[OpenAFS] afs and samba
Wed, 29 Apr 2009 17:37:57 +0300
I tried to play with kimpersonate, as I told you in my previous mail,
with no luck. I googled for it, as you proposed, but didn't find
anything enlightening. It seems that kimpersonate is quite
undocumented. In fact, I still have not understood how to use it along
What I have done up until now was to exploit samba's preexec (and root
preexec) in order to provide a token to my process. Since I couldn't
find how kimpersonate works, what I logically thought was to execute
something like kinit so as to obtain a Kerberos ticket for my user
(testuser in my example), and then use afslog to obtain an AFS token.
Therefore, I created this simple script to be run by preexec:
kinit -k -t /path/to/keytab testuser
The only way I could run this script was through the root preexec
directive, and even then, even though tickets and tokens were created,
the server replied with the following error message:
[2009/04/29 17:28:00, 0] smbd/service.c:make_connection_snum(1156)
'/afs/mydomain/users/testuser/profile' does not exist or permission
denied when connecting to [Profiles] Error was Permission denied
I never managed to "preexec" this script as a normal user, only as root.
This probably means that the procedure fails before user preexec is started.
If I put a command after "afslog mydomain" that creates a file,
for example (like touch /afs/mydomain/users/testuser/lala), then the
file is created with the correct permissions and ownership, but the
aforementioned error remains.
After these experiments, I am not sure how kimpersonate would help in my
case, not to mention, once more, that I still haven't figured out how to
use it with samba.
Would you happen to know how to use it? And if so, could you please tell
me so as to try and see if it works for me?
Thanks all, again, for your time and effort.
Harald Barth wrote:
>> 1) old way: use a clear text password from client; this option is
>> disabled by default for security reasons. If you want to use this method,
>> you need to set clear text on all your clients.
> Sounds scary.
>> 2) new way: the samba server can work as a kaserver, which means that
>> samba can create an AFS token for each user (you need to put the key
>> master password in the samba tdb).
> There is another more modern variation of the same theme but with krb5.
> Google for kimpersonate.
> That said, I still would use the clients as AFS clients if possible,
> instead of going through a Samba gateway.
Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
MSc (Imperial College of London)
Department of Electrical and Computer Engineering
Faculty of Engineering
Aristotle University of Thessaloniki
phone number : +30 (2310) 994379
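The preexec approach described in the mail above (kinit against a keytab, then afslog), written out as the kind of helper script a practitioner would actually hand to Samba's "root preexec". This is an added example, not the poster's script and not part of OpenAFS or Samba: the script name afs-preexec.sh, the keytab path /path/to/keytab and the cell name mydomain are placeholders taken from the mail or invented here, and the AFS_PREEXEC_* environment variables are assumptions of this example. Because Samba substitutes %U with the username the SMB client presented and then runs the command as root, the script refuses anything that is not a plain account name and gives each user a private Kerberos credential cache so concurrent sessions do not overwrite each other's tickets.

```shell
#!/bin/sh
# afs-preexec.sh (hypothetical name): obtain a Kerberos ticket and an AFS
# token for the connecting Samba user. Added example, not from the thread.
#
# Expected smb.conf hook (root preexec runs as root before the share opens):
#   root preexec = /usr/local/sbin/afs-preexec.sh %U
#
# Placeholders: keytab path and cell name come from the mail; the
# AFS_PREEXEC_* variables are an assumption of this example.
KEYTAB="${AFS_PREEXEC_KEYTAB:-/path/to/keytab}"
CELL="${AFS_PREEXEC_CELL:-mydomain}"

# Accept only plain account names (letters, digits, '.', '_', '-', not
# starting with '.' or '-'). The value originates from the SMB client and
# this script runs as root, so anything else is refused outright.
valid_user() {
  case "$1" in
    '' | *[!A-Za-z0-9._-]* | .* | -*) return 1 ;;
    *) return 0 ;;
  esac
}

# Per-user credential cache path, so two sessions of different users on the
# same server never share (or clobber) a ticket cache.
ccache_for() {
  printf '/tmp/krb5cc_samba_%s\n' "$1"
}

# Do the actual work: kinit from the keytab for this principal, then ask
# afslog to turn the ticket into an AFS token for the cell.
# Returns 0 on success, 1 if kinit/afslog fail, 2 if the username is refused,
# 127 if the tools are not installed on this host.
get_token() {
  user="$1"
  valid_user "$user" || { echo "afs-preexec: refusing user '$user'" >&2; return 2; }
  command -v kinit >/dev/null 2>&1 || return 127
  command -v afslog >/dev/null 2>&1 || return 127

  KRB5CCNAME="FILE:$(ccache_for "$user")"
  export KRB5CCNAME

  # -k -t: authenticate with the key stored in the keytab, as in the mail.
  kinit -k -t "$KEYTAB" "$user" || { echo "afs-preexec: kinit failed for $user" >&2; return 1; }
  afslog "$CELL" || { echo "afs-preexec: afslog failed for $user" >&2; return 1; }
  return 0
}

# When invoked by Samba the username arrives as the first argument.
if [ $# -gt 0 ]; then
  get_token "$1"
fi
```

The script only defines functions unless it is given a username, so it can be sourced for testing on a machine without Kerberos or AFS installed; with a username it exits non-zero whenever the token could not be obtained, which makes the failure visible in Samba's log rather than silently continuing without a token.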