Re: [OpenAFS] Re: openafs versus systemd

2023-06-28 Thread Jeffrey E Altman

On 6/28/2023 10:18 AM, Jan Henrik Sylvester wrote:

> On 6/28/23 15:02, Jeffrey E Altman wrote:
>
>> On 6/28/2023 3:54 AM, Jan Henrik Sylvester wrote:
>>
>>> On 6/9/23 13:38, Jan Henrik Sylvester wrote:
>>>> - you cannot use snap packages with a home directory outside /home:
>>>> use ppa:mozillateam/ppa for Firefox and Google Chrome instead of
>>>> Chromium
>>>
>>> Correction: This does not seem to be true anymore.
>>>
>>> snap set system homedirs=/afs/math.uni-hamburg.de/users
>>>
>>> works for Ubuntu 22.04.
>>>
>>> The Firefox snap does start with this setting. We have very limited
>>> experience with this setting. Kerberos authentication does not work
>>> in Firefox snap, which is a known problem (independent of AFS).
>>
>> What credential cache type is in use?
>>
>> The underlying issues are the same as for PAGs. The assumption is
>> that a 'uid' represents all of the authorization credentials
>> associated with the user. If the Kerberos credential cache is using
>> a session keyring or something that is not global to the 'uid', then
>> there will be no Kerberos TGT available to snap.
>
> Maybe I was not clear enough. Accessing the home directories from
> Firefox is not the issue. Kerberized http is the issue:

You were clear. I am suggesting that you use a Kerberos credential
cache that is tied to the uid, for example a keyring with user scope
instead of session scope.


Jeffrey Altman




smime.p7s
Description: S/MIME Cryptographic Signature
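Jeffrey's suggestion turns on the scope of the Kerberos credential cache, so here is a small shell helper (an added example written for this archive, not code from the thread, from OpenAFS or from MIT krb5) that classifies a cache name by which processes can see its tickets and pulls the cache name out of `klist` output. The cache-name forms are the ones MIT krb5 documents; the `klist` output is constructed, and the remark on FILE caches refers to the AppArmor confinement Jan describes further down the thread.

```shell
#!/bin/sh
# Added example, not from the thread: which processes can see the tickets
# in a given Kerberos credential cache? A snap (or anything started outside
# the login session, e.g. by systemd --user) only finds the TGT if the cache
# is scoped to the uid rather than to one session or process.

ccache_scope() {
    case "$1" in
        KEYRING:persistent:*|KEYRING:user:*) echo uid ;;        # every process of the uid
        KEYRING:session:*)                   echo session ;;    # this login session only
        KEYRING:process:*)                   echo process ;;
        KEYRING:thread:*)                    echo thread ;;
        KEYRING:*)                           echo session ;;    # legacy KEYRING:name, session scope
        KCM:*)                               echo uid ;;        # daemon-held, keyed by uid; the
                                                                # sandbox must reach the socket
        FILE:*|DIR:*|/*)                     echo filesystem ;; # uid-wide on disk, but a confined
                                                                # app needs AppArmor access to it
        *)                                   echo unknown ;;
    esac
}

# Pull the cache name out of klist's first line ("Ticket cache: TYPE:name").
klist_ccache() {
    sed -n 's/^Ticket cache: //p' | head -n 1
}

# Constructed klist output, not captured from a real host.
SAMPLE_KLIST='Ticket cache: KEYRING:session:12345
Default principal: someone@EXAMPLE.ORG'

name=$(printf '%s\n' "$SAMPLE_KLIST" | klist_ccache)
echo "$name -> $(ccache_scope "$name")"
echo "${KRB5CCNAME:-<KRB5CCNAME unset>} -> $(ccache_scope "${KRB5CCNAME:-}")"
```

On MIT krb5 the uid-scoped choice Jeffrey suggests is selected with `default_ccache_name = KEYRING:persistent:%{uid}` in the `[libdefaults]` section of krb5.conf. Whether a confined Firefox can then reach that keyring is a separate question of the snap sandbox, which Jan raises below.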


Re: [OpenAFS] Re: openafs versus systemd

2023-06-28 Thread Jan Henrik Sylvester

On 6/28/23 15:02, Jeffrey E Altman wrote:

> On 6/28/2023 3:54 AM, Jan Henrik Sylvester wrote:
>
>> On 6/9/23 13:38, Jan Henrik Sylvester wrote:
>>> - you cannot use snap packages with a home directory outside /home:
>>> use ppa:mozillateam/ppa for Firefox and Google Chrome instead of
>>> Chromium
>>
>> Correction: This does not seem to be true anymore.
>>
>> snap set system homedirs=/afs/math.uni-hamburg.de/users
>>
>> works for Ubuntu 22.04.
>>
>> The Firefox snap does start with this setting. We have very limited
>> experience with this setting. Kerberos authentication does not work in
>> Firefox snap, which is a known problem (independent of AFS).
>
> What credential cache type is in use?
>
> The underlying issues are the same as for PAGs. The assumption is that
> a 'uid' represents all of the authorization credentials associated with
> the user. If the Kerberos credential cache is using a session keyring
> or something that is not global to the 'uid', then there will be no
> Kerberos TGT available to snap.

Maybe I was not clear enough. Accessing the home directories from
Firefox is not the issue. Kerberized http is the issue:


https://bugzilla.mozilla.org/show_bug.cgi?id=1734791

There is apparmor, there is snap sandboxing. It is not just about the 
PAGs or keyrings.


We do use a file based Kerberos cache in /tmp (which is blocked by 
apparmor for Firefox, which is not the only issue according to the bug 
report). Yes, we could try to change that. All I wanted to say is 
getting snap packages to run with AFS home directories may not 
immediately solve all problems that come with snap packages in general.


With the deb package, we ended up completely disabling the Firefox 
apparmor profile to solve some other problems. We have not investigated 
that with the snap package, yet. Moreover, there is the question whether 
or not apparmor is useful in general if we have to disable it for 
applications that are a huge attack surface to a desktop system such as 
Firefox or Libreoffice, because we cannot fix their apparmor profiles 
completely. Anyhow, these problems may not be directly related to AFS. 
For example, Libreoffice with AFS home directory works fine with 
apparmor for the Ubuntu desktop environment, but fails for the Plasma 
desktop environment as long as the apparmor profile is active.


BTW: The solution to the snap problem is a bit unexpected, since the 
documentation states that "snap set system homedirs=" is available from 
snapd 2.59 onwards, but Ubuntu 22.04 has snapd 2.58. Anyhow, it does 
work with Ubuntu 22.04.


Best,
Jan Henrik
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info


Re: [OpenAFS] Re: openafs versus systemd

2023-06-28 Thread Jeffrey E Altman

On 6/28/2023 3:54 AM, Jan Henrik Sylvester wrote:

> On 6/9/23 13:38, Jan Henrik Sylvester wrote:
>> - you cannot use snap packages with a home directory outside /home:
>> use ppa:mozillateam/ppa for Firefox and Google Chrome instead of
>> Chromium
>
> Correction: This does not seem to be true anymore.
>
> snap set system homedirs=/afs/math.uni-hamburg.de/users
>
> works for Ubuntu 22.04.
>
> The Firefox snap does start with this setting. We have very limited
> experience with this setting. Kerberos authentication does not work in
> Firefox snap, which is a known problem (independent of AFS).

What credential cache type is in use?

The underlying issues are the same as for PAGs. The assumption is that
a 'uid' represents all of the authorization credentials associated with
the user. If the Kerberos credential cache is using a session keyring
or something that is not global to the 'uid', then there will be no
Kerberos TGT available to snap.


Jeffrey Altman






Re: [OpenAFS] Re: openafs versus systemd

2023-06-28 Thread Jan Henrik Sylvester

On 6/9/23 13:38, Jan Henrik Sylvester wrote:
> - you cannot use snap packages with a home directory outside /home: use
> ppa:mozillateam/ppa for Firefox and Google Chrome instead of Chromium

Correction: This does not seem to be true anymore.

snap set system homedirs=/afs/math.uni-hamburg.de/users

works for Ubuntu 22.04.

The Firefox snap does start with this setting. We have very limited
experience with this setting. Kerberos authentication does not work in
Firefox snap, which is a known problem (independent of AFS).


Best,
Jan Henrik


Re: [OpenAFS] Re: openafs versus systemd

2023-06-09 Thread Jan Henrik Sylvester

On 6/9/23 12:00, Harald Barth wrote:

> I think a step-by-step guide on how to run an Ubuntu 22.04 LTS and 23.04
> desktop along with OpenAFS would be very much appreciated, because I
> hear that folks are struggling with this and, as it "is not possible",
> use that argument to get to "then we can not run AFS - period".


At the math department of the University of Hamburg, we do use home 
directories in the AFS on Ubuntu 22.04 desktop machines.


The main configuration:
- Use ppa:openafs/stable
- Apparmor must ignore /afs and /var/cache/openafs
- pam_afs_session must use the nopag option (we used to have scripts to 
copy credentials between contexts, but they did not always work)
- you cannot use snap packages with a home directory outside /home: use 
ppa:mozillateam/ppa for Firefox and Google Chrome instead of Chromium


We have fairly large scripts to set up an Ubuntu desktop. I have tried to 
extract the relevant lines for AFS (which are not all needed):


TAB=$(printf '\t')
debconf-set-selections > 
/etc/apparmor.d/tunables/home.d/ubuntu

AAAB=/etc/apparmor.d/abstractions/base
AAAB_AFS_CACHE_LINE='/var/cache/openafs/** rw,'
AAAB_AFS_BASE_LINE='/afs/** rw,'
grep -q afs/ "$AAAB" || AA_RELOAD=yes
# The two heredocs that appended these lines did not survive the list
# archive; the append guarded by each fgrep test is reconstructed here.
fgrep -q "$AAAB_AFS_CACHE_LINE" "$AAAB" || printf '%s\n' "$AAAB_AFS_CACHE_LINE" >>"$AAAB"
fgrep -q "$AAAB_AFS_BASE_LINE" "$AAAB" || printf '%s\n' "$AAAB_AFS_BASE_LINE" >>"$AAAB"
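The three configuration points Jan lists (AppArmor must see /afs and the OpenAFS cache, pam_afs_session must run with nopag, snapd must know about home directories outside /home) are easy to lose on the next package upgrade, so here is an audit script, added for this archive and not part of Jan's setup scripts or of OpenAFS, that checks all three against a root prefix and returns the number of failed checks. It builds constructed fixture files under a temporary directory so it runs offline; the snap homedirs value is passed in as an argument (on a live system it comes from `snap get system homedirs`), and the path /afs/example.org/users in the demo run is a placeholder, not the Hamburg path.

```shell
#!/bin/sh
# Added example, not from the thread: audit a desktop for the AFS-home
# settings discussed above. ROOT is a filesystem prefix ("" for the live
# system), so the checks can be exercised offline against fixture files.

AFS_BASE_LINE='/afs/** rw,'
AFS_CACHE_LINE='/var/cache/openafs/** rw,'

# afs_audit ROOT AFS_HOME SNAP_HOMEDIRS
#   AFS_HOME       AFS path that holds the home directories
#   SNAP_HOMEDIRS  value of "snap get system homedirs", passed in because
#                  that command needs a running snapd
# Prints one line per check; returns the number of failed checks.
afs_audit() {
    root=$1; afs_home=$2; snap_homedirs=$3
    fails=0

    # 1. abstractions/base must let confined programs reach /afs and the
    #    OpenAFS cache, otherwise every profiled application breaks at login.
    base="$root/etc/apparmor.d/abstractions/base"
    for line in "$AFS_BASE_LINE" "$AFS_CACHE_LINE"; do
        if [ -f "$base" ] && grep -qF -- "$line" "$base"; then
            echo "ok   apparmor: '$line' present"
        else
            echo "FAIL apparmor: '$line' missing from $base"
            fails=$((fails + 1))
        fi
    done

    # 2. pam_afs_session without "nopag" creates a PAG at login; the AFS
    #    token then belongs to that PAG rather than to the uid, and processes
    #    started elsewhere (snap, systemd --user) never see it.
    for pam in "$root"/etc/pam.d/*; do
        [ -f "$pam" ] || continue
        nopag_missing=$(grep -v '^[[:space:]]*#' "$pam" \
            | grep 'pam_afs_session\.so' | grep -vc nopag || true)
        if [ "$nopag_missing" -gt 0 ]; then
            echo "FAIL pam: $pam loads pam_afs_session.so without nopag"
            fails=$((fails + 1))
        fi
    done

    # 3. snapd must be told about home directories outside /home.
    case ",$snap_homedirs," in
        *",$afs_home,"*) echo "ok   snap: homedirs includes $afs_home" ;;
        *) echo "FAIL snap: homedirs='$snap_homedirs' lacks $afs_home"
           fails=$((fails + 1)) ;;
    esac
    return "$fails"
}

# Build a constructed fixture tree under DIR; MODE is "good" or "bad".
make_fixture() {
    dir=$1; mode=$2
    mkdir -p "$dir/etc/apparmor.d/abstractions" "$dir/etc/pam.d"
    if [ "$mode" = good ]; then
        printf '%s\n' "$AFS_CACHE_LINE" "$AFS_BASE_LINE" \
            > "$dir/etc/apparmor.d/abstractions/base"
        printf 'session optional pam_afs_session.so nopag\n' \
            > "$dir/etc/pam.d/common-session"
    else
        printf '/usr/share/** r,\n' > "$dir/etc/apparmor.d/abstractions/base"
        printf 'session optional pam_afs_session.so\n' \
            > "$dir/etc/pam.d/common-session"
    fi
}

# Stand-alone demo against both fixtures (placeholder AFS path).
tmp=$(mktemp -d)
make_fixture "$tmp/good" good
afs_audit "$tmp/good" /afs/example.org/users /afs/example.org/users
make_fixture "$tmp/bad" bad
afs_audit "$tmp/bad" /afs/example.org/users /home
rm -rf "$tmp"
```

Run with an empty ROOT and the real homedirs value to audit the live machine; a non-zero exit count is what to look at after an apparmor, libpam-afs-session or snapd upgrade.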

Re: [OpenAFS] Re: openafs versus systemd

2023-06-09 Thread Harald Barth


I think a step-by-step guide on how to run an Ubuntu 22.04 LTS and 23.04
desktop along with OpenAFS would be very much appreciated, because I
hear that folks are struggling with this and, as it "is not possible",
use that argument to get to "then we can not run AFS - period".

Harald.




[OpenAFS] Re: openafs versus systemd

2023-06-07 Thread Chad W Seys
>  To disable that behavior, use the "nopag" option.

Thanks Jeffrey! I never noticed that option before.  It could be helpful...

Chad.


[OpenAFS] Re: openafs versus systemd

2023-06-07 Thread Jeffrey E Altman

On 6/7/2023 5:48 PM, Chad William Seys wrote:

> Hi all,
>   I've been trying to find out how to disable PAG, but am having a google
> fail.  Anyone have pointers?
>
> Thanks!
> Chad.

A PAG is something that must be created using pagsh or via a side effect 
of a pam module.  If you are using pam_afs_session, it defaults to 
creating a PAG.  To disable that behavior, use the "nopag" option.


Jeffrey Altman



