Re: [OpenAFS] OpenAFS with GDM in Ubuntu 22.04 (or 20.04)?

2022-09-14 Thread jukka . tuominen
My older setting for pam_krb5 seems to have a minimum UID of 1000 which 
I'm using. I do have a single local user for administration, so it is 
needed. I would definitely appreciate it if you can send the patch though, 
thank you.


This is how far I'm now:

Once logged in as a local user, I can successfully kinit; aklog and 
access the homedir. However, when I try to log in using GDM, I get an 
error that the password authentication didn't work. But auth.log, on the 
other hand, says gdm-password:auth authenticated the krb user attached 
to the correct realm, having first failed trying the username as a local 
unix user. I'd guess that is the desired behavior this far. The next 
line, gdm-password:account, fails: "could not identify user (from 
getpwnam("
There used to be another error line, but I got rid of it, and I can't 
recall now what it was.


All afs lines now have nopag attributes.

I will keep trying to tweak the pam settings once I have some spare 
time, again.


br, jukka

spacefrogg-open...@spacefrogg.net wrote on 2022-09-12 22:45:

I usually start the user@.services with the following ExecStart line:
ExecStart=-/bin/bash -c "if [ $(id -u %i) -ge LIMIT ]; then export KRB5CCNAME=/run/krb-caches/krb5cc_$(id -u %i); aklog; fi; exec /usr/lib/systemd/systemd --user"

The assumptions are:
- LIMIT is a user id limit, ids below are treated as machine-local and
system users which don't have valid Kerberos credentials
- kerberos cache filenames are known (no random files)
- no use of PAG (as Jeffrey explained) or your services will lose
access to AFS after a while (maybe a helper service could refresh
systemd's token periodically)
- the cache was filled by some upstream process (ssh or other login)
- this means, ssh must adhere to this convention as well, which
requires a small patch to sshd. Otherwise it instructs libkrb to use a
random file. This would leave the pre-known cache file empty in case
the ssh login is the first ever login, like on a server. I can send
you the patch if interested.

Kind regards,
–Michael
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info



Re: [OpenAFS] OpenAFS with GDM in Ubuntu 22.04 (or 20.04)?

2022-09-12 Thread spacefrogg-openafs
I usually start the user@.services with the following ExecStart line:
ExecStart=-/bin/bash -c "if [ $(id -u %i) -ge LIMIT ]; then export KRB5CCNAME=/run/krb-caches/krb5cc_$(id -u %i); aklog; fi; exec /usr/lib/systemd/systemd --user"

The assumptions are:
- LIMIT is a user id limit, ids below are treated as machine-local and system 
users which don't have valid Kerberos credentials
- kerberos cache filenames are known (no random files)
- no use of PAG (as Jeffrey explained) or your services will lose access to AFS 
after a while (maybe a helper service could refresh systemd's token 
periodically)
- the cache was filled by some upstream process (ssh or other login)
- this means, ssh must adhere to this convention as well, which requires a 
small patch to sshd. Otherwise it instructs libkrb to use a random file. This 
would leave the pre-known cache file empty in case the ssh login is the first 
ever login, like on a server. I can send you the patch if interested.

Kind regards,
–Michael
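The ExecStart line above, worked out as a small wrapper script. This is an added example (mine, not Michael's code and not part of OpenAFS), and it assumes: LIMIT is 1000, caches live at /run/krb-caches/krb5cc_<uid> as in his post, GNU coreutils (stat -c), and that the wrapper is installed at the hypothetical path /usr/local/sbin/afs-user-prestart and wired into user@.service with the drop-in shown in the header comment. It does not cover the sshd patch he mentions. One caveat his one-liner does not address: because the cache name is predictable and the directory is shared, the wrapper only trusts the file if it is a regular file owned by that uid with mode 0600, so a foreign cache cannot be slipped in if that directory is ever writable by others.

```shell
#!/bin/sh
# Added example, not from the list posts: a wrapper that applies the
# UID-limit convention from the thread before handing over to
# "systemd --user". Wire it in with this drop-in (hypothetical path
# /etc/systemd/system/user@.service.d/afs.conf; the empty ExecStart=
# clears the stock command first, which a Type=notify unit requires):
#
#   [Service]
#   ExecStart=
#   ExecStart=/usr/local/sbin/afs-user-prestart %i
#
# Assumptions (mine): LIMIT is 1000, caches are /run/krb-caches/krb5cc_<uid>
# as in Michael's post, and GNU stat is available.

AFS_UID_LIMIT="${AFS_UID_LIMIT:-1000}"
AFS_CCACHE_DIR="${AFS_CCACHE_DIR:-/run/krb-caches}"

# ccache_for_uid UID: print "FILE:<path>" for the cache that UID may use,
# or print nothing and return 1 when the uid is below the limit, the cache
# is missing, or it is not a 0600 regular file owned by that uid.  The
# ownership/mode check is what makes a predictable name in a shared
# directory safe to trust.
ccache_for_uid() {
    uid=$1
    [ "$uid" -ge "$AFS_UID_LIMIT" ] || return 1
    f="$AFS_CCACHE_DIR/krb5cc_$uid"
    [ -f "$f" ] || return 1
    owner=$(stat -c %u "$f" 2>/dev/null) || return 1
    mode=$(stat -c %a "$f" 2>/dev/null) || return 1
    [ "$owner" = "$uid" ] || return 1
    [ "$mode" = "600" ] || return 1
    printf 'FILE:%s\n' "$f"
}

# afs_user_prestart USER: the ExecStart body.  With nopag in PAM (as the
# thread recommends for GDM) there is no PAG, so the token aklog obtains is
# held per uid and every process of that uid, including the children of
# "systemd --user", can use it.  aklog failure is logged but not fatal:
# the user manager must still come up for users without Kerberos creds.
afs_user_prestart() {
    user=$1
    uid=$(id -u "$user") || exit 1
    if cc=$(ccache_for_uid "$uid"); then
        KRB5CCNAME=$cc
        export KRB5CCNAME
        aklog || printf 'afs-user-prestart: aklog failed for %s\n' "$user" >&2
    fi
    exec /usr/lib/systemd/systemd --user
}

# Act as the ExecStart only when given an instance name; sourcing the file
# without arguments just defines the functions.
if [ "$#" -gt 0 ]; then
    afs_user_prestart "$1"
fi
```

Install the script with mode 0755, run `systemctl daemon-reload`, and check the result after a fresh GDM login with `systemctl --user status` and `tokens` from a terminal started by the desktop.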


Re: [OpenAFS] OpenAFS with GDM in Ubuntu 22.04 (or 20.04)?

2022-09-11 Thread jukka . tuominen
Thank you Jeffrey and Gaja for the further information, and for even giving 
some hope really, and sorry about the late response; somehow my email 
failed to notify me about your important messages.


I will try my best to solve my instance using your framework 
understanding, guidelines and the script Gaja provided. The ssh usage is 
equally important in this case; a headless access to one or several 
execution nodes utilising one's personal account privileges.


I seriously wish the Gnome developers would hear you out and provide a 
supported solution upstream to help the whole OpenAFS community, not just 
user-experience oriented professionals like me who lack superpowers like 
yours.


br, jukka

---

Jeffrey E Altman, 2022-08-29 03:05:

On 8/28/2022 3:14 AM, jukka.tuomi...@finndesign.fi wrote:

Hi all,

I wonder if anybody has OpenAFS client working with GDM in Ubuntu 
22.04 (or 20.04)? That is, allowing users to log into their homedirs 
graphically.



The underlying problem is that GDM heavily relies upon processes 
launched as children of "systemd --user" services.  As a result they do 
not share the same session keyring as the child processes of login.   
The "systemd --user" expectation is that all processes executing as a 
"uid" have access to the same authentication credentials whether they be 
local or remote.  In such an environment, AFS Process Authentication 
Groups (PAGs) cannot be created as a side-effect of login.


Modify the pam configuration to disable PAG creation for GDM logins.

If the expectation is that "sshd" logins should be separate from the 
desktop, then "sshd" logins can continue to create a PAG.


Sincerely,

Jeffrey Altman

---

Gaja Peters wrote on 2022-08-29 14:51:

On 28.08.22 at 09:14, jukka.tuomi...@finndesign.fi wrote:

I wonder if anybody has OpenAFS client working with GDM in Ubuntu 
22.04 (or 20.04)? That is, allowing users to log into their homedirs 
graphically.


Yes. But only with "nopag":

for FILE in /etc/pam.d/*
do
  # only touch files that still have an active pam_afs_session line without nopag
  grep '^[^#].*pam_afs_session' "$FILE" | grep -qv 'nopag' \
  && sed -e '/^[^#].*pam_afs_session/{/nopag/!s|[^ ]$|& |}' \
         -e '/^[^#].*pam_afs_session/{/nopag/!s|$|nopag|}' \
         -i "$FILE"
done

Having the pam settings all over the place doesn't seem to be the 
right path.


It's not quite "all over the place", but yes, three files are modified
that way. Previously we (mostly) managed with a systemd task that
would watch dbus for a login and then obtain an AFS token in the
context of systemd. Effectively it's not so much different from
"nopag" though, and this is a way easier (and in the end more stable)
solution.

Greetings,
Gaja Peters



Re: [OpenAFS] OpenAFS with GDM in Ubuntu 22.04 (or 20.04)?

2022-08-28 Thread Jeffrey E Altman

On 8/28/2022 3:14 AM, jukka.tuomi...@finndesign.fi wrote:

Hi all,

I wonder if anybody has OpenAFS client working with GDM in Ubuntu 
22.04 (or 20.04)? That is, allowing users to log into their homedirs 
graphically.


The underlying problem is that GDM heavily relies upon processes 
launched as children of "systemd --user" services.  As a result they do 
not share the same session keyring as the child processes of login.   
The "systemd --user" expectation is that all processes executing as a 
"uid" have access to the same authentication credentials whether they be 
local or remote.  In such an environment, AFS Process Authentication 
Groups (PAGs) cannot be created as a side-effect of login.


Modify the pam configuration to disable PAG creation for GDM logins.

If the expectation is that "sshd" logins should be separate from the 
desktop, then "sshd" logins can continue to create a PAG.


Sincerely,

Jeffrey Altman






Re: [OpenAFS] OpenAFS with GDM in Ubuntu 22.04 (or 20.04)?

2022-08-28 Thread jukka . tuominen

Thank you Dirk,

sad to hear, but at least I know now not to waste more time banging my 
head against the wall.


SDDM is new to me, I'll look into it.

br, jukka


Dirk Heinrichs wrote on 2022-08-28 10:59:

jukka.tuomi...@finndesign.fi:

I wonder if anybody has OpenAFS client working with GDM in Ubuntu 
22.04 (or 20.04)? That is, allowing users to log into their homedirs 
graphically.


You can't. Most of the Gnome stuff nowadays heavily depends on
systemctl --user which doesn't work when $HOME is in /afs (because
systemd starts the systemctl --user separate from the user session and
thus it doesn't get a token at login). Unfortunately, systemd folks
are not willing to fix this nonsense.

SDDM works fine, though.

HTH...

    Dirk



Re: [OpenAFS] OpenAFS with GDM in Ubuntu 22.04 (or 20.04)?

2022-08-28 Thread Dirk Heinrichs

jukka.tuomi...@finndesign.fi:

I wonder if anybody has OpenAFS client working with GDM in Ubuntu 
22.04 (or 20.04)? That is, allowing users to log into their homedirs 
graphically.


You can't. Most of the Gnome stuff nowadays heavily depends on systemctl 
--user which doesn't work when $HOME is in /afs (because systemd starts 
the systemctl --user separate from the user session and thus it doesn't 
get a token at login). Unfortunately, systemd folks are not willing to 
fix this nonsense.


SDDM works fine, though.

HTH...

    Dirk

--
Dirk Heinrichs 
Matrix-Adresse: @heini:chat.altum.de
GPG Public Key: 80F1540E03A3968F3D79C382853C32C427B48049
Privacy Handbuch: https://www.privacy-handbuch.de


