[OpenAFS] Re: Serving AFS to Windows boxes w/o OpenAFS client (Samba)?

Jeff Blaine jblaine@kickflop.net
Wed, 05 Jan 2011 15:54:39 -0500

I'm a little confused about kimpersonate.  I realize it's
not OpenAFS code, but maybe someone can explain further:

      kimpersonate -s host/hummel.e.kth.se@E.KTH.SE \
                   -c lha@E.KTH.SE -5

      "will create a Kerberos 5 ticket for lha@E.KTH.SE for
       the host hummel.e.kth.se if there exists a keytab entry
       for it in /etc/krb5.keytab"


a) Extract the key for afs/OUR.ORG into /etc/krb5.keytab
    once the host was fully secured

b) kimpersonate -s afs/OUR.ORG -c jblaine@OUR.ORG -5

c) aklog


Can't modern MIT kinit do the same thing?

On 12/30/2010 4:00 PM, Jeff Blaine wrote:
> Thanks for all of the replies.
> I would like to document the various methods as I am investigating
> this.
>  From Samba 3.5.6 configure:
> --with-afs
> Kerberos v4 auth via native AFS libs.
> Requires cleartext SMB password.
> Useful, albeit insecure, no less than 5+ years ago.
> --with-fake-kaserver
> What the heck is this? I know what fakeka is. I don't
> know enough to make sense of the spots where I find
> WITH_FAKE_KASERVER defined in the Samba source.
> Is this support for authenticating only to a fakeka, which
> as I understand it would gain you Kerberos v5 using crappy
> old enctypes?
> If so, that would mean it's useless for those not running
> (or wanting to run) fakeka. We don't.
> kimpersonate
> Haven't even looked into it yet. Will, and will doc.
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info