[OpenAFS] afs and samba

George Mamalakis mamalos@eng.auth.gr
Thu, 30 Apr 2009 11:34:51 +0300


thank you two very much for your help and patience, but I still haven't 
figured out what you want me to do :). Let's say we have the AFS user 
testuser with his kerberos5 keytab located in 
/usr/local/keytabs/testuser.keytab. Of course, I can convert it to AFS 
token with ktutil, but you will tell me if I should do it. The AFS space 
is mounted in /afs/mydomain and the user folder along with his profile 
are located in /afs/mydomain/users/testuser and 
/afs/mydomain/users/testuser/profile respectively. The keytab contains 
the following:

[root@~]# ktutil -k /usr/local/keytabs/testuser.keytab list

Vno  Type           Principal          
  1  des3-cbc-sha1  testuser@MYDOMAIN
  1  des-cbc-md5    testuser@MYDOMAIN
  1  des-cbc-md4    testuser@MYDOMAIN
  1  des-cbc-crc    testuser@MYDOMAIN

If I kinit with it, I get the following:

[root@~]# kinit -t  /usr/local/keytabs/testuser.keytab testuser
kinit: NOTICE: ticket renewable lifetime is 1 week
[root@~]# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: testuser@MYDOMAIN

  Issued           Expires          Principal                  
Apr 30 11:23:35  Apr 30 21:23:35  krbtgt/MYDOMAIN@MYDOMAIN

When I tried to give the following command:

[root@~]# /usr/local/libexec/kimpersonate -c testuser@MYDOMAIN -s 

to test how kimpersonate works, I got the following error:

kimpersonate: krb5_kt_get_entry: Failed to find krbtgt/MYDOMAIN@MYDOMAIN 
in keytab ANY:FILE:/etc/krb5.keytab (des-cbc-md5)

In what sense should I use kimpersonate, in your opinions, and how would 
it help me in samba's preexec? I mean, since kinit -t 
/pathtokeytab/keytab testuser and afslog mydomain didn't work, how will 
kimpersonate work? To make it more clear to me, given the example I 
posed you, what commands should I run in preexec (root preexec or user 
preexec?) so as to be able to access AFS space from samba.

Thanx again, and sorry for my incompetence in understanding what you are 
trying to explain to me...but guys, I still don't get it :). 

Fabrizio Manfredi wrote:
> Dear George,
> you need to forge the ticket with kimpersonate like :
> You can create directly a afs ticket otherwise you can forge a krb5
> and convert it.
> more infos are:
>      kimpersonate [-s string | --server=string] [-c string | --client=string]
>                   [-k string | --keytab=string] [-5 | --krb5] [-e integer |
>                   --expire-time=integer] [-a string | --client-address=string]
>                   [-t string | --enc-type=string] [-f string |
>                   --ticket-flags=string] [--verbose] [--version] [--help]
>      The kimpersonate program creates a "fake" ticket using the service-key of
>      the service.  The service key can be read from a Kerberos 5 keytab, AFS
>      KeyFile or (if compiled with support for Kerberos 4) a Kerberos 4 srvtab.
>      Supported options:
>      -s string, --server=string
>              name of server principal
>      -c string, --client=string
>              name of client principal
>      -k string, --keytab=string
>              name of keytab file
>      -5, --krb5
>              create a Kerberos 5 ticket
>      -e integer, --expire-time=integer
>              lifetime of ticket in seconds
>      -a string, --client-address=string
>              address of client
>      -t string, --enc-type=string
>              encryption type
>      -f string, --ticket-flags=string
>              ticket flags for krb5 ticket
> http://www.h5l.org/blog/index.php/2006/09/kimpersonate/
> bye manfred
> On Wed, Apr 29, 2009 at 4:50 PM, Jeffrey Altman
> <jaltman@secure-endpoints.com> wrote:
>> George Mamalakis wrote:
>>> Dear Harald,
>>> I tried to play with kimpersonate, as I told you in my previous mail,
>>> with no luck. I googled for it, as you proposed, but didn't find
>>> something enlightening. It seems that kimpersonate is quite
>>> undocumented. In fact, I still have not understood how to use it along
>>> with samba.
>> kimpersonate works by using the AFS cell's own key to forge AFS tokens
>> for any user that authenticates to Samba regardless of the
>> authentication method.  That permits the use of GSS-SPNEGO
>> authentication which will not expose the user's password on the network.
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info

George Mamalakis

IT Officer
Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
MSc (Imperial College of London)

Department of Electrical and Computer Engineering
Faculty of Engineering
Aristotle University of Thessaloniki

phone number : +30 (2310) 994379