[OpenAFS] openafs versus systemd

spacefrogg-openafs@spacefrogg.net spacefrogg-openafs@spacefrogg.net
Tue, 6 Jun 2023 13:38:47 +0200 (GMT+02:00)

I have no idea what exactly is messing up what part, but we also have home directories on AFS and have used the following solution for several years now.

Replace the ExecStart line of the user@.service with the following script:

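if [ "$(id -u %i)" -ge 10000 ]; then
    # AFS users only: point at the fixed per-user cache, then get a token.
    # (The export line is cut off after "id -u" in the archived message.)
    export KRB5CCNAME=/PATH/TO/CACHE-DEPENDING-ON-$(id -u
    aklog
fi
exec /path/to/systemd --user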

You must use the same fixed Kerberos cache files in PAM, obviously.

You should set up a token refresh user service, so that the systemd user session does not die due to missing filesystem access.

We also circumvent issues with PAGs by not using them. I would be interested to know whether this approach works with PAGs.
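
A sketch of the token refresh job mentioned in the message, as an added example that is not part of the original post or of OpenAFS. The cache directory, the krb5cc_<uid> file name and the "refresh" argument are assumptions; because the cache path is fixed and predictable, the script checks the file's type, owner and mode before using it.

```shell
#!/bin/sh
# Added example: token refresh for a fixed per-UID Kerberos cache.
# CACHE_DIR and the krb5cc_<uid> naming are assumptions; use the same
# path that PAM and the user@.service wrapper export as KRB5CCNAME.
CACHE_DIR="${CACHE_DIR:-/run/krb5cc}"   # hypothetical location
AFS_MIN_UID=10000                        # threshold used in the post

cache_path() {          # $1 = numeric uid
    printf '%s/krb5cc_%s\n' "$CACHE_DIR" "$1"
}

is_afs_user() {         # $1 = numeric uid
    [ "$1" -ge "$AFS_MIN_UID" ]
}

# A fixed path is only trustworthy if nobody else could have created
# or replaced the file: require a regular file (not a symlink), owned
# by the caller, with no group/other permission bits.
cache_ok() {            # $1 = cache file
    [ -f "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    case "$(ls -ld -- "$1")" in
        -rw-------*) return 0 ;;
        *)           return 1 ;;
    esac
}

refresh_tokens() {
    uid=$(id -u)
    is_afs_user "$uid" || return 0      # local accounts: nothing to do
    cache=$(cache_path "$uid")
    cache_ok "$cache" || { echo "refusing unsafe cache: $cache" >&2; return 1; }
    KRB5CCNAME="$cache"; export KRB5CCNAME
    kinit -R && aklog                   # needs a renewable ticket
}

# Intended to be started periodically by a user timer, for example
# ExecStart=/path/to/this-script refresh (path is a placeholder).
if [ "${1:-}" = "refresh" ]; then
    refresh_tokens
fi
```
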