[OpenAFS] Windows client options

omalleys@msu.edu omalleys@msu.edu
Sun, 19 Dec 2010 20:27:43 -0500


Here is what I found for the pgina krb5 plugin:
http://pages.cs.wisc.edu/~timc/pgina/



Quoting omalleys@msu.edu:

> You might be able to use pgina, which is a Windows login screen replacement.
>
> There was someone working on a Kerberos plugin for it. I am not sure
> how far they got. (I haven't tried the 2.x series.) I do know I had
> OpenLDAP (with failover) working with it via a sasl-pam mech. I
> didn't get the Kerberos plugin working, but that was in the 1.6.x or
> 1.8.x series. The Kerberos plugin I saw was from U Wisconsin. I
> have a link for it if you want, if it isn't included in the pgina
> distribution already.
>
> If you want more fine-grained control, you can actually do
> "chaining" so you auth against both or either, i.e. the user has to
> exist in both places or a user has to exist in either place. It makes
> sense if you only want, say, a few of your few hundred users to
> log in to that particular workstation, or a user only has to exist in
> either place so you can add users without giving them AFS space, like
> a visitor.
>
> If you really want to run AD then I would probably try Samba 4.x (I
> don't think they backported the AD server portion to the 3.x series)
> first, since you are an open source project.
>
> Quoting Jaap Winius <jwinius@umrk.nl>:
>
>> Hi folks,
>>
>> So far, I've been able to get Linux clients to work perfectly with  
>> my MIT Kerberos V / OpenLDAP / OpenAFS servers. No need to create  
>> any local accounts: anyone with a network account can login to any  
>> workstation and none of their personal files are stored locally.
>>
>> I hope I'm wrong, but the same doesn't seem to be possible with  
>> Windows clients. I've been experimenting with a WinXP (SP3) Pro  
>> test machine running Kerberos for Windows 3.2.2 and OpenAFS for  
>> Windows 1.5.7800. It seems to work fine, as I can authenticate and  
>> access all of my files on the network. However, I still have to  
>> start by logging in to a local Windows account.
>>
>> Is it possible to configure a Windows XP client for single-sign-on,  
>> so that locally no pre-existing account or knowledge of any users  
>> is required? If so, can it also be set up so that the user's home  
>> directories are stored in OpenAFS?
>>
>> Thanks,
>>
>> Jaap
>> _______________________________________________
>> OpenAFS-info mailing list
>> OpenAFS-info@openafs.org
>> https://lists.openafs.org/mailman/listinfo/openafs-info
>>
>
>
>
> -- 
> "The information in this email, and attachment(s) thereto, is  
> strictly confidential and may be legally privileged. It is intended  
> solely for the named recipient(s), and access to this e-mail, or any  
> attachment(s) thereto, by anyone else is unauthorized. Violations  
> hereof may result in legal actions. Any attachment(s) to this e-mail  
> have been checked for viruses, but please rely on your own  
> virus-checker and procedures. If you contact us by e-mail, we will  
> store your name and address to facilitate communications in the  
> matter concerned. If you do not consent to us storing your name and  
> address for above stated purpose, please notify the sender promptly.  
> Also, if you are not the intended recipient please inform the sender  
> by replying to this transmission, and delete the e-mail, its  
> attachment(s), and any copies of it without, disclosing it."
>
>


