[OpenAFS] afs and samba

George Mamalakis mamalos@eng.auth.gr
Wed, 29 Apr 2009 17:37:57 +0300

Dear Harald,

I tried to play with kimpersonate, as I told you in my previous mail, 
with no luck. I googled for it, as you proposed, but didn't find 
anything enlightening. It seems that kimpersonate is quite 
undocumented. In fact, I still have not understood how to use it along 
with Samba.

What I have done up until now was to exploit Samba's preexec (and root 
preexec) in order to provide a token to my process. Since I couldn't 
find how kimpersonate works, what I logically thought was to execute 
something like kinit so as to obtain a Kerberos ticket for my user 
(testuser in my example), and then use afslog to obtain an AFS token. 
Therefore, I created this simple script to be run by preexec:

kinit -k -t /path/to/keytab testuser
afslog mydomain

The only way I could run this script was through the root preexec 
directive, and even then, even though tickets and tokens were created, 
the server replied with the following error message:

[log.smbserver excerpt]:

[2009/04/29 17:28:00,  0] smbd/service.c:make_connection_snum(1156)
  '/afs/mydomain/users/testuser/profile' does not exist or permission denied when connecting to [Profiles] Error was Permission denied

I never managed to "preexec" this script as a normal user, only as root. 
This probably means that the procedure fails before user preexec is started.

If I put a command after "afslog mydomain" that creates a file, 
for example (like touch /afs/mydomain/users/testuser/lala), then the 
file is created with the correct permissions and ownership, but the 
aforementioned error remains.

After these experiments, I am not sure how kimpersonate would help in my 
case, not to mention once more that I still haven't figured out how to 
use it with Samba.

Would you happen to know how to use it? And if so, could you please tell 
me so as to try and see if it works for me?

Thanks all, again, for your time and effort

Harald Barth wrote:
>> 1) old way: use a clear text password from the client; this option is
>> disabled by default for security reasons. If you want to use this method
>> you need to set clear text on all your clients
> Sounds scary.
>> 2) new way: the Samba server can work as a kaserver, that means
>> Samba can create an AFS token for each user (you need to put the key
>> master password in the Samba tdb)
> There is another more modern variation of the same theme but with krb5.
> Google for kimpersonate.
> ----
> That said, I still would use the clients as AFS clients if possible,
> instead of going through a Samba gateway.
> Harald.

George Mamalakis

IT Officer
Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
MSc (Imperial College of London)

Department of Electrical and Computer Engineering
Faculty of Engineering
Aristotle University of Thessaloniki

phone number : +30 (2310) 994379