[OpenAFS] OpenAFS with GDM in Ubuntu 22.04 (or 20.04)?

jukka.tuominen@finndesign.fi jukka.tuominen@finndesign.fi
Thu, 15 Sep 2022 00:02:27 +0300


My older setting for pam_krb5 seems to have a minimum UID of 1000, which 
I'm using. I do have a single local user for administration, so it is 
needed. I would definitely appreciate it if you can send the patch though, thank 
you.

This is how far I am now:

Once logged in as a local user, I can successfully kinit, aklog and 
access the homedir. However, when I try to log in using GDM, I get an 
error that the password authentication didn't work. But auth.log, on the 
other hand, says gdm-password:auth authenticated the krb user attached 
to the correct realm, having first failed trying the username as a local 
unix user. I'd guess that is the desired behavior this far. The next 
line, gdm-password:account, fails: "could not identify user (from 
etpwnam("
There used to be another error line, but I got rid of it, and I can't 
recall now what it was.

All afs lines now have nopag attributes.

I will keep trying to tweak the pam settings once I have some spare 
time, again.

br, jukka

spacefrogg-openafs@spacefrogg.net kirjoitti 2022-09-12 22:45:
> I usually start the user@.service with the following ExecStart line:
> ExecStart=-/bin/bash -c "if [ $(id -u %i) -ge LIMIT ]; then export
> KRB5CCNAME=/run/krb-caches/krb5cc_$(id -u %i); aklog; fi; exec
> /usr/lib/systemd/systemd --user"
> 
> The assumptions are:
> - LIMIT is a user id limit, ids below are treated as machine-local and
> system users which don't have valid Kerberos credentials
> - kerberos cache filenames are known (no random files)
> - no use of PAG (as Jeffrey explained) or your services will lose
> access to AFS after a while (maybe a helper service could refresh
> systemd's token periodically)
> - the cache was filled by some upstream process (ssh or other login)
> - this means, ssh must adhere to this convention as well, which
> requires a small patch to sshd. Otherwise it instructs libkrb to use a
> random file. This would leave the pre-known cache file empty in case
> the ssh login is the first ever login, like on a server. I can send
> you the patch if interested.
> 
> Kind regards,
> –Michael
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
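As an added example (not Michael's unit file or anything from OpenAFS), the cache-selection logic of that ExecStart line as a sourceable script, with two checks a practitioner would want before calling aklog: the UID is numeric and at or above the limit, and the fixed-name cache file actually exists and is owned by that user (the "ssh was the first login" case leaves it missing). LIMIT, CACHE_DIR, the script path and the function names are assumptions.

```shell
#!/bin/bash
# Assumed values: UIDs below LIMIT are local/system users without Kerberos
# credentials; CACHE_DIR holds the pre-known caches krb5cc_<uid>.
LIMIT="${LIMIT:-1000}"
CACHE_DIR="${CACHE_DIR:-/run/krb-caches}"

# Print the expected cache path for a UID; fail for non-numeric or sub-LIMIT UIDs.
krb_cache_for_uid() {
    local uid="$1"
    case "$uid" in ''|*[!0-9]*) return 1 ;; esac
    [ "$uid" -ge "$LIMIT" ] || return 1
    printf '%s/krb5cc_%s\n' "$CACHE_DIR" "$uid"
}

# aklog is only worth attempting when the cache exists and belongs to the user;
# a cache owned by someone else would be a sign of a misconfigured upstream login.
should_aklog() {
    local uid="$1" cache
    cache="$(krb_cache_for_uid "$uid")" || return 1
    [ -f "$cache" ] || return 1
    [ "$(stat -c %u "$cache")" = "$uid" ]
}

# Drop-in replacement for the ExecStart body (assumed install path):
#   ExecStart=-/bin/bash -c '. /usr/local/lib/krb-afs-env.sh; start_user_manager %i'
start_user_manager() {
    local uid="$1"
    if should_aklog "$uid"; then
        KRB5CCNAME="FILE:$(krb_cache_for_uid "$uid")"
        export KRB5CCNAME
        # A failed aklog should not block the user session; log and continue.
        aklog || echo "aklog failed for uid $uid, continuing without AFS token" >&2
    fi
    exec /usr/lib/systemd/systemd --user
}
```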