Re: [OpenAFS] Re: openafs versus systemd
On 6/28/2023 10:18 AM, Jan Henrik Sylvester wrote:
> On 6/28/23 15:02, Jeffrey E Altman wrote:
>> On 6/28/2023 3:54 AM, Jan Henrik Sylvester wrote:
>>> On 6/9/23 13:38, Jan Henrik Sylvester wrote:
>>>> - you cannot use snap packages with a home directory outside /home: use ppa:mozillateam/ppa for Firefox and Google Chrome instead of Chromium
>>>
>>> Correction: This does not seem to be true anymore. snap set system homedirs=/afs/math.uni-hamburg.de/users works for Ubuntu 22.04. The Firefox snap does start with this setting. We have very limited experience with this setting. Kerberos authentication does not work in Firefox snap, which is a known problem (independent of AFS).
>>
>> What credential cache type is in use? The underlying issues are the same as for PAGs. The assumption is that a 'uid' represents all of the authorization credentials associated with the user. If the Kerberos credential cache is using a session keyring or something that is not global to the 'uid', then there will be no Kerberos TGT available to snap.
>
> Maybe I was not clear enough. Accessing the home directories from Firefox is not the issue. Kerberized http is the issue:

You were clear. I am suggesting that you use a Kerberos credential cache that is tied to the uid, for example a keyring with user scope instead of session scope.

Jeffrey Altman
Re: [OpenAFS] Re: openafs versus systemd
On 6/28/23 15:02, Jeffrey E Altman wrote:
> On 6/28/2023 3:54 AM, Jan Henrik Sylvester wrote:
>> On 6/9/23 13:38, Jan Henrik Sylvester wrote:
>>> - you cannot use snap packages with a home directory outside /home: use ppa:mozillateam/ppa for Firefox and Google Chrome instead of Chromium
>>
>> Correction: This does not seem to be true anymore. snap set system homedirs=/afs/math.uni-hamburg.de/users works for Ubuntu 22.04. The Firefox snap does start with this setting. We have very limited experience with this setting. Kerberos authentication does not work in Firefox snap, which is a known problem (independent of AFS).
>
> What credential cache type is in use? The underlying issues are the same as for PAGs. The assumption is that a 'uid' represents all of the authorization credentials associated with the user. If the Kerberos credential cache is using a session keyring or something that is not global to the 'uid', then there will be no Kerberos TGT available to snap.

Maybe I was not clear enough. Accessing the home directories from Firefox is not the issue. Kerberized http is the issue:

https://bugzilla.mozilla.org/show_bug.cgi?id=1734791

There is apparmor, there is snap sandboxing. It is not just about the PAGs or keyrings. We do use a file-based Kerberos cache in /tmp (which is blocked by apparmor for Firefox, which is not the only issue according to the bug report). Yes, we could try to change that. All I wanted to say is that getting snap packages to run with AFS home directories may not immediately solve all problems that come with snap packages in general.

With the deb package, we ended up completely disabling the Firefox apparmor profile to solve some other problems. We have not investigated that with the snap package yet. Moreover, there is the question whether or not apparmor is useful in general if we have to disable it for applications that are a huge attack surface to a desktop system, such as Firefox or Libreoffice, because we cannot fix their apparmor profiles completely.

Anyhow, these problems may not be directly related to AFS. For example, Libreoffice with an AFS home directory works fine with apparmor for the Ubuntu desktop environment, but fails for the Plasma desktop environment as long as the apparmor profile is active.

BTW: The solution to the snap problem is a bit unexpected, since the documentation states that "snap set system homedirs=" is available from snapd 2.59 onwards, but Ubuntu 22.04 has snapd 2.58. Anyhow, it does work with Ubuntu 22.04.

Best,
Jan Henrik

___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
Re: [OpenAFS] Re: openafs versus systemd
On 6/28/2023 3:54 AM, Jan Henrik Sylvester wrote:
> On 6/9/23 13:38, Jan Henrik Sylvester wrote:
>> - you cannot use snap packages with a home directory outside /home: use ppa:mozillateam/ppa for Firefox and Google Chrome instead of Chromium
>
> Correction: This does not seem to be true anymore. snap set system homedirs=/afs/math.uni-hamburg.de/users works for Ubuntu 22.04. The Firefox snap does start with this setting. We have very limited experience with this setting. Kerberos authentication does not work in Firefox snap, which is a known problem (independent of AFS).

What credential cache type is in use? The underlying issues are the same as for PAGs. The assumption is that a 'uid' represents all of the authorization credentials associated with the user. If the Kerberos credential cache is using a session keyring or something that is not global to the 'uid', then there will be no Kerberos TGT available to snap.

Jeffrey Altman
Re: [OpenAFS] Re: openafs versus systemd
On 6/9/23 13:38, Jan Henrik Sylvester wrote:
> - you cannot use snap packages with a home directory outside /home: use ppa:mozillateam/ppa for Firefox and Google Chrome instead of Chromium

Correction: This does not seem to be true anymore. snap set system homedirs=/afs/math.uni-hamburg.de/users works for Ubuntu 22.04. The Firefox snap does start with this setting. We have very limited experience with this setting. Kerberos authentication does not work in Firefox snap, which is a known problem (independent of AFS).

Best,
Jan Henrik
Re: [OpenAFS] Re: openafs versus systemd
On 6/9/23 12:00, Harald Barth wrote:
> I think a step-by-step guide on how to run an Ubuntu 22.04LTS and 23.04 desktop along with OpenAFS would be very much appreciated, because I hear that folks are struggling with this and, as it "is not possible", use that argument to "then we can not run AFS - period".

At the math department of the University of Hamburg, we do use home directories in the AFS on Ubuntu 22.04 desktop machines. The main configuration:

- Use ppa:openafs/stable
- Apparmor must ignore /afs and /var/cache/openafs
- pam_afs_session must use the nopag option (we used to have scripts to copy credentials between contexts, but they did not always work)
- you cannot use snap packages with a home directory outside /home: use ppa:mozillateam/ppa for Firefox and Google Chrome instead of Chromium

We have fairly large scripts to set up an Ubuntu desktop. I have tried to extract the relevant lines for AFS (which are not all needed):

    TAB=$(printf '\t')
    # the two heredoc bodies marked "..." were dropped by the list archive
    debconf-set-selections <<EOF
    ...
    EOF
    cat > /etc/apparmor.d/tunables/home.d/ubuntu <<EOF
    ...
    EOF
    AAAB=/etc/apparmor.d/abstractions/base
    AAAB_AFS_CACHE_LINE='/var/cache/openafs/** rw,'
    AAAB_AFS_BASE_LINE='/afs/** rw,'
    grep -q afs/ "$AAAB" || AA_RELOAD=yes
    fgrep -q "$AAAB_AFS_CACHE_LINE" "$AAAB" || cat >>"$AAAB" <<EOF
    $AAAB_AFS_CACHE_LINE
    EOF
    fgrep -q "$AAAB_AFS_BASE_LINE" "$AAAB" || cat >>"$AAAB" <<EOF
    $AAAB_AFS_BASE_LINE
    EOF
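An added example, not taken from Jan Henrik's scripts: a POSIX sh audit of the three settings this thread turns on (the two AppArmor base-abstraction rules, the nopag option on pam_afs_session, and, following Jeffrey's suggestion above, a Kerberos credential cache scoped to the uid rather than to a session keyring), run here against constructed sample files. The default system paths named in the trailing comment are the usual Ubuntu locations and are an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): audit the settings this thread names
# for an OpenAFS home-directory desktop. Files are passed as arguments so the
# checks can run against copies; the usual Ubuntu paths are listed at the end.

# 1. AppArmor base abstraction must carry both /afs rules.
check_apparmor_base() {
    grep -qF '/afs/** rw,' "$1" && grep -qF '/var/cache/openafs/** rw,' "$1"
}

# 2. Every pam_afs_session line must have the nopag option.
check_pam_nopag() {
    grep -q 'pam_afs_session' "$1" || return 1
    ! grep 'pam_afs_session' "$1" | grep -qv 'nopag'
}

# 3. krb5.conf: the ccache must be tied to the uid, not to a session, process
#    or thread keyring, or confined apps (snaps) will not see the TGT.
check_krb5_ccache_scope() {
    name=$(sed -n 's/^[[:space:]]*default_ccache_name[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    case "$name" in
        KEYRING:session:*|KEYRING:process:*|KEYRING:thread:*) return 1 ;;
        *) return 0 ;;
    esac
}

# Run all three and report what is missing; non-zero if anything failed.
audit_afs_desktop() {
    rc=0
    check_apparmor_base "$1" || { echo "apparmor: /afs rules missing in $1"; rc=1; }
    check_pam_nopag "$2" || { echo "pam: pam_afs_session lacks nopag in $2"; rc=1; }
    check_krb5_ccache_scope "$3" || { echo "krb5: session-scoped ccache in $3"; rc=1; }
    return $rc
}

# Constructed sample files (not real system files) so the script runs offline.
make_samples() {
    d=$1
    printf '/afs/** rw,\n/var/cache/openafs/** rw,\n' > "$d/base.ok"
    printf '/var/cache/openafs/** rw,\n' > "$d/base.bad"
    printf 'session optional pam_afs_session.so nopag\n' > "$d/pam.ok"
    printf 'session optional pam_afs_session.so\n' > "$d/pam.bad"
    printf '[libdefaults]\n default_ccache_name = KEYRING:persistent:%%{uid}\n' > "$d/krb5.ok"
    printf '[libdefaults]\n default_ccache_name = KEYRING:session:krb5cc\n' > "$d/krb5.bad"
}

# Live system (assumed Ubuntu paths):
# audit_afs_desktop /etc/apparmor.d/abstractions/base /etc/pam.d/common-session /etc/krb5.conf
```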
Re: [OpenAFS] Re: openafs versus systemd
I think a step-by-step guide on how to run an Ubuntu 22.04LTS and 23.04 desktop along with OpenAFS would be very much appreciated, because I hear that folks are struggling with this and, as it "is not possible", use that argument to "then we can not run AFS - period".

Harald.
[OpenAFS] Re: openafs versus systemd
> To disable that behavior, use the "nopag" option.

Thanks Jeffrey! I never noticed that option before. It could be helpful...

Chad.
[OpenAFS] Re: openafs versus systemd
On 6/7/2023 5:48 PM, Chad William Seys wrote:
> Hi all,
> I've been trying to know how to disable PAG, but am having a google fail. Anyone have pointers?
> Thanks!
> Chad.

A PAG is something that must be created using pagsh or via a side effect of a pam module. If you are using pam_afs_session, it defaults to creating a PAG. To disable that behavior, use the "nopag" option.

Jeffrey Altman