> I'm aware this issue has been discussed before on the mailing list and
> also on the systemd bug tracker
> <https://github.com/systemd/systemd/issues/7261> but I'm still really
> unclear on what the community feels is the best solution to this
> problem.
From my limited, imperfect understanding, it seems the fundamental issue is that the systemd people are using a model where they assume the same Unix user on the same system all has the same credentials (including Kerberos credentials), while Kerberos/OpenAFS by default use a session-based model (only descendants of a particular process have access to the same credentials), and the systemd people think a session-based credential access model is inherently ridiculous.

It seems like the solutions fall into one of two buckets: disable the systemd --user support (which, as you note, is becoming more unworkable as of late, especially with things like GNOME), or switch to a per-user credential management system for Kerberos and OpenAFS. The latter solution requires at a minimum switching to file-based credential caches for Kerberos and possibly disabling PAGs (I suspect you could still use PAGs with OpenAFS, as it seems like systemd --user still goes through the PAM stack).

At least at our site we do not run into this as an issue, as 95% of our access is remote, and in that instance it is easy to make everything session-based. I can only say that, based on previous painful experiences, we would never use file-based Kerberos credential caches, but short of some complicated reworking inside of systemd (which the systemd people seem to not be interested in doing) there does not seem to be an ideal solution.

--Ken

_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info