[OpenAFS] Another Doubt - LDAP and SMB

Jason C. Wells jcw@highperformance.net
Tue, 25 May 2004 21:48:35 -0700 (PDT)


On Wed, 26 May 2004, lbramos wrote:

> Hi,
>
> Now that I have afs running, is it possible to "add" LDAP and SMB?

yes, but why?  see below

> Or do I have to do everything from scratch again? (please say no... :S)

no, see below

> Where can I look this up?

many places, the edu domains are a great resource for this sort of info.

> For LDAP do I really need kerberos5? Or can I work with the original
> version that comes with afs?

no, see below.  You are confusing things.  OpenAFS does not come with
LDAP.

> Please let me know if you need more information.

You choose OpenAFS instead of SMB.  You can certainly run an SMB server on
your network if you so choose.  OpenAFS and SMB are not related. (not in
a way that matters to your question)

You can also run an LDAP server on your network.  You can also run a
Kerberos server on your network.  For LDAP, you do not need kerberos.  For
kerberos, you do not need LDAP.  However, Kerberos and LDAP can be made to
interoperate in very flexible ways.

When you say "original version" do you mean to say "use the kaserver to
authenticate users?"

Do every_what_ by scratch again?

If my answers seem cryptic it is because the questions that you are asking
relate to about 40 different possible answers that you may desire.  You
need to separate the different functionalities of the different servers
that you spoke of.  Let me clarify:

1 - OpenAFS is a distributed file system, like CIFS but way more powerful.
2 - SMB (aka CIFS) is a networked file system.
3 - Kerberos is an authentication system.
4 - LDAP is a directory protocol.  It's a glorified phone book.

The real question you are driving at is, "How can I use all of these
different protocols on my network?"  Or perhaps, "Can these different
protocols interoperate on my network?"

To address the interoperability issue I can give you some examples.  I do
not use the OpenAFS native authentication called "kaserver".  I use the
MIT Kerberos V5 server for authentication.  I have one OpenLDAP server
running on my network but it is purely experimental at this time and none
of my other systems interoperate with it.  I don't run SMB at all on my
network.

Some users store Kerberos data in an LDAP directory.  Some users might
grant access to an LDAP directory based on a proper authentication via
Kerberos.

Windows Active Directory performs both LDAP and Kerberos functions.  Based
on AD authentication, Windows SMB servers grant access to clients.

You have to first understand that each piece of software you asked about
performs a specific function.  Do you need that specific function on your
network?

Making all of this stuff interoperate is not a task for the faint-hearted.
It is extremely difficult.  It requires a pretty good understanding of
each individual component before you can really start making things
interoperate in a way that is useful to you.

Later,
Jason C. Wells