[OpenAFS] SMB AFS Gateway

Brandon S. Allbery KF8NH allbery@ece.cmu.edu
Thu, 31 May 2001 17:30:54 -0400

On Thursday, May 31, 2001 16:46:28 -0400, "Cameron, Frank" 
<cameron@ctc.com> wrote:
| > what sort of gateway? are you looking to just serve stuff anonymously?
| > since you're playing with passwords, I assume you need more access
| > controls. Can you use an IP acl to allow the samba server to access
| > certain directories, and serve them anonymously?
| 	Access to AFS space with just the standard Microsoft network client
| 	without losing the existing AFS access controls.
| > I think you just lose. you might be able to do something with ksamba,
| > but I have no idea how maintained or current it
| > is. (http://rsug.itd.umich.edu/software/ksamba.html)
| 	Kevin Coffman gave me a heads-up on ksamba; I have it downloaded
| 	and plan to take a look at it.
| > I'd also be concerend that samba may not keep different ticket files
| > and PAGs for each user's session.
| 	I have to do more testing; but, it looks like samba is keeping
| 	different sessions seperated.  The PAM module I'm using is supposed
| 	to properly handle PAGs (not that I've looked closely at the source
| 	to verify that it does; or, that I would know what to look for if
| 	it didn't).  Samba does include a --with-afs option to handle
| 	authenticating to AFS; but, I did not have all of the extra files
| 	it was lookin for (specifically stds.h and kautils.h, at least).
| 	I've seen mention of using PAM on a few mailing lists, so I decided
| 	to try that route.

Samba mostly does the right thing, but it can't if you use encrypted (LM or 
NT) hashes instead of plaintext passwords.  I'm currently adding srvtab 
support to Samba 2.2.0 to allow this to work transparently; while this is 
somewhat annoying, I've already had to do the same thing to make recent 
netatalk work nicely with AFS when using ASIP and the encrypted password 

brandon s. allbery     [os/2][linux][solaris][japh]   allbery@kf8nh.apk.net
system administrator        [WAY too many hats]         allbery@ece.cmu.edu
electrical and computer engineering                                   KF8NH
carnegie mellon university     ["better check the oblivious first" -ke6sls]