[OpenAFS] OpenAFS with GDM in Ubuntu 22.04 (or 20.04)?

jukka.tuominen@finndesign.fi jukka.tuominen@finndesign.fi
Sun, 11 Sep 2022 12:30:28 +0300


Thank you, Jeffrey and Gaja, for the further information and even for giving 
some hope, and sorry about the late response - somehow my email failed to 
notify me about your important messages.

I will try my best to solve my instance using your framework 
understanding, guidelines and the script Gaja provided. The ssh usage is 
equally important in this case; a headless access to one or several 
execution nodes utilising one's personal account privileges.

I seriously wish the Gnome developers would hear you out and provide a 
supported solution upstream to help the whole OpenAFS community, not just 
the user-experience oriented professionals like me who lack the 
superpowers of the likes of you.

br, jukka

---

Jeffrey E Altman, 2022-08-29 03:05:

On 8/28/2022 3:14 AM, jukka.tuominen@finndesign.fi wrote:

> Hi all,
> 
> I wonder if anybody has OpenAFS client working with GDM in Ubuntu 
> 22.04 (or 20.04)? That is, allowing users to log into their homedirs 
> graphically.


The underlying problem is that GDM heavily relies upon processes 
launched as children of "systemd --user" services.  As a result they do 
not share the same session keyring as the child processes of login.   
The "systemd --user" expectation is that all processes executing as a 
"uid" have access to the same authentication credentials whether they be 
local or remote.  In such an environment, AFS Process Authentication 
Groups (PAGs) cannot be created as a side-effect of login.

Modify the pam configuration to disable PAG creation for GDM logins.

If the expectation is that "sshd" logins should be separate from the 
desktop, then "sshd" logins can continue to create a PAG.

Sincerely,

Jeffrey Altman

---

Gaja Peters wrote 2022-08-29 14:51:
> On 28.08.22 at 09:14 jukka.tuominen@finndesign.fi wrote:
> 
>> I wonder if anybody has OpenAFS client working with GDM in Ubuntu 
>> 22.04 (or 20.04)? That is, allowing users to log into their homedirs 
>> graphically.
> 
> Yes. But only with "nopag":
> 
> for FILE in /etc/pam.d/*
> do
>   grep '^[^#].*pam_afs_session' "$FILE" | grep -qv 'nopag' \
>     && sed -e 's|^[^#].*pam_afs_session.*[^ ]$|& |' \
>            -e 's|^[^#].*pam_afs_session.*$|&nopag|' \
>            -i "$FILE"
> done
> 
>> Having the pam settings all over the place doesn't seem to be the 
>> right path.
> 
> It's not quite "all over the place", but yes, three files are modified
> that way. Previously we (mostly) managed with a systemd-task that
> would watch dbus for a login and then obtain an AFS-token in the
> context of systemd. Effectively it's not so much different from
> "nopag" though, and this is a way easier (and in the end more stable)
> solution.
> 
> Greetings,
> Gaja Peters
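Jeffrey's suggestion above, disabling PAG creation only for GDM logins while sshd keeps creating a PAG, written out as a shell script in the spirit of Gaja's sed one-liner. This is an added example, not code from the thread; it assumes GNU sed (for `-i`) and Ubuntu's `gdm-password`/`gdm-autologin` stack names, and the sample pam.d tree it creates is constructed for an offline dry run.

```shell
#!/bin/sh
# Added example, not code from the thread: disable PAG creation only for the
# GDM pam stacks (Jeffrey's suggestion) and leave sshd's pam_afs_session line
# untouched. Assumes GNU sed (-i) and Ubuntu's gdm-password/gdm-autologin names.

# True (exit 0) when FILE has an active pam_afs_session line lacking "nopag".
needs_nopag() {
    grep '^[^#].*pam_afs_session' "$1" | grep -qv 'nopag'
}

# Append " nopag" to active pam_afs_session lines that do not carry it yet.
add_nopag() {
    needs_nopag "$1" || return 0
    sed -i -e '/^[^#].*pam_afs_session/{/nopag/!s/[[:space:]]*$/ nopag/;}' "$1"
}

# Patch only the GDM stacks under PAMDIR (default /etc/pam.d), print what changed.
gdm_nopag() {
    pamdir="${1:-/etc/pam.d}"
    for stack in gdm-password gdm-autologin; do
        f="$pamdir/$stack"
        [ -f "$f" ] || continue
        if needs_nopag "$f"; then add_nopag "$f" && echo "patched: $f"; fi
    done
}

# Audit: list every active pam_afs_session line and whether it still creates a PAG.
audit_pag() {
    grep -H '^[^#].*pam_afs_session' "${1:-/etc/pam.d}"/* 2>/dev/null |
    while IFS= read -r line; do
        case "$line" in *nopag*) echo "no PAG : $line" ;; *) echo "PAG    : $line" ;; esac
    done
}

# Constructed sample pam.d tree (not real system files) for an offline dry run.
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' '#%PAM-1.0' 'auth    required pam_unix.so' \
        'session optional pam_afs_session.so' > "$d/gdm-password"
    printf '%s\n' 'session optional pam_afs_session.so nopag' > "$d/gdm-autologin"
    printf '%s\n' '# session optional pam_afs_session.so' \
        'session optional pam_afs_session.so' > "$d/sshd"
    echo "$d"
}

SAMPLE=$(make_sample); gdm_nopag "$SAMPLE"; audit_pag "$SAMPLE"
```

Run `audit_pag` on the real `/etc/pam.d` first to see which stacks still create a PAG, then `gdm_nopag` as root; the script is idempotent, so rerunning it after a package upgrade is safe.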