[OpenAFS] Re: Serving AFS to Windows boxes w/o OpenAFS client (Samba)?
Jeff Blaine
jblaine@kickflop.net
Wed, 05 Jan 2011 15:54:39 -0500

I'm a little confused about kimpersonate. I realize it's
not OpenAFS code, but maybe someone can explain further:

    kimpersonate -s host/hummel.e.kth.se@E.KTH.SE \
        -c lha@E.KTH.SE -5

"will create a Kerberos 5 ticket for lha@E.KTH.SE for
the host hummel.e.kth.se if there exists a keytab entry
for it in /etc/krb5.keytab"

So:

a) Extract the key for afs/OUR.ORG into /etc/krb5.keytab
   once the host was fully secured
b) kimpersonate -s afs/OUR.ORG -c jblaine@OUR.ORG -5
c) aklog

No?

Can't modern MIT kinit do the same thing?

On 12/30/2010 4:00 PM, Jeff Blaine wrote:
> Thanks for all of the replies.
>
> I would like to document the various methods as I am investigating
> this.
>
> From Samba 3.5.6 configure:
>
> --with-afs
>
> Kerberos v4 auth via native AFS libs.
>
> Requires cleartext SMB password.
>
> Useful, albeit insecure, no less than 5+ years ago.
>
> --with-fake-kaserver
>
> What the heck is this? I know what fakeka is. I don't
> know enough to make sense of the spots where I find
> WITH_FAKE_KASERVER defined in the Samba source.
>
> Is this support for authenticating only to a fakeka, which
> as I understand it would gain you Kerberos v5 using crappy
> old enctypes?
>
> If so, that would mean it's useless for those not running
> (or wanting to run) fakeka. We don't.
>
> kimpersonate
>
> Haven't even looked into it yet. Will, and will doc.