My older setting for pam_krb5 seems to have a minimum UID of 1000, which
I'm using. I do have a single local user for administration, so it is
needed. I would definitely appreciate it if you could send the patch, thank
you.
This is how far I've gotten now:
Once logged in as a local user, I can successfully kinit, aklog and
access the homedir. However, when I try to log in using GDM, I get an
error that the password authentication didn't work. auth.log, on the
other hand, tells me that gdm-password:auth authenticated the krb user attached
to the correct realm, having first failed trying the username as a local
unix user. I'd guess that is the desired behavior so far. The next
line, gdm-password:account, fails: "could not identify user (from
etpwnam("
There used to be another error line, but I got rid of it, and I can't
recall now what it was.
All afs lines now have nopag attributes.
I will keep trying to tweak the pam settings once I have some spare
time, again.
br, jukka
[email protected] wrote on 2022-09-12 22:45:
I usually start the [email protected] with the following ExecStart line:
ExecStart=-/bin/bash -c "if [ $(id -u %i) -ge LIMIT ]; then export KRB5CCNAME=/run/krb-caches/krb5cc_$(id -u %i); aklog; fi; exec /usr/lib/systemd/systemd --user"
The assumptions are:
- LIMIT is a user id limit, ids below are treated as machine-local and
system users which don't have valid Kerberos credentials
- kerberos cache filenames are known (no random files)
- no use of PAG (as Jeffrey explained) or your services will lose
access to AFS after a while (maybe a helper service could refresh
systemd's token periodically)
- the cache was filled by some upstream process (ssh or other login)
- this means, ssh must adhere to this convention as well, which
requires a small patch to sshd. Otherwise it instructs libkrb to use a
random file. This would leave the pre-known cache file empty in case
the ssh login is the first ever login, like on a server. I can send
you the patch if interested.
Kind regards,
–Michael
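The cache-selection logic from the ExecStart line above, written out as a shell function so the checks are explicit. This is an added example, not Michael's or OpenAFS's code. It follows the same convention (per-UID cache files under a known directory, a UID threshold below which accounts are treated as machine-local) and adds the checks a wrapper would want before exporting KRB5CCNAME: the cache file must exist, be non-empty (an empty file is exactly the "first login was ssh without the patch" case described above) and be owned by the user. The cache directory /run/krb-caches and the limit 1000 are assumptions; `stat -c` is GNU coreutils, so this assumes a Linux host.

```shell
#!/bin/sh
# Added example (not from the thread): decide which credential cache a
# "systemd --user" instance should export, following the per-UID cache
# file convention from the mail above. Directory and LIMIT are assumptions.

# krb5_ccname_for_uid UID LIMIT CACHE_DIR
# Prints "FILE:<cache_dir>/krb5cc_<uid>" and returns 0 when UID >= LIMIT
# and the cache file exists, is non-empty and is owned by UID.
# Prints nothing and returns 1 otherwise, so the caller can skip aklog.
krb5_ccname_for_uid() {
    uid=$1
    limit=$2
    cache_dir=$3

    # System and machine-local users have no Kerberos credentials.
    [ "$uid" -ge "$limit" ] || return 1

    cache="$cache_dir/krb5cc_$uid"

    # An absent or empty cache means no upstream login (ssh, GDM) filled
    # it; exporting it would only make aklog fail.
    [ -f "$cache" ] && [ -s "$cache" ] || return 1

    # Refuse a cache owned by someone else (stat -c is GNU coreutils).
    owner=$(stat -c %u "$cache" 2>/dev/null) || return 1
    [ "$owner" = "$uid" ] || return 1

    printf 'FILE:%s\n' "$cache"
}

# Usage from an ExecStart wrapper, where $1 is the instance name (%i):
#   if cc=$(krb5_ccname_for_uid "$(id -u "$1")" 1000 /run/krb-caches); then
#       export KRB5CCNAME="$cc"
#       aklog
#   fi
#   exec /usr/lib/systemd/systemd --user
```

Because the function returns non-zero when no usable cache exists, the wrapper still execs systemd --user for local accounts and for first logins whose cache was never filled; it simply does not run aklog, rather than leaving a confusing failure in the journal.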
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info