# Using Samba as an AFS gateway Recently I've been researching methods of using Samba as an AFS gateway. Below are my findings so far. Please feel free to add/correct stuff. -- [[DanielClark]] - 04 Aug 2002 ## Plain text passwords sent over network In these solutions the plain text password is sent over the network. This requires [[EnablePlainTextPassword]] be set on your Windows hosts. Plain text passwords are necessary with stock Samba because the method that SMB uses for secure authentication is not compatible with Kerberos. Therefore the Samba server must have your plain text password so it can in turn get you AFS tokens using your password. Advantages: - No new software needs to be installed on clients - Only required change on clients is to set a registry key Disadvantages: - Passwords sent in plain text over the network - Clients may initially try to use plain text passwords to login to SMB servers other than the AFS gateway - Client gets no warning before AFS tokens expire - To get new tokens, client must unmap and then remap the drive letter corresponding to the AFS gateway ### Compile Samba 2 --with-pam This causes Samba to use pluggable authentication modules (PAM) for authentication. PAM is available on many Unix variants, notably Linux and Solaris. There are PAM modules for the various Kerberos implementations that work with AFS; the module for the default kaserver comes with [[OpenAFS]]. For some more info on PAM see the [Samba doc](http://de.samba.org/samba/ftp/docs/htmldocs/Samba-HOWTO-Collection.html#PAM). Many precompiled versions of Samba are built with this option (i.e. Redhat's Samba RPMs) Advantages: - The only method that is integrated into Samba core and pretty much guaranteed to be maintained and work with all future Samba releases, as it is generally useful to people for purposes other then using Samba as an AFS gateway. There seem to be no people on the Samba core team that have an active interest in AFS. Disadvantages: - Doesn't work with operating systems that do not support PAM. ### Compile Samba 2 --with-afs This links Samba against AFS authentication code directly. Advantages: - May work with systems that do not support PAM. Disadvantages: - Not actively maintained. Author states the option may be suffering from bit rot. - Several people have mentioned difficulty getting the library and header paths right, mentioning conflicts between [[OpenAFS]], [[OpenSSL]] and non-AFS Kerberos libraries and header files. It is unclear if this code is works with the latest Samba and [[OpenAFS]] releases at all. - May need to hunt around on the internet for a patch to make this work against a specific OS type and Samba version, and then use that older Samba version. - Patch for AIX / Samba 2.0.4b: ## No plain text passwords sent over network These are methods that avoid sending plain text passwords over the network. Advantages: - Increased security Disadvantages: - Requires modifications to stock Samba distribution - Requires additional infrastructure beyond Samba - All are primarily internal projects that people did for their employers, support may be minimal to nonexistent. ### kSAMBA kSamba is used for AFS translation in University of Michigan Campus sites. It also allows Windows workstations to authenticate and connect to UNIX SMB (Server Message Block) servers via a Kerberos out-of-band negotiation. This allows users to connect without entering a SMB password. A version of Samba 2.0.6 modified to support AFS and Kerberos is implemented on the server side.
URL http://rsug.itd.umich.edu/software/ksamba.html
Email ifs.via.samba@umich.edu
Advantages: - Very good security. Plain text passwords are not required to be sent over the network or kept on the Samba server. - Has been in active use by a good number of clients for several years. - Looks like it might have an interface to manipulate AFS permissions - see Disadvantages: - Seems to be pretty specific to UMich's site - unclear if anyone else is using it. - Requires each Windows client to install some software - Windows client software doesn't seem to be open source - Windows client software won't install on Windows 2000 or XP - Looks like it may be tied to a specific Kerberos implementation - Must run Samba 2.0.6 or do some porting to newer version ### SMBKlog SMBKlog uses out-of-band authentication over SSL. The server sends the client an RSA public key - the client encrypts the password with the public key and sends it to the server, which then decrypts it. There is an email explaining it at .
URL http://www22.brinkster.com/jvrobert
Email Jason Robertson jason.v.robertson@intel.com
Advantages: - Password not sent over network in plain text - Not specific to any particular Kerberos/AFS implementation [ Transarc/OpenAFS OK ] - Uses [[OpenSSL]] so probably relatively easy to write new Windows clients - Successfully used at Intel to comply with corporate security requirements Disadvantages: - Password exists in plain text form on Samba server, at least in memory, for some period of time (Samba server decrypts password to plaintext form and uses that to get AFS tokens) - Requires each Windows client to install some software - Windows client software dies on Windows 2000 and XP [ May be fixed in current version ] - Must run specific Samba version or do some porting to newer version [ Should be straightforward ] - Not under heavy active development. Updates: - Frank Cameron () updated Jason's smbklog patches to work with Samba 2.2.7 - [samba-2.2.7-afstoken.patch](http://www.dementia.org/twiki//view/samba-2.2.7-afstoken.patch): Updated smbklog patch for Samba 2.2.7 - Also available is a patch to compile Samba 2.2.7 on [[RedHat]] 8 - [samba-2.2.7\_afstoken.spec](http://www.dementia.org/twiki//view/samba-2.2.7_afstoken.spec): Spec file to build Samba 2.2.7 w/ SMBKlog on RH 8 ### FOKSTRAUT **Fokstraut and Samba - Dealing with Authentication and Performance Issues On A Large Scale Samba Service** Robert Beck & Steve Holstead, _University of Alberta_ **Abstract** At the University of Alberta, we have approximately 55,000 user id's using central services authenticated by Kerberos. We use AFS for central file service. We use Samba to provide Windows compatible access to much of our central file service. Samba contains a number of useful features for Microsoft Windows compatibility, including a kludge to deal with the problem of Windows sending an all uppercase version of a user's password. We observed that when Windows connects to a share, it frequently attempts many incorrect passwords repeatedly before trying the correct one. This created a very heavy authentication load on our central Samba service when users would connect every morning and authenticate. We observed this load and noticed that most of our problems were caused by repeated attempts to authenticate, and the high cost of checking these attempts. To help reduce the load due to authentication, we implemented FOKSTRAUT, a set of modifications to Samba to cache recent password failures and successes in a DBM database built by the Samba server as it runs. By caching the recent failures we avoid expensive re-checks of the (many) other passwords Windows likes to send us. We also cache the correct case of the real password, and by doing so we avoid the expensive overhead of "cracking" an all uppercase password When Windows decides to send one. We also use FOKSTRAUT to cache the NT and LanMan password hashes of a users password once we see a successful authentication. This then allows us to use the newer Windows NT password hash after the user has connected once, without having to centrally convert and maintain a large SMB password file, and while maintaining the ability of our server to access services such as AFS which can not be authenticated against using the Windows password hash alone. Performance on our service has been drastically improved since the implementation of FOKSTRAUT.
URL http://www.usenix.org/events/lisa2000/full_papers/beck/beck_html/
  http://www.ualberta.ca/~sholstea/patches.tar Patches against Samba 2.2.4
Email Steve Holstead Steve.Holstead@ualberta.ca
  Robert Beck beck@bofh.ucs.ualberta.ca or beck@obtuse.com
Advantages: - Password not sent over network in plain text - In use for several years with a large number of clients - Has advantages other than secure AFS login - Seems to be under active development - Support for automatic reauthentication before token lifetime ends recently added - Requires no changes to Windows Clients. This is a unique feature of this method. - Everything is under BSD style license terms Disadvantages: - Requires some out-of-band secure infrastructure for users to change their passwords. - Authors mention using a simple script on a login server in which a user can make an SMB connect and authenticate themselves. Unsure of the security of this solution. - Another possibility would be a web application behind an SSL server running on the same host as the Samba server. - Passwords must be stored in cleartext on the Samba server. ## New: More secure options ### Samba 3 built-in AFS support It looks like Samba 3.0.4 has built-in AFS support (perhaps only for the Kerberos 4 kaserver on GNU/Linux with [[OpenAFS]] however). The relevant configure option looks like: --with-fake-kaserver Include AFS fake-kaserver support (default=no) References: - - - - [http://marc.theaimsgroup.com/?l=samba&m=108238783519493&w=2](http://marc.theaimsgroup.com/?l=samba&m=108238783519493&w=2) - [http://marc.theaimsgroup.com/?l=samba&m=108119099330691&w=2](http://marc.theaimsgroup.com/?l=samba&m=108119099330691&w=2) - Also based on it looks like Samba 3.0.5 will have support to display and set AFS acls via the NT security editor. Here are some relevant comments from the Samba 3.0.4 code (author's homepage is at ): ./source/lib/afs.c: /* This routine takes a radical approach completely bypassing the Kerberos idea of security and using AFS simply as an intelligent file backend. Samba has persuaded itself somehow that the user is actually correctly identified and then we create a ticket that the AFS server hopefully accepts using its KeyFile that the admin has kindly stored to our secrets.tdb. Thanks to the book "Network Security -- PRIVATE Communication in a PUBLIC World" by Charlie Kaufman, Radia Perlman and Mike Speciner Kerberos 4 tickets are not really hard to construct. For the comments "Alice" is the User to be auth'ed, and "Bob" is the AFS server. */ ./source/lib/afs_settoken.c: /* Put an AFS token into the Kernel so that it can authenticate against the AFS server. This assumes correct local uid settings. This is currently highly Linux and OpenAFS-specific. The correct API call for this would be ktc_SetToken. But to do that we would have to import a REALLY big bunch of libraries which I would currently like to avoid. */ ### kimpersonate The major problem when exporting the AFS filespace read-write to SMB (Windows fileshareing) using Samba is the transfer of the user token to the smb-server. The simple may is to use clear-text password between the Windows client and the samba-server, and then to get tokens for the user with this password. This solution is clearly not acceptable for security aware AFS administrators. On solution is to use \`kimpersonate' + store afs key on fileserver. To obtain the kimersonate code contact "Love H�rnquist-�strand" < lha () stacken ! kth ! se > Here are some references to this technique: - - - - Here is the kimpersonate **README**: kimpersonate ============ kimpersonate takes a keytab/srvtab/AFS KeyFile and impersonates kerberos credental case for a user. See manpage for documentation. Very useful when using with samba. Using kimpersonate with SAMBA ============================= entry in smb.conf root preexec = /usr/samba/bin/su-user-login '%u' Also see the su-user-login file, note that this file contains hacks that parses the %u for samba 3.0-alpha22 something using domain logins. Check that is matches your usage. You need to make sure that somehow the samba does a afs setpag call before calling afslog/aklog. See the patch samba-setpag-patch-linux-and-freebsd above. Here is a text rendition the kimpersonate-1.0 **man page**: KERBEROS(SECTION) LOCAL KERBEROS(SECTION) NAME kimpersonate - impersonate a user when there exist a srvtab, keyfile or KeyFile SYNOPSIS kimpersonate [-s string | --server=string] [-c string | --client=string] [-k string | --keytab=string] [-4 | --krb4] [-5 | --krb5] [-e integer | --expire-time=integer] [-a string | --client-address=string] [-t string | --enc-type=string] [-f string | --ticket-flags=string] [--verbose] [--version] [--help] DESCRIPTION The kimpersonate program create a "fake" ticket using the service-key of the service, the service key can be read from a Kerberos 5 keytab, AFS KeyFile or (if compiled with support for Kerberos 4) a Kerberos 4 srvtab. Supported options: -s string, --server=string name of server principal -c string, --client=string name of client principal -k string, --keytab=string name of keytab file -4, --krb4 create a kerberos 4 ticket -5, --krb5 create a kerberos 5 ticket -e integer, --expire-time=integer lifetime of ticket in seconds -a string, --client-address=string address of client -t string, --enc-type=string encryption type -f string, --ticket-flags=string ticket flags for krb5 ticket --verbose Verbose output --version Print version --help FILES Uses /etc/krb5.keytab, /etc/srvtab and /usr/afs/etc/KeyFile when avalible and the the -k is used with appropriate prefix. EXAMPLES kimpersonate can be used in samba root preexec option or for debugging. kimpersonate -s host/hummel.e.kth.se@E.KTH.SE -c lha@E.KTH.SE -5 --no- krb4 will create a Kerberos 5 ticket for lha@E.KTH.SE for the host hum- mel.e.kth.se if there exist a keytab entry for it in /etc/krb5.keytab kimpersonate -k krb4:/etc/srvtab -s host/hummel.e.kth.se@E.KTH.SE -c lha@E.KTH.SE --no-krb5 -4 will create a Kerberos 4 ticket for lha@E.KTH.SE for the host hummel.e.kth.se if there exist a srvtab entry for it in /etc/srvtab Note the Kerberos 5 syntax of the server. SEE ALSO kinit(1) AUTHORS Love H�rnquist-�strand < lha () stacken ! kth ! se > Heimdal July 30, 2000 Heimdal ## Random Links 2002-05 discussion on samba-technical: [http://marc.theaimsgroup.com/?l=samba-technical&m=102214554108308&w=2](http://marc.theaimsgroup.com/?l=samba-technical&m=102214554108308&w=2) ## Attachments [http://www.shop263.com/i-4/207.htm A级表面SMC树脂] [http://www.shop263.com/i-4/208.htm B型硅胶] [http://www.shop263.com/i-4/209.htm DG膜纺织面料] [http://www.shop263.com/i-4/210.htm DNA细胞重生系列] [http://www.shop263.com/i-4/211.htm NMF因子肌肤平] [http://www.shop263.com/i-4/212.htm 艾芦植物平衡系列] [http://www.shop263.com/i-4/213.htm 氨基酸] [http://www.shop263.com/i-4/214.htm 按摩霜] [http://www.shop263.com/i-4/215.htm 巴豆酸] [http://www.shop263.com/i-4/216.htm 巴豆酸酐] [http://www.shop263.com/i-4/217.htm 白凡士林] [http://www.shop263.com/i-4/218.htm 包装用硅胶] [http://www.shop263.com/i-4/219.htm 宝宝绿色护理] [http://www.shop263.com/i-4/220.htm 保湿] [http://www.shop263.com/i-4/221.htm 保湿防裂润唇膏] [http://www.shop263.com/i-4/222.htm 保湿剂] [http://www.shop263.com/i-4/223.htm 保养喷蜡] [http://www.shop263.com/i-4/224.htm 杯垫] [http://www.shop263.com/i-4/225.htm 苯二胺] [http://www.shop263.com/i-4/226.htm 苯亚磺酸钠] [http://www.shop263.com/i-4/227.htm 畚箕刷] [http://www.shop263.com/i-4/228.htm 变色唇膏] [http://www.shop263.com/i-4/229.htm 变压器油] [http://www.shop263.com/i-4/230.htm 表面活性] [http://www.shop263.com/i-4/231.htm 表面活性剂] [http://www.shop263.com/i-4/232.htm 表面脂] [http://www.shop263.com/i-4/233.htm 表面脂药用] [http://www.shop263.com/i-4/234.htm 薄膜包衣剂] [http://www.shop263.com/i-4/235.htm 不饱和聚酯树脂] [http://www.shop263.com/i-4/236.htm 不锈底漆] [http://www.shop263.com/i-4/237.htm 不锈钢抛光液] [http://www.shop263.com/i-4/238.htm 擦铜水] [http://www.shop263.com/i-4/239.htm 彩妆] [http://www.shop263.com/i-4/240.htm 菜粕] [http://www.shop263.com/i-4/241.htm 菜油] [http://www.shop263.com/i-4/242.htm 菜籽色拉油] [http://www.shop263.com/i-4/243.htm 餐具洗涤剂] [http://www.shop263.com/i-4/244.htm 餐具洗涤用品] [http://www.shop263.com/i-4/245.htm 茶香酮] [http://www.shop263.com/i-4/246.htm 超级机油精] [http://www.shop263.com/i-4/247.htm 车用香水] [http://www.shop263.com/i-4/248.htm 成膜定型剂] [http://www.shop263.com/i-4/249.htm 宠物清洁杀虫剂] [http://www.shop263.com/i-4/250.htm 除虫菊素] [http://www.shop263.com/i-4/251.htm 厨房地面去油剂] [http://www.shop263.com/i-4/252.htm 厨房高效油污清洁剂] [http://www.shop263.com/i-4/253.htm 窗帘护脚垫] [http://www.shop263.com/i-4/254.htm 纯天然除虫菊] [http://www.shop263.com/i-4/255.htm 唇彩] [http://www.shop263.com/i-4/256.htm 唇油] [http://www.shop263.com/i-4/257.htm 带电清洗工程] [http://www.shop263.com/i-4/258.htm 单元卫生间用SMC树脂] [http://www.shop263.com/i-4/259.htm 低钠营养盐] [http://www.shop263.com/i-4/260.htm 低泡地毯清洁剂] [http://www.shop263.com/i-4/261.htm 低烟指数阻燃树脂] [http://www.shop263.com/i-4/262.htm 底蜡] [http://www.shop263.com/i-4/263.htm 电发] [http://www.shop263.com/i-4/264.htm 电器绝缘油] [http://www.shop263.com/i-4/265.htm 电清洗] [http://www.shop263.com/i-4/266.htm 电热驱蚊液] [http://www.shop263.com/i-4/267.htm 电热蚊香] [http://www.shop263.com/i-4/268.htm 电子蜡] [http://www.shop263.com/i-4/269.htm 调理剂] [http://www.shop263.com/i-4/270.htm 动物药业] [http://www.shop263.com/i-4/271.htm 多色唇彩] [http://www.shop263.com/i-4/272.htm 儿童护肤系列] [http://www.shop263.com/i-4/273.htm 儿童阶段护理] [http://www.shop263.com/i-4/274.htm 二氯异氰尿酸钠] [http://www.shop263.com/i-4/275.htm 二氧化氯] [http://www.shop263.com/i-4/276.htm 凡士林] [http://www.shop263.com/i-4/277.htm 防尘地垫] [http://www.shop263.com/i-4/278.htm 防虫防蛀片] [http://www.shop263.com/i-4/279.htm 防滑地垫] [http://www.shop263.com/i-4/280.htm 防集装箱摇晃系统] [http://www.shop263.com/i-4/281.htm 防晒隔离霜] [http://www.shop263.com/i-4/282.htm 防晒剂] [http://www.shop263.com/i-4/283.htm 防晒霜] [http://www.shop263.com/i-4/284.htm 防锈蜡] [http://www.shop263.com/i-4/285.htm 防锈润滑] [http://www.shop263.com/i-4/286.htm 防皱] [http://www.shop263.com/i-4/287.htm 纺织蜡] [http://www.shop263.com/i-4/288.htm 非医药日用品] [http://www.shop263.com/i-4/289.htm 酚类致敏物] [http://www.shop263.com/i-4/290.htm 粉饼] [http://www.shop263.com/i-4/291.htm 粉底霜] [http://www.shop263.com/i-4/292.htm 粉条] [http://www.shop263.com/i-4/293.htm 氟硅酸钠] [http://www.shop263.com/i-4/294.htm 氟西汀] [http://www.shop263.com/i-4/295.htm 富马酸单乙酯] [http://www.shop263.com/i-4/296.htm 钙强化营养盐] [http://www.shop263.com/i-4/297.htm 甘宝素] [http://www.shop263.com/i-4/298.htm 甘油液] [http://www.shop263.com/i-4/299.htm 感光材料] [http://www.shop263.com/i-4/300.htm 高固免抛面蜡] [http://www.shop263.com/i-4/301.htm 羧甲基纤维素钠] [http://www.shop263.com/i-4/302.htm 胎盘系列] [http://www.shop263.com/i-4/303.htm 特殊化学品] [http://www.shop263.com/i-4/304.htm 特殊添加剂] [http://www.shop263.com/i-4/305.htm 特种煤油] [http://www.shop263.com/i-4/306.htm 特种溶剂] [http://www.shop263.com/i-4/307.htm 体膏] [http://www.shop263.com/i-4/308.htm 天然提取物系列] [http://www.shop263.com/i-4/309.htm 天然植物型化妆品] [http://www.shop263.com/i-4/310.htm 铁强化营养盐] [http://www.shop263.com/i-4/311.htm 高级固蜡] [http://www.shop263.com/i-4/312.htm 高级免抛面蜡] [http://www.shop263.com/i-4/313.htm 高级软蜡] [http://www.shop263.com/i-4/314.htm 高级砂蜡] [http://www.shop263.com/i-4/315.htm 高级洗洁精] [http://www.shop263.com/i-4/316.htm 高级香水] [http://www.shop263.com/i-4/317.htm 高泡地毯清洁剂] [http://www.shop263.com/i-4/318.htm 高奇通洁灵] [http://www.shop263.com/i-4/319.htm 高速磨光面蜡] [http://www.shop263.com/i-4/320.htm 高效复合肥] [http://www.shop263.com/i-4/321.htm 高效广谱] [http://www.shop263.com/i-4/322.htm 高效回复液蜡] [http://www.shop263.com/i-4/323.htm 高效美白去角质凝霜] [http://www.shop263.com/i-4/324.htm 高新分离技术设备] [http://www.shop263.com/i-4/325.htm 膏霜] [http://www.shop263.com/i-4/326.htm 个人洗护用品] [http://www.shop263.com/i-4/327.htm 工控自动化] [http://www.shop263.com/i-4/328.htm 工业凡士林] [http://www.shop263.com/i-4/329.htm 工业清洁剂] [http://www.shop263.com/i-4/330.htm 工业清洗机] [http://www.shop263.com/i-4/331.htm 工业清洗剂] [http://www.shop263.com/i-4/332.htm 工业清洗用品] [http://www.shop263.com/i-4/333.htm 工业用粘合剂] [http://www.shop263.com/i-4/334.htm 工艺品树脂] [http://www.shop263.com/i-4/335.htm 共聚物] [http://www.shop263.com/i-4/336.htm 固体清香] [http://www.shop263.com/i-4/337.htm 硅胶猫砂] [http://www.shop263.com/i-4/338.htm 果冻蜡] [http://www.shop263.com/i-4/339.htm 合成洗衣粉] [http://www.shop263.com/i-4/340.htm 护发素] [http://www.shop263.com/i-4/341.htm 护肤品] [http://www.shop263.com/i-4/342.htm 护甲油] [http://www.shop263.com/i-4/343.htm 护理用品] [http://www.shop263.com/i-4/344.htm 花卉环保杀虫剂] [http://www.shop263.com/i-4/345.htm 化妆盒] [http://www.shop263.com/i-4/346.htm 化妆品] [http://www.shop263.com/i-4/347.htm 化妆套刷] [http://www.shop263.com/i-4/348.htm 化妆洗涤品] [http://www.shop263.com/i-4/349.htm 环保甲油] [http://www.shop263.com/i-4/350.htm 环保桶] [http://www.shop263.com/i-4/351.htm 黄凡士林] [http://www.shop263.com/i-4/352.htm 活粒子精华倒膜] [http://www.shop263.com/i-4/353.htm 机械设备清洁剂] [http://www.shop263.com/i-4/354.htm 积碳净] [http://www.shop263.com/i-4/355.htm 季胺碱] [http://www.shop263.com/i-4/356.htm 加碘精制盐] [http://www.shop263.com/i-4/357.htm 家居清洁用品] [http://www.shop263.com/i-4/358.htm 家居卫生杀虫剂] [http://www.shop263.com/i-4/359.htm 家居洗涤用品] [http://www.shop263.com/i-4/360.htm 家庭消毒药水] [http://www.shop263.com/i-4/361.htm 甲基纤维素] [http://www.shop263.com/i-4/362.htm 减肥霜] [http://www.shop263.com/i-4/363.htm 娇肤特效眼膜] [http://www.shop263.com/i-4/364.htm 洁肤凝露] [http://www.shop263.com/i-4/365.htm 洁面乳] [http://www.shop263.com/i-4/366.htm 洁阴液] [http://www.shop263.com/i-4/367.htm 睫毛膏] [http://www.shop263.com/i-4/368.htm 金属加工用油] [http://www.shop263.com/i-4/369.htm 精华素] [http://www.shop263.com/i-4/370.htm 精炼棉籽油] [http://www.shop263.com/i-4/371.htm 精细化工助剂] [http://www.shop263.com/i-4/372.htm 桔色硅胶] [http://www.shop263.com/i-4/373.htm 焗油发膜] [http://www.shop263.com/i-4/374.htm 聚胺脂泡沫填缝剂] [http://www.shop263.com/i-4/375.htm 聚丙烯酰胺] [http://www.shop263.com/i-4/376.htm 聚羧酸] [http://www.shop263.com/i-4/377.htm 莰烷酮] [http://www.shop263.com/i-4/378.htm 抗皱美白] [http://www.shop263.com/i-4/379.htm 空气清新剂] [http://www.shop263.com/i-4/380.htm 口红] [http://www.shop263.com/i-4/381.htm 口红笔] [http://www.shop263.com/i-4/382.htm 口腔护理品] [http://www.shop263.com/i-4/383.htm 矿物质] [http://www.shop263.com/i-4/384.htm 拉挤树脂] [http://www.shop263.com/i-4/385.htm 蜡和香精] [http://www.shop263.com/i-4/386.htm 蜡烛蜡] [http://www.shop263.com/i-4/387.htm 蓝色硅胶] [http://www.shop263.com/i-4/388.htm 老年斑霜] [http://www.shop263.com/i-4/389.htm 离子类烫] [http://www.shop263.com/i-4/390.htm 立净洗洁精] [http://www.shop263.com/i-4/391.htm 亮丽玻璃清洁剂] [http://www.shop263.com/i-4/392.htm 邻苯二甲醛] [http://www.shop263.com/i-4/393.htm 邻氯苯甲醛] [http://www.shop263.com/i-4/394.htm 磷酸一铵] [http://www.shop263.com/i-4/395.htm 流体瓜尔豆胶悬浮液] [http://www.shop263.com/i-4/396.htm 漏电保护神] [http://www.shop263.com/i-4/397.htm 芦荟保湿] [http://www.shop263.com/i-4/398.htm 芦荟干粉] [http://www.shop263.com/i-4/399.htm 芦荟果丁] [http://www.shop263.com/i-4/400.htm 芦荟胶囊] [http://www.shop263.com/i-4/401.htm 芦荟酒] [http://www.shop263.com/i-4/402.htm 芦荟矿物晶] [http://www.shop263.com/i-4/403.htm 芦荟面膜] [http://www.shop263.com/i-4/404.htm 芦荟凝胶] [http://www.shop263.com/i-4/405.htm 芦荟润肤] [http://www.shop263.com/i-4/406.htm 芦荟系列] [http://www.shop263.com/i-4/407.htm 芦荟系列化妆品] [http://www.shop263.com/i-4/408.htm 芦荟牙膏] [http://www.shop263.com/i-4/409.htm 水性甲油] [http://www.shop263.com/i-4/410.htm 速消眼角皱纹蜜] [http://www.shop263.com/i-4/411.htm 塑料衣夹] [http://www.shop263.com/i-4/412.htm 羧甲淀粉钠]