[OpenAFS] Redux: Linux: systemctl --user vs. AFS

Jonathan Billings billings@negate.org
Fri, 13 Aug 2021 10:48:32 -0400


On Thu, Aug 05, 2021 at 05:11:23PM +0000, spacefrogg-openafs@spacefrogg.net wrote:
> It is as basic as it sounds. Setting up sssd is documented in its
> manpages and gets as complicated and messy as your site requires. 
> 
> user@.service: We literally changed the ExecStart= directive to a
> shell script that reads like: 
> 
> if [ ! $guard-against-system-accounts ]; then
>     export KRB5CCNAME=/path/to/cache-depending-on-$(id -u)
>     aklog
> fi
> exec /path/to/systemd --user

While I do suggest using KEYRING: or KCM: Kerberos 5 ccache, I think
that this is the ideal solution.  Previously, I was getting AFS tokens
for the systemd --user session with a user service that ran *AFTER*
systemd --user launched, but the aforementioned method gets tokens
*BEFORE* systemd --user runs, so the user session already has a PAG
with a token in it.

This is my new configuration:

# cat /etc/systemd/system/user@.service.d/afs.conf
# Disable the default action and run a script instead
[Service]
ExecStart=
ExecStart=-/usr/libexec/afs/systemd-user-execstart.sh



# cat /usr/libexec/afs/systemd-user-execstart.sh 
#!/bin/bash

# Don't get tokens if $UID isn't defined
if [[ -z "$UID" ]]; then
	exec /usr/lib/systemd/systemd --user
fi

# System accounts do not need tokens in systemd user
if [[ "$UID" -lt 1000 ]]; then
	exec /usr/lib/systemd/systemd --user
fi

# Skip if no krb5 tools
if [[ ! -x /usr/bin/klist ]]; then
	exec /usr/lib/systemd/systemd --user
fi

# Set ccache name
export KRB5CCNAME="KEYRING:persistent:$UID"

# Get AFS Tokens
if /usr/bin/klist -s; then
	/usr/bin/aklog
fi

exec /usr/lib/systemd/systemd --user

======================================================================

With the above configuration, users (with UID >= 1000) have AFS tokens
in their systemd --user session, and all the services that are
launched out of their home directory launch fine (assuming they
support AFS homedirs).  

My execstart script could probably use some work, and better logic,
but it is a first attempt.  It is great to see systemd --user launch
with AFS tokens this way.

Now, when I'm logged in with my regular user, I see this after SSH'ing
in (this is my RHEL 8 test VM):

[jbillings@rhel8 ~]$ systemctl --user status
● rhel8
    State: running
     Jobs: 0 queued
   Failed: 0 units
    Since: Fri 2021-08-13 10:31:25 EDT; 1min 10s ago
   CGroup: /user.slice/user-1000.slice/user@1000.service
           ├─pulseaudio.service
           │ └─3775 /usr/bin/pulseaudio --daemonize=no --log-target=journal
           ├─init.scope
           │ ├─3747 /usr/lib/systemd/systemd --user
           │ └─3754 (sd-pam)
           └─dbus.service
             └─3837 /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only

(Logging in through GDM works too, but the output of 'systemctl --user
status' is really long)

-- 
Jonathan Billings <billings@negate.org>
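
The wrapper logic from the message above, reworked as an added example (not part of the original post or of OpenAFS): it reads the system-account boundary from UID_MIN in /etc/login.defs instead of hardcoding 1000, and reports an aklog failure on stderr instead of ignoring it. The function names uid_min and wants_tokens and the --exec argument (which ExecStart= would have to pass) are assumptions made for this example.

```sh
#!/bin/sh
# Added example: token-acquiring wrapper for "systemd --user".
# Paths and the KEYRING ccache name are the ones used in the post.
SYSTEMD=/usr/lib/systemd/systemd

# Print UID_MIN from a login.defs-style file (last valid entry wins);
# fall back to 1000, the boundary the post hardcodes.
uid_min() {
    defs=${1:-/etc/login.defs}
    min=""
    if [ -r "$defs" ]; then
        min=$(awk '$1 == "UID_MIN" && $2 ~ /^[0-9]+$/ { v = $2 }
                   END { if (v != "") print v }' "$defs")
    fi
    echo "${min:-1000}"
}

# Succeed only for a numeric UID at or above the boundary.
wants_tokens() {
    uid=$1
    min=$2
    case "$uid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$uid" -ge "$min" ]
}

main() {
    uid=$(id -u)
    if wants_tokens "$uid" "$(uid_min)" &&
       [ -x /usr/bin/klist ] && [ -x /usr/bin/aklog ]; then
        export KRB5CCNAME="KEYRING:persistent:$uid"
        # Only call aklog when the ccache holds valid credentials.
        if /usr/bin/klist -s; then
            /usr/bin/aklog || echo "aklog failed for uid $uid" >&2
        fi
    fi
    # Always start the user manager, with or without tokens.
    exec "$SYSTEMD" --user
}

# Hypothetical switch: only replace this process when asked to,
# so the functions above can be exercised without starting systemd.
if [ "${1:-}" = "--exec" ]; then
    main
fi
```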