On Wed, Nov 30, 2016 at 07:31:24PM -0300, Felipe Sateler wrote:
>
> `systemctl --user import-environment KRB5CCNAME` might be more
> appropriate if this variable should be copied from an already existing
> environment.

But when would this run, and what package would be responsible for causing it to be run? (I would prefer to not require that the user is responsible for causing it to be run.)

Michael Biebl <bi...@debian.org> writes:
> This was mentioned on IRC:
>
> > <grawity> afaik, AFS tokens are stored as special keys in the
> > keyring, nowadays... so it might work if afs was patched to look in
> > the 'user' keyring, or if regular logins somehow joined systemd's
> > session keyring instead of creating a new one
> > <grawity> (CIFS has the same problem)

The AFS tokens are scoped to a specific PAG (Process Authentication Group), which can provide cross-process isolation. Processes can request to be put in a new PAG explicitly if they desire separation, and PAGs are identified by the afs_pag key type in the session keyring. We generally don't want to use the user keyring since that could lead to neutering of the cross-process isolation that the PAGs are expected to provide.

-Ben

P.S. Looking more closely at the linked google doc, it was more likely to be Jonathan Billings than Dave Botsch who wrote it.