[OpenAFS] SMB AFS Gateway

Cameron, Frank cameron@ctc.com
Thu, 31 May 2001 16:46:28 -0400


> what sort of gateway? are you looking to just serve stuff anonymously?
> since you're playing with passwords, I assume you need more access
> controls. Can you use an IP acl to allow the samba server to access
> certain directories, and serve them anonymously? 
	Access to AFS space with just the standard Microsoft network client
	without losing the existing AFS access controls.

> I think you just lose. you might be able to do something with ksamba,
> but I have no idea how maintained or current it
> is. (http://rsug.itd.umich.edu/software/ksamba.html)
	Kevin Coffman gave me a heads-up on ksamba; I have it downloaded
	and plan to take a look at it.

> I'd also be concerned that samba may not keep different ticket files
> and PAGs for each user's session.
	I have to do more testing; but, it looks like samba is keeping
	different sessions separated.  The PAM module I'm using is supposed
	to properly handle PAGs (not that I've looked closely at the source
	to verify that it does; or, that I would know what to look for if
	it didn't).  Samba does include a --with-afs option to handle
	authenticating to AFS; but, I did not have all of the extra files
	it was looking for (specifically stds.h and kautils.h, at least).
	I've seen mention of using PAM on a few mailing lists, so I decided
	to try that route.

> just using the windows openafs client would be simpler.
	So far we've rolled-out the IBM 3.6 client to about 90% of the
	Windows machines at our main location.  We have had several technical
	problems and still have a few unresolved with certain workstations.
	And, we have had some problems with the AFS Gateways for our 9x
	clients running out of virtual memory (afsd_service.exe gradually
	consumes it all); we're working around that by scheduling nightly
	reboots of the gateways.  And we have some political infighting over
	the AFS system in general, and access for our other sites is one
	particular fighting ground (one main anti-AFS argument is that
	installing and supporting the client installations at the remote
	offices is too much to handle).  But mostly, I wanted to try this
	out for recreational purposes.

Thanks for your reply.

-frank