[OpenAFS-devel] How can this happen, and how can I fix it...

Robertson, Jason V jason.v.robertson@intel.com
Thu, 28 Jun 2001 09:30:51 -0700


I'd definitely be willing to share it, but I'd have to get permission from
my employer.

Initial login is done through standard NT authentication through a resource
domain.

Jason

-----Original Message-----
From: Neulinger, Nathan [mailto:nneul@umr.edu]
Sent: Thursday, June 28, 2001 9:13 AM
To: 'Robertson, Jason V'
Cc: 'openafs-devel@openafs.org'
Subject: RE: [OpenAFS-devel] How can this happen, and how can I fix it...


Sounds like a good way of doing things. Are you planning on sharing your
changes?

How do you manage the initial login? Or do you let anyone connect
anonymously initially?

-- Nathan

> -----Original Message-----
> From: Robertson, Jason V [mailto:jason.v.robertson@intel.com]
> Sent: Thursday, June 28, 2001 11:10 AM
> To: 'Nathan Neulinger'; Robertson, Jason V
> Cc: 'openafs-devel@openafs.org'
> Subject: RE: [OpenAFS-devel] How can this happen, and how can I fix it...
> 
> 
> Nathan - the server sends the client an RSA public key - the client encrypts
> the password with the public key and sends it to the server, which then
> decrypts it.  There is a trust issue, but in this environment that's not a
> problem.  So we just have the server generate the RSA keypair at startup.  I
> used the OpenSSL library for this.
> 
> Jason
> 
> -----Original Message-----
> From: Nathan Neulinger [mailto:nneul@umr.edu]
> Sent: Wednesday, June 27, 2001 5:39 PM
> To: Robertson, Jason V
> Cc: 'openafs-devel@openafs.org'
> Subject: Re: [OpenAFS-devel] How can this happen, and how can I fix it...
> 
> 
> "Robertson, Jason V" wrote:
> > I've written an RPC service extension to Samba that allows you to klog
> > through a GUI interface from Windows.  It works fine, but for one odd quirk
> > - WTS machines use one process, so users seem to be able to "see" (_but_!!
> > not use !!) other users' tokens.
> 
> I assume you are doing klog/krb stuff alongside the samba connection so
> that the plaintext password or token is not passed cleartext over the
> samba connection? If so, how are you authenticating the initial samba
> connection, and what mechanism are you using to transmit the
> token/ticket? If you're just sending the ticket directly over RPC that
> really isn't gaining you much over sending the password clear.
> 
> -- Nathan
> 
> ------------------------------------------------------------
> Nathan Neulinger                       EMail:  nneul@umr.edu
> University of Missouri - Rolla         Phone: (573) 341-4841
> CIS - Systems Programming                Fax: (573) 341-4216
>
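
The exchange described in the thread (server generates an RSA keypair at startup, client encrypts the password to the public key it is sent), as an added example that is not code from the original posts or from OpenAFS/Samba. It uses the Python `cryptography` package rather than the OpenSSL C API mentioned in the thread; the class and function names, the OAEP padding and the out-of-band fingerprint pin are assumptions made here to show the trust issue and one way a client can check the key.

```python
import hashlib
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Assumption: OAEP padding; the thread does not say which padding was used.
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)

class Server:
    """Hypothetical server side: RSA keypair generated at startup."""

    def __init__(self):
        self._key = rsa.generate_private_key(public_exponent=65537, key_size=2048)

    def public_key_der(self):
        # The bytes sent to the client at the start of the exchange.
        return self._key.public_key().public_bytes(
            serialization.Encoding.DER,
            serialization.PublicFormat.SubjectPublicKeyInfo)

    def receive(self, blob):
        return self._key.decrypt(blob, OAEP)

def fingerprint(der):
    return hashlib.sha256(der).hexdigest()

def client_send(password, offered_der, pinned_fp=None):
    """Encrypt password to the offered key; refuse if a pin is set and differs."""
    if pinned_fp is not None and fingerprint(offered_der) != pinned_fp:
        raise ValueError("offered key does not match pinned fingerprint")
    pub = serialization.load_der_public_key(offered_der)
    return pub.encrypt(password, OAEP)

def demo():
    server, unexpected = Server(), Server()
    pin = fingerprint(server.public_key_der())  # assumed delivered out of band
    pw = b"constructed-pw"  # constructed sample value
    ok = server.receive(client_send(pw, server.public_key_der(), pin))
    # Without a pin the client encrypts to whatever key it is handed.
    leaked = unexpected.receive(client_send(pw, unexpected.public_key_der()))
    try:
        client_send(pw, unexpected.public_key_der(), pin)
        refused = False
    except ValueError:
        refused = True
    return ok, leaked, refused

if __name__ == "__main__":
    print(demo())
```

Because the keypair is regenerated at every server start, the pinned fingerprint changes with it and has to be redistributed over a channel the client already trusts.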