Dear George,

you need to forge the ticket with kimpersonate like :

You can create directly a afs ticket otherwise you can forge a krb5
and convert it.

more infos are:
SYNOPSIS
     kimpersonate [-s string | --server=string] [-c string | --client=string]
                  [-k string | --keytab=string] [-5 | --krb5] [-e integer |
                  --expire-time=integer] [-a string | --client-address=string]
                  [-t string | --enc-type=string] [-f string |
                  --ticket-flags=string] [--verbose] [--version] [--help]

DESCRIPTION
     The kimpersonate program creates a "fake" ticket using the service-key of
     the service.  The service key can be read from a Kerberos 5 keytab, AFS
     KeyFile or (if compiled with support for Kerberos 4) a Kerberos 4 srvtab.
     Supported options:

     -s string, --server=string
             name of server principal

     -c string, --client=string
             name of client principal

     -k string, --keytab=string
             name of keytab file

     -5, --krb5
             create a Kerberos 5 ticket

     -e integer, --expire-time=integer
             lifetime of ticket in seconds

     -a string, --client-address=string
             address of client

     -t string, --enc-type=string
             encryption type

     -f string, --ticket-flags=string
             ticket flags for krb5 ticket


http://www.h5l.org/blog/index.php/2006/09/kimpersonate/


bye manfred



On Wed, Apr 29, 2009 at 4:50 PM, Jeffrey Altman
<[email protected]> wrote:
> George Mamalakis wrote:
>> Dear Harald,
>>
>> I tried to play with kimpersonate, as I told you in my previous mail,
>> with no luck. I googled for it, as you proposed, but didn't find
>> something enlightening. It seems that kimpersonate is quite
>> undocumented. In fact, I still have not understood how to use it along
>> with samba.
>
> kimpersonate works by using the AFS cell's own key to forge AFS tokens
> for any user that authenticates to Samba regardless of the
> authentication method.  That permits the use of GSS-SPNEGO
> authentication which will not expose the user's password on the network.
>
>
>
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info

Reply via email to