[OpenAFS] openafs versus systemd

Ken Hornstein kenh@cmf.nrl.navy.mil
Tue, 06 Jun 2023 09:04:25 -0400

>I'm aware this issue has been discussed before on the mailing list and
>also on the systemd bug tracker
><https://github.com/systemd/systemd/issues/7261> but I'm still really
>unclear on what the community feels is the best solution to this

>From my limited imperfect understanding, it seems the fundamental issue
is the systemd people are using a model where they assume the same
Unix user on the same system all have the same credentials (including
Kerberos credentials), and Kerberos/OpenAFS by default use a session
based model (only decendants of a particular process have access to the
same credentials) and the systemd people think a session based credential
access model is inherently ridiculous.

It seems like the solutions fall into one of two buckets: disable the
systemd --user support (which as you note is becoming more unworkable
as of late especially with things like GNOME) or switch to a per-user
credential management system for Kerberos and OpenAFS.  The latter
solution requires at a minimum switching to file-based credential caches
for Kerberos and possibly disabling PAGs (I suspect you could still use
PAGs with OpenAFS as it seems like systemd --user still goes through
the PAM stack).

At least at our site we do not run into this as an issue as 95% of our
access is remote and in that instance it is easy to make everything
session based.  I can only say that based on previous painful experiences
we would never use file-based Kerberos credential caches, but short of
some complicated reworking inside of systemd (which the systemd people
seem to not be interested in doing) there does not seem to be an ideal