[OpenAFS] Re: openafs versus systemd

[Chad W Seys]

>  To disable that behavior, use the "nopag" option.

Thanks Jeffrey! I never noticed that option before.  It could be helpful...

Chad.

[OpenAFS] Re: openafs versus systemd

[Jeffrey E Altman]

On 6/7/2023 5:48 PM, Chad William Seys wrote:

Hi all,
  I've been trying to know how to disable PAG, but am having a google 
fail.  Anyone have pointers.


Thanks!
Chad.

A PAG is something that must be created using pagsh or via a side effect 
of a pam module.  If you are using pam_afs_session, it defaults to 
creating a PAG.  To disable that behavior, use the "nopag" option.


Jeffrey Altman




smime.p7s
Description: S/MIME Cryptographic Signature

[OpenAFS] Re: OpenAFS-info digest, Vol 1 #7363 - 4 msgs

[Chad William Seys]

Hi all,
  I've been trying to know how to disable PAG, but am having a google 
fail.  Anyone have pointers.


Thanks!
Chad.

On 6/6/23 11:01, openafs-info-requ...@openafs.org wrote:

Send OpenAFS-info mailing list submissions to
openafs-info@openafs.org

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.openafs.org/mailman/listinfo/openafs-info
or, via email, send a message with subject or body 'help' to
openafs-info-requ...@openafs.org

You can reach the person managing the list at
openafs-info-ad...@openafs.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of OpenAFS-info digest..."


Today's Topics:

1. openafs versus systemd (Stephen Quinney)
2. openafs versus systemd (spacefrogg-open...@spacefrogg.net)
3. Re: openafs versus systemd (Giovanni Bracco)
4. Re: openafs versus systemd (Ken Hornstein)

--__--__--

Message: 1
From: Stephen Quinney 
Date: Tue, 6 Jun 2023 11:53:08 +0100
To: OpenAFS 
Subject: [OpenAFS] openafs versus systemd

We're having trouble with the dbus-user-session package messing up afs
for logins on Ubuntu 22.04. On 20.04 we solved the issue by just
removing the package but this is now very difficult due to other
dependencies.

I'm aware this issue has been discussed before on the mailing list and
also on the systemd bug tracker
 but I'm still really
unclear on what the community feels is the best solution to this
problem.

I realise not everyone is a fan of systemd and some might suggest just
disabling the user session support entirely but that also appears to
have undesirable side-effects so I'd like to minimise the impact of
any changes I have to make.

How have others solved this? Any suggestions?


Thanks,

Stephen Quinney

--__--__--

Message: 2
Date: Tue, 6 Jun 2023 13:38:47 +0200 (GMT+02:00)
From: spacefrogg-open...@spacefrogg.net
To: openafs-info@openafs.org
Subject: [OpenAFS] openafs versus systemd

I have no idea what exactly is messing up what part, but we also have home =
directories on AFS and use the following solution for several years now.

Replace the ExecStart line of the user@.service with the following script:
#!/usr/bin/bash

if [ $(id -u %i) -ge 1 ]; then
=C2=A0=C2=A0=C2=A0 export KRB5CCNAME=3D/PATH/TO/CACHE-DEPENDING-ON-$(id -u =
%i)
=C2=A0=C2=A0=C2=A0 aklog
fi
exec /path/to/systemd --user

You must use the same fixed Kerberos cache files in PAM, obviously.

You should set up a token refresh user service, so that the systemd user se=
ssion does not die due to missing filesystem access.

We also circumvent issues with PAGs by not using them. I would be intereste=
d to know, whether this approach works with PAGs.

Regards,
=E2=80=93Michael

--__--__--

Message: 3
Date: Tue, 6 Jun 2023 14:06:32 +0200
To: spacefrogg-open...@spacefrogg.net, openafs-info@openafs.org
From: Giovanni Bracco 
Subject: Re: [OpenAFS] openafs versus systemd

Is it possible (and it may be more general) to use kswitch ?

Something like:

#!/usr/bin/bash

if [ $(id -u %i) -ge 1 ]; then
  kswitch -p $(id -u %i)
  aklog
fi
exec /path/to/systemd --user


Giovanni


On 06/06/23 13:38, spacefrogg-open...@spacefrogg.net wrote:

I have no idea what exactly is messing up what part, but we also have home 
directories on AFS and use the following solution for several years now.

Replace the ExecStart line of the user@.service with the following script:
#!/usr/bin/bash

if [ $(id -u %i) -ge 1 ]; then
      export KRB5CCNAME=/PATH/TO/CACHE-DEPENDING-ON-$(id -u %i)
      aklog
fi
exec /path/to/systemd --user

You must use the same fixed Kerberos cache files in PAM, obviously.

You should set up a token refresh user service, so that the systemd user 
session does not die due to missing filesystem access.

We also circumvent issues with PAGs by not using them. I would be interested to 
know, whether this approach works with PAGs.

Regards,
–Michael
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info



___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info

[OpenAFS] 2023 AFS Technologies Workshop - virtual

[Di Marco White, Tracy J]

Hi all,

I'd like to invite anyone interested in AFS to register for the 2023 AFS 
Technologies Workshop taking place next week on June 12th, 13th, & 14th. The 
workshop is again this year being hosted on Zoom, and registration is open at 
https://workshop.openafs.org with the talks and timings listed. The main talks 
will run from 9:30am until 3pm Eastern time, with themed community discussion 
or social time for an hour before the start each day, and an hour after the 
talks end each day.

If you have any issues with registration, please mail to 
openafs.works...@gmail.com to let us help.

If you are a student at a higher education institution, please contact 
openafs.works...@gmail.com to take advantage of our offer of comped 
registration.

Please feel free to forward to anyone who you feel is interested in the 
conference

If you have any questions, please let us know at openafs.works...@gmail.com.

Tracy Di Marco White
On behalf of the 2023 Workshop organizers



Your Personal Data: We may collect and process information about you that may 
be subject to data protection laws. For more information about how we use and 
disclose your personal data, how we protect your information, our legal basis 
to use your information, your rights and who you can contact, please refer to: 
www.gs.com/privacy-notices
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info