While this thread is live again, let me contribute my own findings on this. Our network runs mainly NixOS machines.
For us, using sssd for Kerberos ticket management turned out to be a huge benefit, mainly for its centralized ticket refresh functionality. We hold users' tickets in well-known files. Using sssd lifts the necessity to have the directory holding ticket caches user-writable. So, well-known cache files is not a security concern anymore. We use systemd, as well. We have set up the systemd-user@.service in a way, that it acquires an AFS token before starting. Thus, all dependent user services have AFS access. This is what we need well-known ticket cache files for. PAM has already run at the time, so the cache is hot. Lingering does obviously not work with this setup. We use nopag tokens, as we don't believe in its added security promises. In parallel, we allow ticket forwarding for remote logins, mainly for the benefit of single sign-on. So, this circumvents most promises, PAGs would give us anyway. nopag also allows us to post-acquire AFS token for systemd services of a running session, which is important for road-warrior (does one still use this term?) setups. PAGs are a big usability bonus, though, when using pagsh to temporarily acquire an administrative shell. Hope this helps! –Michael _______________________________________________ OpenAFS-info mailing list OpenAFS-info@openafs.org https://lists.openafs.org/mailman/listinfo/openafs-info
