[OpenAFS-devel] [Win] Status of remote logins
Mike Fedyk
mfedyk@matchmail.com
Fri, 25 Feb 2005 12:08:05 -0800
Franco "Sensei" wrote:
> Jeffrey Altman wrote:
>
>> You do not seem to understand how integrated login works. You login to
>> Windows and Windows finds the account. The account indicates where the
>> profile is located including the User's Registry Hive. Windows calls
>> the network provider to enable the provider to obtain credentials to
>> access network services in case they are required to load the profile.
>> Windows then loads the profile.
>
>
> Yes, I know it...
>
>> There is no interaction by anything provided by MIT KFW or OpenAFS which
>> can determine what the account is and where its profile is located. Now
>> you can map a Kerberos 5 principal to a local account via the registry
>> and you can point the profile for that account to AFS, but you can't
>> use a non-Windows Kerberos 5 principal to define a new account.
>
>
> ...and the interaction is what I'd like. Loggin into windows should be
> something a la pam_krb5afs + ldap, without AD. Somehow, active
> directory makes remote users possible, no mapping at all since no
> local account is needed on the local machine. Is it possible to create
> something I'm describing? They do it (with AD kerberos as you pointed,
> but it's always kerberos), we can do it (probably). How to retrieve
> where the profile is located, is a matter of ldap, so we could be able
> to use ldap is some way, so they do with AD.
>
> I'm not telling that it is possible here and now with the tools we
> have (kfw and openafs client), but I'm asking if you think it would be
> possible and/or useful.
Yes, I think it would be useful. I want a setup just like that without
AD in the middle also. It should be a project separate from OpenAFS
though, since they are concentrating on kerberos authentication. The
project should just be a connector between windows clients and standard
ldap+kerberos.
I'd suggest getting some documentation on the internals of AD and
Kerberos so this project can move forward. Can anyone suggest some good
books for this (and maybe for the SCSI protocol too -- separate issue
entirely though)?
I also think you will find a few people with like minds on the samba lists.
Mike