[OpenAFS] Evaluating OpenAFS: Questions

Sven Oehme oehmes@de.ibm.com
Wed, 12 Jan 2005 20:30:38 +0100



> Sven Oehme wrote:
> 
> > 
> >  >
> >  > You do not want to use an intermediary server with Samba as a go between.
> >  >
> > 
> > why ?
> > if the Samba Server understands afs, this is something you want,
> > because you don't have to maintain an AFS client on each System  ...
> > 
> > Sven
> 
> First, the Samba server then needs to know the Kerberos key for AFS
> in order to be able to generate tokens on behalf of the authenticated
> end user.  Since the Samba server is on a machine which is to be
> considered more vulnerable to attack than the KDC, this should not be
> allowed.

yes do you trust your Openafs Fileservers ? they also need the key ...
and if you run that in a controlled environment (a linux cluster) this is 
not a problem at all.

> 
> Second, Samba supports SMB features such as byte range locking and
> Unicode which are currently not supported by AFS file servers.
> Clients will rely on the fact that the SMB server states that these
> features are supported and expect them to work when the reality is
> they cannot.

if you use the afs built-in lock mechanism used by a samba instance, 
that's not a problem. 
the drawback is, you can't use a file at the same time exported over 
multiple samba instances.

> 
> If you are willing to risk the compromise of your data both from
> unauthorized access as well as from write collisions, go ahead and
> use Samba as a gateway.  Otherwise, stick to using a true AFS client.
> 
> Jeffrey Altman
> 
> 

we have several installations with multiple thousand users, exporting 
multiple T-byte of data over multiple samba hosts.
btw. we work with multiple members of the samba team on that project. 
believe me, it works.

Sven


-------------------------------------------------------------------------------------------------------------------------
Dept. A141,  TG/SSG EMEA AIS Strategy and Architecture
Development Leader Stonehenge 
IBM intranet ---> http://w3.ais.mainz.de.ibm.com/stonehenge/
internet ---> http://www-5.ibm.com/services/de/storage/stonehenge.html
Phone (+49)-6131-84-3151
Fax      (+49)-6131-84-6708
Mobil   (+49)-171-970-6664
E-Mail : oehmes@de.ibm.com

