On 8/17/2018 5:38 AM, Gaja Sophie Peters wrote:
> On 17.08.2018 at 02:41, Prasad K. Dharmasena wrote:
>> I've installed OpenAFS and pam-afs-session on Ubuntu 18.04 (bionic) via
>> (a) vendor supplied packages, and (b) building from source (1.6.22.3).
>> On both machines, logging in via gdm doesn't get me a token.
>> Has anyone else seen this on Ubuntu 18.04?  (I've had this working for a
>> while now on Ubuntu 16.04 -- building from 1.6.20+ source with
>> pam-afs-session 2.6.)
> 
> We had some success with an "aklog.service" as described in
> 
> https://www.mail-archive.com/openafs-info@openafs.org/msg40604.html
> 
> The main problem that we face at the moment is that there are TWO
> sessions opened, and (especially in "Ubuntu"-Session) depending on which
> program is started, it lives in the one or the other. Most notably
> "xterm" and "gnome-terminal" have two different sessions - which in the
> end means that an "aklog" needs to be performed in both... The above
> mentioned script tries to help with that, but it's not quite perfect yet.

Gaja,

The "aklog.service" approach introduces a significant amount of
complexity with zero security improvement over the pam_afs_session
"nopag" configuration.  The reason that aklog can be executed by
"aklog.service" is because the Kerberos credentials from which the AFS
tokens are derived are accessible to any process running as the UID.

Sincerely,

Jeffrey Altman
