Dear Jan,
thanks for the message. Setting nopag = true in the [appdefaults]
section of /etc/krb5.conf appears to "fix" the gdm login. However, I am
somewhat surprised (or maybe it is just a lack of understanding of sudo
on my end) that if I log in as a user, and issue sudo -i, root still has
tokens (presumably because pam_afs_session is called again, and because
KRB5CCNAME is preserved?). If I now issue "unlog", tokens are gone, as
expected. But then if I exit and return to "user", also "user"'s tokens
are gone... Is that expected?

Best wishes,
Christian

On 10/7/25 12:45, Jan Henrik Sylvester wrote:
> On 10/7/25 10:11 AM, Christian wrote:
>> Tickets and tokens are there. But logging in to gnome via gdm3 fails.
>
> This list has had discussion on that topic before. In short, we used
> to have a systemd service to execute aklog in the systemd user session
> (after locating the correct Kerberos ticket cache), but we have given
> up on that approach and simply use the option nopag for
> pam_afs_session (in common-auth, common-session, and
> common-session-noninteractive). We have not had any trouble because of
> this (no token has vanished because one of multiple parallel SSH
> sessions has logged out or something like that).
>
> Best,
> Jan Henrik
_______________________________________________
OpenAFS-info mailing list
https://lists.openafs.org/mailman/listinfo/openafs-info
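
An added example, not part of the thread and not code from pam_afs_session: a shell audit that reports whether nopag is set in the [appdefaults] section of a krb5.conf and in each PAM file that loads pam_afs_session, and flags files that disagree. The function names are hypothetical; it assumes that only the bare `nopag` PAM argument is used and that a PAM file without it inherits the krb5.conf default.

```shell
#!/bin/sh
# Added example (not from the thread): report where pam_afs_session runs with nopag.

# krb5_nopag FILE: value of nopag inside [appdefaults] (top level or in a
# sub-block such as "pam-afs-session = { ... }"), or "unset".
krb5_nopag() {
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { in_app = ($0 ~ /^[ \t]*\[appdefaults\]/); next }
        in_app && /^[ \t]*nopag[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); val = $0
        }
        END { print (val == "" ? "unset" : val) }' "$1"
}

# pam_nopag FILE: "absent" if the module is not loaded, "nopag" or "pag" if
# every pam_afs_session line agrees, "mixed" otherwise.
pam_nopag() {
    awk '
        /^[ \t]*#/ { next }
        /pam_afs_session\.so/ {
            hit = 0
            for (i = 1; i <= NF; i++) if ($i == "nopag") hit = 1
            if (hit) with++; else without++
        }
        END {
            if (!with && !without) print "absent"
            else if (with && without) print "mixed"
            else print (with ? "nopag" : "pag")
        }' "$1"
}

# audit KRB5_CONF PAM_FILE...: print one line per PAM file and return 1 when
# the files that load the module disagree. Assumption: a file without the
# PAM argument inherits the krb5.conf default.
audit() {
    krb=$1; shift
    default=pag; seen=""; rc=0
    case $(krb5_nopag "$krb") in true|yes|on|1) default=nopag ;; esac
    for f in "$@"; do
        s=$(pam_nopag "$f")
        [ "$s" = "pag" ] && s=$default
        echo "$f: $s"
        [ "$s" = "absent" ] && continue
        [ "$s" = "mixed" ] && rc=1
        [ -n "$seen" ] && [ "$s" != "$seen" ] && rc=1
        seen=$s
    done
    return $rc
}

if [ "$#" -gt 0 ]; then audit "$@"; fi
```

Run it with the krb5.conf path first, followed by the PAM files to compare, for example the three files named in the quoted reply.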