Guys,

thank you two very much for your help and patience, but I still haven't figured out what you want me to do :). Let's say we have the AFS user testuser with his kerberos5 keytab located in /usr/local/keytabs/testuser.keytab. Of course, I can convert it to AFS token with ktutil, but you will tell me if I should do it. The AFS space is mounted in /afs/mydomain and the user folder along with his profile are located in /afs/mydomain/users/testuser and /afs/mydomain/users/testuser/profile respectively. The keytab contains the following:

[r...@~]# ktutil -k /usr/local/keytabs/testuser.keytab list
/usr/local/keytabs/testuser.keytab:

Vno Type Principal 1 des3-cbc-sha1 testu...@mydomain
 1  des-cbc-md5    testu...@mydomain
 1  des-cbc-md4    testu...@mydomain
 1  des-cbc-crc    testu...@mydomain

If I kinit with it, I get the following:

[r...@~]# kinit -t  /usr/local/keytabs/testuser.keytab testuser
kinit: NOTICE: ticket renewable lifetime is 1 week
[r...@~]# klist
Credentials cache: FILE:/tmp/krb5cc_0
       Principal: testu...@mydomain

Issued Expires Principal Apr 30 11:23:35 Apr 30 21:23:35 krbtgt/mydom...@mydomain

When I tried to give the following command:

[r...@~]# /usr/local/libexec/kimpersonate -c testu...@mydomain -s krbtgt/mydom...@mydomain -5

to test how kimpersonate works, I got the following error:

kimpersonate: krb5_kt_get_entry: Failed to find krbtgt/mydom...@mydomain in keytab ANY:FILE:/etc/krb5.keytab (des-cbc-md5)

In what sense should I use kimpersonate, in your opinions, and how would it help me in samba's preexec? I mean, since kinit -t /pathtokeytab/keytab testuser and afslog mydomain didn't work, how will kimpersonate work? To make it more clear to me, given the example I posed you, what commands should I run in preexec (root preexec or user preexec?) so as to be able to access AFS space from samba.

Thanx again, and sorry for my incompetence in understanding what you are trying to explain to me...but guys, I still don't get it :).

Fabrizio Manfredi wrote:
Dear George,

you need to forge the ticket with kimpersonate like :

You can create directly a afs ticket otherwise you can forge a krb5
and convert it.

more infos are:
SYNOPSIS
     kimpersonate [-s string | --server=string] [-c string | --client=string]
                  [-k string | --keytab=string] [-5 | --krb5] [-e integer |
                  --expire-time=integer] [-a string | --client-address=string]
                  [-t string | --enc-type=string] [-f string |
                  --ticket-flags=string] [--verbose] [--version] [--help]

DESCRIPTION
     The kimpersonate program creates a "fake" ticket using the service-key of
     the service.  The service key can be read from a Kerberos 5 keytab, AFS
     KeyFile or (if compiled with support for Kerberos 4) a Kerberos 4 srvtab.
     Supported options:

     -s string, --server=string
             name of server principal

     -c string, --client=string
             name of client principal

     -k string, --keytab=string
             name of keytab file

     -5, --krb5
             create a Kerberos 5 ticket

     -e integer, --expire-time=integer
             lifetime of ticket in seconds

     -a string, --client-address=string
             address of client

     -t string, --enc-type=string
             encryption type

     -f string, --ticket-flags=string
             ticket flags for krb5 ticket


http://www.h5l.org/blog/index.php/2006/09/kimpersonate/


bye manfred



On Wed, Apr 29, 2009 at 4:50 PM, Jeffrey Altman
<[email protected]> wrote:
George Mamalakis wrote:
Dear Harald,

I tried to play with kimpersonate, as I told you in my previous mail,
with no luck. I googled for it, as you proposed, but didn't find
something enlightening. It seems that kimpersonate is quite
undocumented. In fact, I still have not understood how to use it along
with samba.
kimpersonate works by using the AFS cell's own key to forge AFS tokens
for any user that authenticates to Samba regardless of the
authentication method.  That permits the use of GSS-SPNEGO
authentication which will not expose the user's password on the network.



_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info


--
George Mamalakis

IT Officer
Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
MSc (Imperial College of London)

Department of Electrical and Computer Engineering
Faculty of Engineering
Aristotle University of Thessaloniki

phone number : +30 (2310) 994379

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info

Reply via email to