I usually start the user@.service with the following ExecStart line:

    ExecStart=-/bin/bash -c "if [ $(id -u %i) -ge LIMIT ]; then export KRB5CCNAME=/run/krb-caches/krb5cc_$(id -u %i); aklog; fi; exec /usr/lib/systemd/systemd --user"
The assumptions are:

- LIMIT is a user id limit; ids below it are treated as machine-local and system users which don't have valid Kerberos credentials
- Kerberos cache filenames are known (no random files)
- no use of PAG (as Jeffrey explained), or your services will lose access to AFS after a while (maybe a helper service could refresh systemd's token periodically)
- the cache was filled by some upstream process (ssh or other login)
- this means ssh must adhere to this convention as well, which requires a small patch to sshd. Otherwise it instructs libkrb to use a random file. This would leave the pre-known cache file empty in case the ssh login is the first ever login, like on a server. I can send you the patch if interested.

Kind regards,
–Michael

_______________________________________________
OpenAFS-info mailing list
openafs-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
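The following wrapper script is an added example, not Michael's code or anything shipped by OpenAFS or systemd. It carries the same convention as the ExecStart line above (fixed cache path per UID, a UID threshold for system accounts, aklog before exec'ing the user manager) but splits the decisions into functions so they can be checked, and it only runs aklog when the pre-known cache file exists and is non-empty, which is the failure mode the post describes for an unpatched sshd. The script name afs-user-session, the default UID_LIMIT of 1000 and the KRB_CACHE_DIR variable are assumptions introduced here; the cache directory /run/krb-caches is the one named in the post.

```shell
#!/bin/sh
# afs-user-session: hypothetical ExecStart helper for user@.service (added example).
# Intended use in a drop-in:  ExecStart=-/usr/local/sbin/afs-user-session %i
# Assumptions (not from the post): UID_LIMIT defaults to 1000, caches live in
# KRB_CACHE_DIR (/run/krb-caches per the post) as krb5cc_<uid>.

KRB_CACHE_DIR="${KRB_CACHE_DIR:-/run/krb-caches}"
UID_LIMIT="${UID_LIMIT:-1000}"

# Print the cache path the convention assigns to a numeric uid. Prints nothing
# for uids below UID_LIMIT: those are machine-local/system accounts with no
# Kerberos identity, so no KRB5CCNAME should be exported for them.
krb_cache_for_uid() {
    uid="$1"
    if [ "$uid" -ge "$UID_LIMIT" ]; then
        printf '%s/krb5cc_%s\n' "$KRB_CACHE_DIR" "$uid"
    fi
}

# A cache is only worth handing to aklog if the file exists and is non-empty.
# An upstream login that wrote to a random ccache instead of the pre-known
# path leaves this file absent or empty; in that case aklog would just fail.
cache_usable() {
    [ -n "$1" ] && [ -s "$1" ]
}

# Resolve the instance name to a uid, set up credentials if the convention
# applies, then exec the per-user systemd instance exactly as user@.service does.
start_user_session() {
    uid="$(id -u "$1")" || return 1
    cache="$(krb_cache_for_uid "$uid")"
    if cache_usable "$cache"; then
        export KRB5CCNAME="FILE:$cache"
        # Token acquisition failing must not prevent the user manager from starting;
        # mirrors the '-' prefix on the original ExecStart= line.
        aklog || echo "afs-user-session: aklog failed for uid $uid, continuing without AFS tokens" >&2
    fi
    exec /usr/lib/systemd/systemd --user
}

# Only start a session when run as the script itself, so the functions can be
# sourced and exercised without exec'ing systemd.
case "$0" in
    */afs-user-session|afs-user-session) start_user_session "$1" ;;
esac
```

Note that, like the original one-liner, this does nothing about the PAG problem the post raises: tokens obtained here are tied to the user's credentials, not to a PAG, so anything that later overwrites or expires that Kerberos cache also affects the services running under the user manager.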
