> > pam_afs_session "nopag" should be used in conjunction with USM.
If no PAG is set, the 'two advantages' described in http://docs.openafs.org/Reference/1/pagsh.html go away. Specifically, this part "If the credential structure is identified by a UNIX UID rather than a PAG, then the local superuser root can assume a UNIX UID and use any tokens associated with that UID." is unacceptable for us. Traditionally, we've had departmental admins and lab managers who have root access to machines but no rights to users' AFS directories. I believe this is the point you made in the systemd/issues thread. So, we must pick our poison? A: live w/o '"systemctl --user" and all that stuff' or B: pam_afs_session with 'nopag'
