[OpenAFS] SAMBA as a CIFS <-> AFS gateway

Charles Clancy mgrtcc@cs.rose-hulman.edu
Wed, 18 Apr 2001 14:02:23 -0500 (EST)

> As long as you're using Win95b or newer, set
> 	encrypt passwords = yes
> in smb.conf.

This only works if you're using the smbpasswd authentication system.
Unless you're using AFS for authentication, it has to get the password
plaintext in order to check it with the kaserver and get a token.

> Samba doesn't need to be a PDC.  If you already have an NT
> domain controller, you should also add
> 	security = domain
> and then make sure you've joined the domain by running
> 	smbpasswd -j {NTDOMAIN} -r {PDC Netbios Name}

Again, Samba has to authenticate to AFS, not an existing domain controller,
in order to get an AFS token for the user connecting.

Back when Transarc licensed the AFS client on a per-platform basis, we
wanted to get by without the NT AFS client.  To do this, you need a domain
controller.  When Samba is set up as a domain controller, it requires you
to use the smbpasswd authentication system, which of course won't then do
AFS authentication.

> If you've built Samba with AFS support, it *should* work for you.

I've never had good luck compiling "--with-afs" on anything (samba, ssh,
etc).  On Solaris, I get conflicts between AFS, Solaris, and Kerberos
header files and libraries, although I haven't tried with include and lib
files newer than Transarc AFS 3.4.  I've found that PAM is by far the best
way to go.
      Charles Clancy -- mgrtcc@cs.rose-hulman.edu
Senior UNIX Administrator, Rose-Hulman Computer Science