Information on how to get Kerberos ticket of the user in VFS/shell during connection
Volker Lendecke
Volker.Lendecke at SerNet.DE
Thu Feb 22 07:51:03 UTC 2018
On Wed, Feb 21, 2018 at 06:30:49PM -0500, Simo via samba-technical wrote:
> Getting the user TGT requires the client to delegate it to the server,
> this is not always straightforward (not all clients do that or honor
> flags in the KDC that say it is ok to), nor the best in security
> (suddenly your server becomes a big target for a place where to steal
> users' TGTs).
>
> Does AFS actually require a full-blown TGT?

In former times, the lowest-level AFS protocol, RX, was based on a
flavor of a krb4 ticket. The big question is -- is that still the
case, or has RX changed to something more recent. If RX is still based
on those tokens, we have a chance with the fake kaserver. If that's
based on GSSAPI or something like that, we can ditch the fake kaserver
and replace it with something real. I took a brief look at OpenAFS
sources, but I could not find the hint.
Any OpenAFS developer listening here?
Volker
--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de