[OpenAFS] Evaluating OpenAFS: Questions
Sven Oehme
oehmes@de.ibm.com
Wed, 12 Jan 2005 20:43:09 +0100
This is a multipart message in MIME format.
--=_alternative 006C3E71C1256F87_=
Content-Type: text/plain; charset="US-ASCII"
> Kris Van Hees wrote:
> > Actually, it is perfectly possible to have Samba get AFS tokens the
normal
> > way by using PAM, and letting Samba authenticate the user through pam.
The
> > Samba instance that serves that particular connection from a Windows
client
> > will then have an AFS token for the user if it was able to
authenticate the
> > user. This is similar to how a user can get AFS tokens by loggingin
on the
> > Unix system directly.
>
> In which case you are sending passwords across the network. In my
> opinion this is worse. There was once a time when the Windows OpenAFS
> client was not being developed or supported where I could have justified
> the notion that a Samba gateway should be used simply because the client
> was too unstable to use. This is no longer true.
>
> Jeffrey Altman
we don't send password of the network !
we authenticate the user with windows mechanism and create a token for the
user in the samba session.
so you can use Kerberos authentication between ADS <-> our Samba afs
gateway.
i think you are doing good work with your windows client, don't
misunderstand me.
it's more a preference by me, to not try to manage software on a
workstation, if you can do it central on the server.
Sven
-------------------------------------------------------------------------------------------------------------------------
Dept. A141, TG/SSG EMEA AIS Strategy and Architecture
Development Leader Stonehenge
IBM intranet ---> http://w3.ais.mainz.de.ibm.com/stonehenge/
internet ---> http://www-5.ibm.com/services/de/storage/stonehenge.html
Phone (+49)-6131-84-3151
Fax (+49)-6131-84-6708
Mobil (+49)-171-970-6664
E-Mail : oehmes@de.ibm.com
--=_alternative 006C3E71C1256F87_=
Content-Type: text/html; charset="US-ASCII"
<br><font size=2><tt><br>
> Kris Van Hees wrote:<br>
> > Actually, it is perfectly possible to have Samba get AFS tokens
the normal<br>
> > way by using PAM, and letting Samba authenticate the user through
pam. The<br>
> > Samba instance that serves that particular connection from a
Windows client<br>
> > will then have an AFS token for the user if it was able to authenticate
the<br>
> > user. This is similar to how a user can get AFS tokens
by loggingin on the<br>
> > Unix system directly.<br>
> <br>
> In which case you are sending passwords across the network. In
my <br>
> opinion this is worse. There was once a time when the Windows
OpenAFS<br>
> client was not being developed or supported where I could have justified<br>
> the notion that a Samba gateway should be used simply because the
client<br>
> was too unstable to use. This is no longer true.<br>
> <br>
> Jeffrey Altman<br>
</tt></font>
<br><font size=2><tt>we don't send password of the network !</tt></font>
<br><font size=2><tt>we authenticate the user with windows mechanism and
create a token for the user in the samba session.</tt></font>
<br><font size=2><tt>so you can use Kerberos authentication between ADS
<-> our Samba afs gateway.</tt></font>
<br>
<br><font size=2><tt>i think you are doing good work with your windows
client, don't misunderstand me. </tt></font>
<br><font size=2><tt>it's more a preference by me, to not try to manage
software on a workstation, if you can do it central on the server. </tt></font>
<br>
<br><font size=2 face="sans-serif">Sven</font>
<br><font size=2 face="sans-serif"><br>
-------------------------------------------------------------------------------------------------------------------------<br>
Dept. A141, TG/SSG EMEA AIS Strategy and Architecture<br>
Development Leader Stonehenge <br>
IBM intranet ---> http://w3.ais.mainz.de.ibm.com/stonehenge/<br>
internet ---> http://www-5.ibm.com/services/de/storage/stonehenge.html<br>
Phone (+49)-6131-84-3151<br>
Fax (+49)-6131-84-6708<br>
Mobil (+49)-171-970-6664<br>
E-Mail : oehmes@de.ibm.com</font>
<br>
--=_alternative 006C3E71C1256F87_=--