Information on how to get kerberos ticket of the user in VFS/shell during connection

Manfred Furuholmen manfred.furuholmen at gmail.com
Wed Feb 21 18:50:57 UTC 2018


Hi Volker,

thanks for the answer.
Yes, AFS moved a bit forward; today no one is using the kaserver anymore,
all the installations are using a Kerberos 5 server (MIT, Heimdal or ADC),
but in the end aklog converts the Kerberos TGT into the AFS token, and from
that point on not much has changed.
For this reason, if it is possible to have the TGT of the user during the
connection, we can convert it into an AFS token and the PAG will take care of
the rest (thanks to the Samba model based on processes), without inserting the
KeyFile into secrets.tdb.

Please don't ask, why we are not moving out...

Br


On Wed, Feb 21, 2018 at 12:35 PM, Volker Lendecke <Volker.Lendecke at sernet.de> wrote:

> On Wed, Feb 21, 2018 at 12:23:38PM +0100, Manfred Furuholmen via
> samba-technical wrote:
> > We are actually trying to build a bridge between Windows and AFS,
> > because we need to replace the native AFS client (that is no longer
> > supported). We want to export with Samba the /afs/cell_name path
> > mounted on a Linux node.
> >
> > One of the major problems is the token for the AFS cell; we want to
> > avoid forging the token inside of the Samba machine, and also we
> > don't have Kaserver anymore (if I understood correctly, it is also
> > removed from Samba). For this reason I have a couple of questions:
> >
> > Is it possible to have the user's Kerberos ticket during the execution
> > of the preexec during the connection to the share (to have as a file)?
> >
> > Or is it possible to have it in the VFS layer for the same operation (I
> > didn't see any call for that in the VFS)?
>
> The fake kaserver code is still around. I have not looked at that in
> -- I don't know actually how many years, so it's more likely to be
> broken than working. Also, this is the old krb4 stuff faking tokens.
> AFS should have moved on since then, right? Is core RX still based on
> krb4, or is that proper gssapi by now?
>
> Volker

