[OpenAFS] afs and samba
Fabrizio Manfredi
fabrizio.manfredi@gmail.com
Thu, 30 Apr 2009 09:54:38 +0200
Dear George,
You need to forge the ticket with kimpersonate like:
You can create an AFS ticket directly; otherwise you can forge a krb5
ticket and convert it.
More info:
SYNOPSIS
  kimpersonate [-s string | --server=string] [-c string | --client=string]
               [-k string | --keytab=string] [-5 | --krb5]
               [-e integer | --expire-time=integer]
               [-a string | --client-address=string]
               [-t string | --enc-type=string]
               [-f string | --ticket-flags=string]
               [--verbose] [--version] [--help]

DESCRIPTION
  The kimpersonate program creates a "fake" ticket using the service-key of
  the service. The service key can be read from a Kerberos 5 keytab, AFS
  KeyFile or (if compiled with support for Kerberos 4) a Kerberos 4 srvtab.

  Supported options:

  -s string, --server=string
      name of server principal
  -c string, --client=string
      name of client principal
  -k string, --keytab=string
      name of keytab file
  -5, --krb5
      create a Kerberos 5 ticket
  -e integer, --expire-time=integer
      lifetime of ticket in seconds
  -a string, --client-address=string
      address of client
  -t string, --enc-type=string
      encryption type
  -f string, --ticket-flags=string
      ticket flags for krb5 ticket

http://www.h5l.org/blog/index.php/2006/09/kimpersonate/
bye manfred
On Wed, Apr 29, 2009 at 4:50 PM, Jeffrey Altman
<jaltman@secure-endpoints.com> wrote:
> George Mamalakis wrote:
>> Dear Harald,
>>
>> I tried to play with kimpersonate, as I told you in my previous mail,
>> with no luck. I googled for it, as you proposed, but didn't find
>> something enlightening. It seems that kimpersonate is quite
>> undocumented. In fact, I still have not understood how to use it along
>> with samba.
>
> kimpersonate works by using the AFS cell's own key to forge AFS tokens
> for any user that authenticates to Samba regardless of the
> authentication method. That permits the use of GSS-SPNEGO
> authentication which will not expose the user's password on the network.
>
>
>