note that a screen unlock or a new connection with NoMachine NX will update the credential cache with a new TGT. + +But also manual reauthentication is possible. Inside the session you can do +``` +kinit +``` +Outside of the session you first need to figure out the credential cache used. +First get the process ID of the process which needs authentication, then +``` +$ strings /proc/$PID/environ | grep KRB5CCNAME +KRB5CCNAME=KCM:44951:iepgjskbkd +$ +``` +and then a +``` +KRB5CCNAME=KCM:44951:iepgjskbkd kinit +``` +will update given credential cache. + +Note that for AFS it will look in all caches for a valid TGT, so logging in on the desktop or ssh with password or ticket delegation is sufficient to make AFS access work for another week. + ### List all Credential Caches ``` KRB5CCNAME=KCM: klist -l @@ -275,6 +298,8 @@ The code you find in [Gitlab](https://git.psi.ch/linux-infra/pam_single_kcm_cach ## Diagrams about Kerberos related Interactions +Below diagrams show how PAM and especially `pam_single_kcm_cache.so` interact with the KCM in different use cases. + ### Login with SSH using Password Authentication ![Login with SSH and Password Authentication](kerberos/kerberos_sshd_password_only.png)
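Review bot: In the first hunk (rhel8/kerberos.md, "Update TGT on Long Running Sessions"), the "Outside of the session" step uses `$PID` without showing how to obtain it, and it does not mention that `/proc/$PID/environ` is readable only by the owner of the process or by root. Suggest adding one line that shows how to find the process ID and stating which user has to run the command. The `grep KRB5CCNAME` is unanchored, so it also matches a variable such as `OLD_KRB5CCNAME`, which the context line above this section exports; `grep '^KRB5CCNAME='` avoids that. Please also mark `KCM:44951:iepgjskbkd` as sample output to be replaced with the value actually found, since the following `kinit` line repeats it literally. Wording: "will update given credential cache" should read "will update the given credential cache", and "But also manual reauthentication is possible" reads better as "Manual reauthentication is also possible".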
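Review bot: In the second hunk, the sentence added under "Diagrams about Kerberos related Interactions" starts with "Below diagrams show", which should be "The diagrams below show". The sentence names `pam_single_kcm_cache.so` and "the KCM" without expanding KCM; if the term is not defined earlier in the file, a short expansion or a link to the section that introduces it would help readers who land directly on the diagrams.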