[OpenAFS] Re: Serving AFS to Windows boxes w/o OpenAFS client
Wed, 05 Jan 2011 15:54:39 -0500
I'm a little confused about kimpersonate. I realize it's
not OpenAFS code, but maybe someone can explain further:

    kimpersonate -s host/hummel.e.kth.se@E.KTH.SE \
        -c lha@E.KTH.SE -5

"will create a Kerberos 5 ticket for lha@E.KTH.SE for
the host hummel.e.kth.se if there exists a keytab entry
for it in /etc/krb5.keytab"

a) Extract the key for afs/OUR.ORG into /etc/krb5.keytab
   once the host was fully secured
b) kimpersonate -s afs/OUR.ORG -c jblaine@OUR.ORG -5

Can't modern MIT kinit do the same thing?

On 12/30/2010 4:00 PM, Jeff Blaine wrote:
> Thanks for all of the replies.
>
> I would like to document the various methods as I am investigating
>
> From Samba 3.5.6 configure:
> Kerberos v4 auth via native AFS libs.
> Requires cleartext SMB password.
> Useful, albeit insecure, no less than 5+ years ago.
>
> What the heck is this? I know what fakeka is. I don't
> know enough to make sense of the spots where I find
> WITH_FAKE_KASERVER defined in the Samba source.
> Is this support for authenticating only to a fakeka, which
> as I understand it would gain you Kerberos v5 using crappy
> old enctypes?
>
> If so, that would mean it's useless for those not running
> (or wanting to run) fakeka. We don't.
>
> Haven't even looked into it yet. Will, and will doc.