Dear Harald,

I tried to play with kimpersonate, as I told you in my previous mail, with no luck. I googled for it, as you proposed, but didn't find something enlightening. It seems that kimpersonate is quite undocumented. In fact, I still have not understood how to use it along with samba.

What I have done up until now, was to exploit samba's preexec (and root preexec) in order to provide a token to my process. Since I couldn't find how kimpersonate works, what I logically thought, was to execute something like kinit so as to obtain a kerberos ticket for my user (testuser in my example), and then use afslog to obtain an AFS token. Therefore, I created this simple script to be run by preexec:

#!/bin/sh
kinit -k -t /path/to/keytab testuser
afslog mydomain

The only way I could run this script was through the root preexec directive, and even then, even though tickets and tokens were created, the server replied with the following error message:

[log.smbserver excerpt]:

[2009/04/29 17:28:00,  0] smbd/service.c:make_connection_snum(1156)
'/afs/mydomain/users/testuser/profile' does not exist or permission denied when connecting to [Profiles] Error was Permission denied

I never managed to "preexec" this script as a normal user, only as root. This probably means that the procedure fails before user preexec is started.

If I put a command following to "afslog mydomain" that creates a file for example (like touch /afs/mydomain/users/testuser/lala), then the file is created with the correct permissions and ownerships, but the aforementioned error remains.

After these experiments, I am not sure how kimpersonate would help in my case, not to mention once more, that I still haven't figured out how to use it with samba.

Would you happen to know how to use it? And if so, could you please tell me so as to try and see if it works for me?

Thanks all, again, for your time and effort


Harald Barth wrote:
1) old way use a clear text password from client, this option is
disable by default for security reason. If you want use this method
you need to set clear text on all your clients

Sounds scary.

2) new way, the samba server can work as a kaserver, that means the
samba can create a afs token for each user ( you need put the key
master password on samba tdb)

There is another more modern variation of the same theme but with krb5.
Google for kimpersonate.

----

That said, I still would use the clients as AFS clients if possible,
instead of going through a Samba gateway.

Harald.
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info


--
George Mamalakis

IT Officer
Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
MSc (Imperial College of London)

Department of Electrical and Computer Engineering
Faculty of Engineering
Aristotle University of Thessaloniki

phone number : +30 (2310) 994379

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info

Reply via email to