Information on how to get kerberos ticket of the user in VFS/shell during conneciton

Volker Lendecke Volker.Lendecke at SerNet.DE
Thu Feb 22 07:51:03 UTC 2018

On Wed, Feb 21, 2018 at 06:30:49PM -0500, Simo via samba-technical wrote:
> Getting the user TGT requires the client to delegate it to the server,
> this is not always straightforward (not all clients do that or honor
> flags in the KDC that says it is ok to), nor the best in security
> (suddenly your server becomes a big target for a place where to steal
> users' TGTs).
> Does AFS actually require a full blown TGT ?

In former times, the lowest-level AFS protocol, RX, was based on a
flavor of a krb4 ticket. The big question is -- is that still the
case, or has RX changed to something more recent. If RX is still based
on those tokens, we have a chance with the fake kaserver. If that's
based on GSSAPI or something like that, we can ditch the fake kaserver
and replace it with something real. I took a brief look at OpenAFS
sources, but I could not find the hint.

Any OpenAFS developer listening here?


Besuchen Sie die verinice.XP 2018 in Berlin,
Anwenderkonferenz für Informationssicherheit
vom 21.-23.03.2018 im Sofitel Kurfürstendamm
Info & Anmeldung hier:

SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen, mailto:kontakt at

More information about the samba-technical mailing list