[OpenAFS] afs and samba
Thu, 30 Apr 2009 12:33:11 +0200 (CEST)
> When I tried to give the following command:
> [root@~]# /usr/local/libexec/kimpersonate -c testuser@MYDOMAIN -s krbtgt/MYDOMAIN@MYDOMAIN -5
> to test how kimpersonate works, I got the following error:
> kimpersonate: krb5_kt_get_entry: Failed to find krbtgt/MYDOMAIN@MYDOMAIN in keytab ANY:FILE:/etc/krb5.keytab (des-cbc-md5)
>From http://www.h5l.org/blog/index.php/2006/09/kimpersonate/ :
# kimpersonate -s host/nutcracker.it.su.se@SU.SE -c lha/root@SU.SE -t des3-cbc-sha1 -5 --ccache=FILE:/tmp/cache -k FILE:nutcracker-keytab
So you want a afs/mycell@MYDOMAIN for user testuser@MYDOMAIN, don't you?
(Or maybe afs@MYDOMAIN for user testuser@MYDOMAIN, if your setup is like that)
That would be
incomplete command# kimpersonate -s afs/mycell@MYDOMAIN -c testuser@MYDOMAIN
then you have to figure out from where to take the secret. The easiest
thing for you is probably to (safely!) copy the AFS key file from one
of your AFS servers to /etc/my-AFS-KeyFile. Chmod 600 /etc/my-AFS-KeyFile !!
incomplete command# kimpersonate -s afs/mycell@MYDOMAIN -c testuser@MYDOMAIN -k AFSKEYFILE:/etc/my-AFS-KeyFile
The AFSKEYFILE: tells the Heimdal krb5 library that it is not in normal keytab format.
Then you have to tell kimpersonate where to write the tickets and what format, so you
probably end up with something like:
root# KRB5CCNAME=/tmp/krb5cc_`id -u testuser`
root# kimpersonate -s afs/mycell@MYDOMAIN -c testuser@MYDOMAIN -k AFSKEYFILE:/etc/my-AFS-KeyFile -t des3-cbc-sha1 -5
root# chown testuser $KRB5CCNAME
testuser$ afslog -c mydomain
testuser$ klist -T
Credentials cache: FILE:/tmp/krb5cc_666
Issued Expires Principal
Apr 1 11:53:29 May 1 11:53:28 afs/mycell@MYDOMAIN
Apr 1 11:53:29 May 1 11:53:28 User's (AFS ID 666) tokens for mycell
I made this example without any actual kimpersonate, so it is a little like dry swimming, so
it might contain some errors.
Remember: Everyone who can read your KeyFile can do anything with your AFS data in that cell.