Information on how to get kerberos ticket of the user in VFS/shell during conneciton

Manfred Furuholmen manfred.furuholmen at
Thu Feb 22 20:41:20 UTC 2018

Hi Volker,

the conversion is done by the aklog, you can find it in the src/aklog
directory in openAFS.
That is possible because it was implemented the 2b token, mainly kerberos 5
in rxkad.
The aklog is able to do several conversions, for the krb5 there is a
function call  rxkad_build_native_token
that is possible because it was implemented the 2b token in AFS , mainly
kerberos 5 in rxkad, the trick was to use kerberos 5 EncTicketPart instead
of kerberos 4 ditto.

Thanks, FM

On Thu, Feb 22, 2018 at 10:34 AM, Volker Lendecke <Volker.Lendecke at
> wrote:

> On Wed, Feb 21, 2018 at 07:50:57PM +0100, Manfred Furuholmen via
> samba-technical wrote:
> > Hi Volker,
> >
> > thanks for the answer.
> >  Yes AFS moved a bit forward,  today no one is using the kaserver
> anymore,
> > all the installation are using a Kerberos 5 server (MIT, Heimdal or ADC),
> > but at the end the akog convert the kerberos TGT in the AFS token, and
> from
> > that point not much it is changed.
> > For these reason if it is possible to have the TGT of the user during the
> > connection we can convert in AFS  token and the pag will take care of the
> > rest (thanks for the Samba model base on process), without insert the
> > KeyFile to secrets.tdb
> How is the conversion from tgt to afs token done exactly? Can you
> point me at the code in the afs sources?
> Thanks, Volker
> --
> Besuchen Sie die verinice.XP 2018 in Berlin,
> Anwenderkonferenz für Informationssicherheit
> vom 21.-23.03.2018 im Sofitel Kurfürstendamm
> Info & Anmeldung hier:
> SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
> phone: +49-551-370000-0, fax: +49-551-370000-9
> AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
>, mailto:kontakt at

More information about the samba-technical mailing list