[OpenAFS] Windows client options
omalleys@msu.edu
Mon, 20 Dec 2010 08:55:31 -0500
Quoting Jaap Winius <jwinius@umrk.nl>:
> Quoting omalleys@msu.edu:
>
>> You might be able to use pGina, which is a Windows login screen replacement.
>>
>> There was someone working on a Kerberos plugin for it. I am not
>> sure how far they got. (I haven't tried the 2.x series) I do know I
>> had openldap (with failover) working with it via a sasl-pam mech.
>> I didn't get the Kerberos plugin working but that was in the 1.6.x
>> or 1.8.x series. ) ...
>
>> Here is what I found for the pGina krb5 plugin:
>> http://pages.cs.wisc.edu/~timc/pgina/
>
> Although it would not be as ideal as Samba4 with a working AD domain
> controller, pGina sounds like a great alternative. However, since
> I'm using Windows XP only, that means I would still be restricted to
> the last version of pGina 1.x: v1.8.8 from December the 6th, 2006.
> See these pGina pages:
> http://www.pgina.org/index.php/Main_Page
> http://www.pgina.org/index.php/PGina_1.x_Downloads
>
> In addition, judging from the contents of the link you supplied,
> timc meant his plugin to work with pGina 2.x, and he hasn't updated
> his plugin since October the 6th, 2008.
>
> Therefore, I'm going to conclude that pGina v1.8.8 does not support
> Kerberos out of the box, or else timc would not have bothered, and
> that his plugin will not work with it either, just as you discovered
> for yourself earlier. Pity.

I didn't get to spend a lot of time on it; by the time I got to try
it, they had already killed the project. IIRC I never even got a krb5
ticket with the MIT KfW 3.2.2.

> Thanks anyway, though. If, in lieu of Samba4, a Vista machine, or a
> more modern Windows client, appears on any of my
> Kerberos/OpenLDAP/OpenAFS networks, then I will certainly remember
> to give your solution a try!

Samba4 says it already supports 'Active Directory' logon and
administration protocols. Since they started with auth, I am guessing
that part is fairly stable. The whole suite for sure isn't production
ready.

If you do try it, grab it out of the git repo; they have a tendency
not to push out release tarballs and not to update the documentation. :)