Thank you Jeffrey and Gaja about the further information and even giving
hope to some extent really, and sorry about the late response - somehow
my email failed to notify me about your important messages.
I will try my best to solve my instance using your framework
understanding, guidelines and the script Gaja provided. The ssh usage is
equally important in this case; a headless access to one or several
execution nodes utilising one's personal account privileges.
I seriously wish Gnome developers would hear you out and will provide a
supported solution upstream to help all of OpenAFS community, not just
the user-experience oriented professionals like me, missing the
superpowers likes of you.
br, jukka
---
Jeffrey E Altman, 2022-08-29 03:05:
On 8/28/2022 3:14 AM, jukka.tuomi...@finndesign.fi wrote:
Hi all,
I wonder if anybody has OpenAFS client working with GDM in Ubuntu
22.04 (or 20.04)? That is, allowing users to log into their homedirs
graphically.
The underlying problem is that GDM heavily relies upon processes
launched as children of "systemd --user" services. As a result they do
not share the same session keyring as the child processes of login.
The "systemd --user" expectation is that all processes executing as a
"uid" have access to the same authentication credentials whether they be
local or remote. In such an environment, AFS Process Authentication
Groups (PAGs) cannot be created as a side-effect of login.
Modify the pam configuration to disable PAG creation for GDM logins.
If the expectation is that "sshd" logins should be separate from the
desktop, then "sshd" logins can continue to create a PAG.
Sincerely,
Jeffrey Altman
---
Gaja Peters kirjoitti 2022-08-29 14:51:
Am 28.08.22 um 09:14 schrieb jukka.tuomi...@finndesign.fi:
I wonder if anybody has OpenAFS client working with GDM in Ubuntu
22.04 (or 20.04)? That is, allowing users to log into their homedirs
graphically.
Yes. But only with "nopag":
for FILE in /etc/pam.d/*
do
grep '^[^#].*pam_afs_session' "$FILE" | grep -qv 'nopag' \
&& sed -e 's|^[^#].*pam_afs_session.*[^ ]$|& |' \
-e 's|^[^#].*pam_afs_session.*$|&nopag|'
-i "$FILE"
done
Having the pam settings all over the place doesn't seem to be the
right path.
It's not quite "all over the place", but yes, three files are modified
that way. Previously we (mostly) managed with a systemd-task that
would watch dbus for a login and then obtain an AFS-token in the
context of systemd. Effectively it's not so much different from
"nopag" though, ant this is a way easier (and in the end more stable)
solution.
Greetings,
Gaja Peters
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
