[OpenAFS] afs and samba

Harald Barth haba@kth.se
Thu, 30 Apr 2009 12:33:11 +0200 (CEST)

> When I tried to give the following command:
> [root@~]# /usr/local/libexec/kimpersonate -c testuser@MYDOMAIN -s krbtgt/MYDOMAIN@MYDOMAIN -5
> to test how kimpersonate works, I got the following error:
> kimpersonate: krb5_kt_get_entry: Failed to find krbtgt/MYDOMAIN@MYDOMAIN in keytab ANY:FILE:/etc/krb5.keytab (des-cbc-md5)

>From http://www.h5l.org/blog/index.php/2006/09/kimpersonate/ :

# kimpersonate -s host/nutcracker.it.su.se@SU.SE -c lha/root@SU.SE -t des3-cbc-sha1 -5 --ccache=FILE:/tmp/cache -k FILE:nutcracker-keytab

So you want a afs/mycell@MYDOMAIN for user testuser@MYDOMAIN, don't you?
(Or maybe afs@MYDOMAIN for user testuser@MYDOMAIN, if your setup is like that)

That would be 

incomplete command# kimpersonate -s afs/mycell@MYDOMAIN -c testuser@MYDOMAIN

then you have to figure out from where to take the secret. The easiest
thing for you is probably to (safely!) copy the AFS key file from one
of your AFS servers to /etc/my-AFS-KeyFile. Chmod 600 /etc/my-AFS-KeyFile !!

incomplete command# kimpersonate -s afs/mycell@MYDOMAIN -c testuser@MYDOMAIN -k AFSKEYFILE:/etc/my-AFS-KeyFile

The AFSKEYFILE: tells the Heimdal krb5 library that it is not in normal keytab format.
Then you have to tell kimpersonate where to write the tickets and what format, so you
probably end up with something like:

root# KRB5CCNAME=/tmp/krb5cc_`id -u testuser`
root# kimpersonate -s afs/mycell@MYDOMAIN -c testuser@MYDOMAIN -k AFSKEYFILE:/etc/my-AFS-KeyFile -t des3-cbc-sha1 -5
root# chown testuser $KRB5CCNAME

testuser$ afslog -c mydomain
testuser$ klist -T
Credentials cache: FILE:/tmp/krb5cc_666
        Principal: testuser@MYDOMAIN

  Issued           Expires          Principal
Apr 1  11:53:29  May  1 11:53:28  afs/mycell@MYDOMAIN

Apr 1  11:53:29  May  1 11:53:28  User's (AFS ID 666) tokens for mycell

I made this example without any actual kimpersonate, so it is a little like dry swimming, so
it might contain some errors.

Remember: Everyone who can read your KeyFile can do anything with your AFS data in that cell.