[OpenAFS] home dir in afs, debian
Christian
chanlists@googlemail.com
Sun, 12 Oct 2025 03:47:41 +0200
Dear Jan,

thanks for the message. Setting nopag = true in the [appdefaults]
section of /etc/krb5.conf appears to "fix" the gdm login. However, I am
somewhat surprised (or maybe it is just a lack of understanding of sudo
on my end) that if I log in as a user, and issue sudo -i, root still has
tokens (presumably because pam_afs_session is called again, and because
KRB5CCNAME is preserved?). If I now issue "unlog", tokens are gone, as
expected. But then if I exit and return to "user", also "user"'s tokens
are gone... Is that expected?

Best wishes,
Christian

On 10/7/25 12:45, Jan Henrik Sylvester wrote:
> On 10/7/25 10:11 AM, Christian wrote:
>> Tickets and tokens are there. But logging in to gnome via gdm3 fails.
>
> This list has had discussion on that topic before. In short, we used
> to have a systemd service to execute aklog in the systemd user session
> (after locating the correct Kerberos ticket cache), but we have given
> up on that approach and simply use the option nopag for
> pam_afs_session (in common-auth, common-session, and
> common-session-noninteractive). We have not had any trouble because of
> this (no token has vanished because one of multiple parallel SSH
> sessions has logged out or something like that).
>
> Best,
> Jan Henrik