[OpenAFS] OpenAFS with GDM in Ubuntu 22.04 (or 20.04)?

spacefrogg-openafs@spacefrogg.net spacefrogg-openafs@spacefrogg.net
Mon, 12 Sep 2022 19:45:09 +0000 (UTC)


I usually start the user@.services with the following ExecStart line:
ExecStart=-/bin/bash -c "if [ $(id -u %i) -ge LIMIT ]; then export KRB5CCNAME=/run/krb-caches/krb5cc_$(id -u %i); aklog; fi; exec /usr/lib/systemd/systemd --user"

The assumptions are:
- LIMIT is a user id limit, ids below are treated as machine-local and system users which don't have valid Kerberos credentials
- kerberos cache filenames are known (no random files)
- no use of PAG (as Jeffrey explained) or your services will lose access to AFS after a while (maybe a helper service could refresh systemd's token periodically)
- the cache was filled by some upstream process (ssh or other login)
- this means, ssh must adhere to this convention as well, which requires a small patch to sshd. Otherwise it instructs libkrb to use a random file. This would leave the pre-known cache file empty in case the ssh login is the first ever login, like on a server. I can send you the patch if interested.

Kind regards,
–Michael
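
The ExecStart logic from the message above, written out as a wrapper script; this is an added example, not code from the original message or from OpenAFS. It also checks the pre-known cache file before calling aklog, because the name is predictable and the file may be empty when no upstream login filled it. Assumptions: the function names, the `run USER` calling convention, the value 1000 for LIMIT, and the ownership and mode checks are introduced here.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the original message).
# LIMIT stands for the uid limit from the message; 1000 is an assumed value.
LIMIT=${LIMIT:-1000}
CACHE_DIR=/run/krb-caches   # directory used in the message

# cache_usable UID LIMIT CACHE: succeed only if aklog should be attempted.
cache_usable() {
    cu_uid=$1 cu_limit=$2 cu_cache=$3
    # Ids below the limit are machine-local/system users without credentials.
    [ "$cu_uid" -ge "$cu_limit" ] || return 1
    # The name is predictable, so refuse symlinks and non-regular files.
    [ ! -L "$cu_cache" ] || return 1
    [ -f "$cu_cache" ] || return 1
    # An empty file means no upstream login (ssh or other) filled the cache.
    [ -s "$cu_cache" ] || return 1
    # The cache must belong to the user and carry no group/other bits.
    [ "$(stat -c %u "$cu_cache")" = "$cu_uid" ] || return 1
    case $(stat -c %a "$cu_cache") in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# start_user_manager USER: same flow as the ExecStart line in the message.
start_user_manager() {
    sm_uid=$(id -u "$1") || return 1
    sm_cache=$CACHE_DIR/krb5cc_$sm_uid
    if cache_usable "$sm_uid" "$LIMIT" "$sm_cache"; then
        KRB5CCNAME=$sm_cache
        export KRB5CCNAME
        aklog || echo "aklog failed for uid $sm_uid" >&2
    fi
    exec /usr/lib/systemd/systemd --user
}

# Only act when called as: script run USER (e.g. with %i from user@.service).
if [ "${1:-}" = "run" ] && [ -n "${2:-}" ]; then
    start_user_manager "$2"
fi
```

The user manager is started whether or not a token was obtained, matching the original line; only the aklog step is skipped when the cache fails a check.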