Information on how to get kerberos ticket of the user in VFS/shell during conneciton
manfred.furuholmen at gmail.com
Thu Feb 22 20:41:20 UTC 2018
the conversion is done by the aklog, you can find it in the src/aklog
directory in openAFS.
That is possible because it was implemented the 2b token, mainly kerberos 5
The aklog is able to do several conversions, for the krb5 there is a
function call rxkad_build_native_token
that is possible because it was implemented the 2b token in AFS , mainly
kerberos 5 in rxkad, the trick was to use kerberos 5 EncTicketPart instead
of kerberos 4 ditto.
On Thu, Feb 22, 2018 at 10:34 AM, Volker Lendecke <Volker.Lendecke at sernet.de
> On Wed, Feb 21, 2018 at 07:50:57PM +0100, Manfred Furuholmen via
> samba-technical wrote:
> > Hi Volker,
> > thanks for the answer.
> > Yes AFS moved a bit forward, today no one is using the kaserver
> > all the installation are using a Kerberos 5 server (MIT, Heimdal or ADC),
> > but at the end the akog convert the kerberos TGT in the AFS token, and
> > that point not much it is changed.
> > For these reason if it is possible to have the TGT of the user during the
> > connection we can convert in AFS token and the pag will take care of the
> > rest (thanks for the Samba model base on process), without insert the
> > KeyFile to secrets.tdb
> How is the conversion from tgt to afs token done exactly? Can you
> point me at the code in the afs sources?
> Thanks, Volker
> Besuchen Sie die verinice.XP 2018 in Berlin,
> Anwenderkonferenz für Informationssicherheit
> vom 21.-23.03.2018 im Sofitel Kurfürstendamm
> Info & Anmeldung hier: http://veriniceXP.org
> SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
> phone: +49-551-370000-0, fax: +49-551-370000-9
> AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
> http://www.sernet.de, mailto:kontakt at sernet.de
More information about the samba-technical