[OpenAFS] Obtaining tokens at login on Ubuntu 18.04
Prasad K. Dharmasena
pkd@umd.edu
Sat, 18 Aug 2018 18:46:17 -0400
--0000000000005b84900573bd7379
Content-Type: text/plain; charset="UTF-8"
>
> pam_afs_session "nopag" should be used in conjunction with USM.
If no PAG is set, the 'two advantages' described in
http://docs.openafs.org/Reference/1/pagsh.html go away. Specifically, this
part "If the credential structure is identified by a UNIX UID rather than a
PAG, then the local superuser root can assume a UNIX UID and use any tokens
associated with that UID." is unacceptable for us. Traditionally, we've had
departmental admins and lab managers who have root access to machines but
no rights to users' AFS directories. I believe, this is the point you made
in the systemd/issues thread.
So, we must pick our poison? A: live w/o '"systemctl --user" and all that
stuff' or B: pam_afs_session with 'nopag'
--0000000000005b84900573bd7379
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr"><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px =
0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">pam_afs_=
session "nopag" should be used in conjunction with USM.</blockquo=
te><div><div class=3D"gmail_quote"><div><br></div><div>If no PAG is set, th=
e 'two advantages' described in=C2=A0<a href=3D"http://docs.openafs=
.org/Reference/1/pagsh.html">http://docs.openafs.org/Reference/1/pagsh.html=
</a> go away.=C2=A0 Specifically, this part "If the credential structu=
re is identified by a UNIX UID rather than a PAG, then the local superuser =
root can assume a UNIX UID and use any tokens associated with that UID.&quo=
t; is unacceptable for us. Traditionally, we've had departmental admins=
and lab managers who have root access to machines but no rights to users&#=
39; AFS directories.=C2=A0 I believe, this is the point you made in the sys=
temd/issues thread.</div><div><br></div><div>So, we must pick our poison?=
=C2=A0 <font color=3D"#000000">A: live w/o '"systemctl --user"=
; and all that stuff'=C2=A0 or B: pam_afs_session with 'nopag'<=
/font></div><div><span style=3D"color:rgb(80,0,80)"><br></span></div><div><=
br></div></div></div></div>
--0000000000005b84900573bd7379--