[OpenAFS] afs and samba

George Mamalakis mamalos@eng.auth.gr
Thu, 30 Apr 2009 16:09:05 +0300


Harald,

Thank you for your help. I did as you told me to: I used des-cbc-md5, which was present in my keyfile, and declared KRB5CCNAME with export, since otherwise it wouldn't work:

# export KRB5CCNAME=/tmp/krb5cc_`id -u testuser`
# /usr/local/libexec/kimpersonate -s afs/mydomain@MYDOMAIN -c testuser@MYDOMAIN -k AFSKEYFILE:/etc/KeyFile -t des-cbc-md5 -5
# chown testuser $KRB5CCNAME
testuser$ afslog -c mydomain
testuser$ klist -T
Credentials cache: FILE:/tmp/krb5cc_10002
        Principal: testuser@MYDOMAIN

  Issued           Expires          Principal
Apr 30 15:50:23  Apr 30 16:50:23  afs/mydomain@MYDOMAIN

Apr 30 15:50:23  Apr 30 16:50:22  User's (AFS ID 10002) tokens for mydomain

And everything worked as you mentioned in your email.

Then I placed a script to be executed by root preexec with the following 
content:

#!/bin/sh
# root preexec: forge the AFS service ticket for the connecting user and turn it into an AFS token
DATE=`date "+%Y%m%d%H%M.%S"`
USERNAME=$1
# one credential cache per user and connection time
export KRB5CCNAME=/tmp/krb5cc_${USERNAME}${DATE}
/usr/local/libexec/kimpersonate -s afs/mydomain@MYDOMAIN -c ${USERNAME}@MYDOMAIN \
    -k AFSKEYFILE:/etc/KeyFile -t des-cbc-md5 -5
afslog -c mydomain

AND EVERYTHING WORKED LIKE A CHARM! The only thing that looked a bit 
strange is that the ticket expiration is 1h, but this can be easily 
fixed with kimpersonate's --expire-time option. I assume that I will 
have to run a root postexec command that destroys the tickets and 
tokens with kdestroy and erases the /tmp/krb5cc_blabla file, and that's it?

Thousands of thanks once more for your precious help, I owe you one :-D.

Harald Barth wrote:
>   
>> When I tried to give the following command:
>>
>> [root@~]# /usr/local/libexec/kimpersonate -c testuser@MYDOMAIN -s krbtgt/MYDOMAIN@MYDOMAIN -5
>>
>> to test how kimpersonate works, I got the following error:
>>
>> kimpersonate: krb5_kt_get_entry: Failed to find krbtgt/MYDOMAIN@MYDOMAIN in keytab ANY:FILE:/etc/krb5.keytab (des-cbc-md5)
>>     
>
> From http://www.h5l.org/blog/index.php/2006/09/kimpersonate/ :
>
> # kimpersonate -s host/nutcracker.it.su.se@SU.SE -c lha/root@SU.SE -t des3-cbc-sha1 -5 --ccache=FILE:/tmp/cache -k FILE:nutcracker-keytab
>
> So you want a afs/mycell@MYDOMAIN for user testuser@MYDOMAIN, don't you?
> (Or maybe afs@MYDOMAIN for user testuser@MYDOMAIN, if your setup is like that)
>
> That would be 
>
> incomplete command# kimpersonate -s afs/mycell@MYDOMAIN -c testuser@MYDOMAIN
>
> then you have to figure out from where to take the secret. The easiest
> thing for you is probably to (safely!) copy the AFS key file from one
> of your AFS servers to /etc/my-AFS-KeyFile. Chmod 600 /etc/my-AFS-KeyFile !!
>
> incomplete command# kimpersonate -s afs/mycell@MYDOMAIN -c testuser@MYDOMAIN -k AFSKEYFILE:/etc/my-AFS-KeyFile
>
> The AFSKEYFILE: tells the Heimdal krb5 library that it is not in normal keytab format.
> Then you have to tell kimpersonate where to write the tickets and what format, so you
> probably end up with something like:
>
> root# KRB5CCNAME=/tmp/krb5cc_`id -u testuser`
> root# kimpersonate -s afs/mycell@MYDOMAIN -c testuser@MYDOMAIN -k AFSKEYFILE:/etc/my-AFS-KeyFile -t des3-cbc-sha1 -5
> root# chown testuser $KRB5CCNAME
>
> testuser$ afslog -c mydomain
> testuser$ klist -T
> Credentials cache: FILE:/tmp/krb5cc_666
>         Principal: testuser@MYDOMAIN
>
>   Issued           Expires          Principal
> Apr 1  11:53:29  May  1 11:53:28  afs/mycell@MYDOMAIN
>
> Apr 1  11:53:29  May  1 11:53:28  User's (AFS ID 666) tokens for mycell
>
> I made this example without any actual kimpersonate, so it is a little like dry swimming, so
> it might contain some errors.
>
> Remember: Everyone who can read your KeyFile can do anything with your AFS data in that cell.
>
> Harald.
>   


-- 
George Mamalakis

IT Officer
Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
MSc (Imperial College of London)

Department of Electrical and Computer Engineering
Faculty of Engineering
Aristotle University of Thessaloniki

phone number : +30 (2310) 994379
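The following is an added example, not George's preexec script or anything from Harald's reply: one helper that serves both as Samba root preexec (the kimpersonate + afslog step described in the message) and as the root postexec George asks about (kdestroy plus removal of the cache file). Everything not taken from the message is an assumption: the cache directory CACHE_DIR (a root-owned, mode 0700 directory rather than the world-writable /tmp), the per-session id passed as second argument (Samba's %d, the pid of the serving smbd, is assumed to fill it), the script name afs-session.sh in the hypothetical smb.conf lines, and the environment overrides for the tool paths, which exist so the argument checks and cleanup can be exercised on a host without AFS. Because the user name arrives from the SMB client and the script runs as root, it is validated against a conservative character set before it is used anywhere.

```shell
#!/bin/sh
# Added example (assumptions labelled): Samba root preexec/postexec helper
# that creates one Kerberos credential cache per smbd session, obtains AFS
# tokens with Heimdal's kimpersonate + afslog, and destroys both again.
#
# Hypothetical smb.conf lines:
#   root preexec  = /usr/local/sbin/afs-session.sh preexec  %U %d
#   root postexec = /usr/local/sbin/afs-session.sh postexec %U %d

CELL=${CELL:-mydomain}        # AFS cell, as in the message
REALM=${REALM:-MYDOMAIN}      # Kerberos realm, as in the message
KEYFILE=${KEYFILE:-/etc/KeyFile}

# The user name comes from the client; this script runs as root, so only
# accept names built from a conservative character set (assumption: plain
# Unix account names), never anything the shell could interpret.
valid_username() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z_][A-Za-z0-9_.-]{0,31}$'
}

# One cache file per session: user name plus session id, inside a
# root-owned directory (assumed /var/run/samba-afs) instead of /tmp.
cache_path() {
    printf '%s/krb5cc_%s_%s\n' "${CACHE_DIR:-/var/run/samba-afs}" "$1" "$2"
}

afs_preexec() {
    user=$1; sid=$2
    valid_username "$user" || { echo "afs-session: bad user name" >&2; return 1; }
    KRB5CCNAME=$(cache_path "$user" "$sid")
    export KRB5CCNAME
    # Same kimpersonate call as in the message (des-cbc-md5 key from the
    # cell's KeyFile), then convert the ticket into an AFS token.
    "${KIMPERSONATE:-/usr/local/libexec/kimpersonate}" \
        -s "afs/${CELL}@${REALM}" -c "${user}@${REALM}" \
        -k "AFSKEYFILE:${KEYFILE}" -t des-cbc-md5 -5 || return 1
    "${AFSLOG:-afslog}" -c "$CELL"
}

afs_postexec() {
    user=$1; sid=$2
    valid_username "$user" || return 1
    cache=$(cache_path "$user" "$sid")
    # kdestroy drops the tickets (Heimdal's kdestroy also unlogs the AFS
    # token); the cache file is removed afterwards regardless of its result.
    "${KDESTROY:-kdestroy}" -c "$cache"
    rm -f "$cache"
    [ ! -e "$cache" ]
}

main() {
    case "$1" in
        preexec)  afs_preexec "$2" "$3" ;;
        postexec) afs_postexec "$2" "$3" ;;
        *) echo "usage: $0 preexec|postexec USER SESSION_ID" >&2; return 2 ;;
    esac
}

if [ $# -gt 0 ]; then main "$@"; fi
```

The postexec step deliberately removes the cache file even when kdestroy fails, so that a forged service ticket never outlives the session it was created for; the token lifetime itself is still bounded by whatever --expire-time is given to kimpersonate.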