[OpenAFS] New "B" question: Samba versus AFS.

Charles Clancy security@xauth.net
Mon, 2 Dec 2002 11:45:40 -0600 (CST)


> > IMHO, Samba should only be used sparingly, for clients who absolutely
> > can't run the OpenAFS client.  If all your clients are Windows machines
> > and you don't want to run the OpenAFS client, you might as well just set
> > up an Active Directory server and stick with a pure Microsoft environment.
>
> forgetting Samba advantages:
> 1) client software for winblows is already there -- you don't need to
> add any software
> 2) Samba plays well in existing MS-controlled environments with domain
> style accounts
> 3) Samba has file locking!!! something AFS can't and won't do
> 4) Samba is a more secure server than a Microsoft server -- you can run
> Samba under its own uid/gid, you can run it jailed and chrooted if on BSD,
> you can allow/deny specific networks -- and most important
> 5) the configuration is transparent, ie it is well documented, in plain
> text, and the code has been peer reviewed (something you will never get
> with non-open-source software)
> 6) Samba plays well in the Unix realm -- as an add-on application -- if
> you already know Unix, Samba is just another app... not a whole new OS.
> 7) we can fight over security issues but Samba IS secure when set up that
> way, ie to use NT password hashes only instead of LanMan -- (Kerberos is
> probably a better authentication mechanism, but NT hashing is still okay
> -- the chance that you'll have a poor password is greater than that of
> cracking an NT hash)

... but #2, #3, and #7 don't apply to using it as an OpenAFS translator, and #4,
#5, and #6 are reasons to use it over a Microsoft PDC, not over OpenAFS.

When Samba is doing AFS<->SMB translation, the file locking is gone
(because the local AFS client actually accessing the files can't do it),
it must use unencrypted passwords, and it can't be configured as a PDC
because of the unencrypted passwords.  The only advantage left is not
having to install the OpenAFS client in the first place.

The argument for better/worse than a plain-old Microsoft server is a bit
more complicated.  Certainly points 4-6 are valid for comparison to an NT4
PDC.  However, there are many more features and much more security functionality in
an ADS realm on Win2K that I doubt Samba will support for some time.

[ t charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]