[OpenAFS] Another Doubt - LDAP and SMB

Luis Bivar Ramos lbramos@netcabo.pt
Wed, 26 May 2004 11:50:35 +0100


Hi,

Thanks for your help, and sorry, because I didn't explain myself well...

I know that they're all different services. And what I want to do is put
all of them working together, OpenAFS + LDAP and SMB + LDAP.

I think that OpenAFS and SMB don't have to work together (and they're not
made to work together either), but I have to use LDAP to "synchronize" all
the accounts on both services (SMB and OpenAFS).

My doubt was, if I could now install LDAP and use it with OpenAFS that is
already installed! Hope I don't have problems with it...

Not having to use kerberos5 is good news! This is an academic project, and
I only need the other things working, I don't need lots of security!

Is joining SMB with LDAP easy? Where can I find a manual for that? And how
do I integrate LDAP in OpenAFS now?

Once again, thanks for your help!

Luis Bivar Ramos

-----Original Message-----
From: Jason C. Wells [mailto:jcw@highperformance.net] 
Sent: quarta-feira, 26 de Maio de 2004 5:49
To: lbramos
Cc: afs
Subject: Re: [OpenAFS] Another Doubt - LDAP and SMB

On Wed, 26 May 2004, lbramos wrote:

> Hi,
>
> Now that i have afs running, is it possible to "add" LDAP and SMB?

yes, but why?  see below

> Or i have to do everything from scratch again? (please say no... :S)

no, see below

> Where can i look up for this?

many places, the edu domains are a great resource for this sort of info.

> For LDAP do i really need kerberos5? Or can i work with the original
> version that comes with afs?

no, see below.  You are confusing things.  OpenAFS does not come with
LDAP.

> Please let me know if you need more information.

You chose OpenAFS instead of SMB.  You can certainly run an SMB server on
your network if you so choose.  OpenAFS and SMB are not related. (not in
a way that matters to your question)

You can also run an LDAP server on your network.  You can also run a
Kerberos server on your network.  For LDAP, you do not need kerberos.  For
kerberos, you do not need LDAP.  However, Kerberos and LDAP can be made to
interoperate in very flexible ways.

When you say "original version" do you mean to say "use the kaserver to
authenticate users?"

Do every_what_ by scratch again?

If my answers seem cryptic it is because the questions that you are asking
relate to about 40 different possible answers that you may desire.  You
need to separate the different functionalities of the different servers
that you spoke of.  Let me clarify:

1 - OpenAFS is a distributed file system, like CIFS but way more powerful.
2 - SMB (aka CIFS) is a networked file system.
3 - Kerberos is an authentication system.
4 - LDAP is a directory protocol.  It's a glorified phone book.

The real question you are driving at is, "How can I use all of these
different protocols on my network?"  Or perhaps, "Can these different
protocols interoperate on my network?"

To address the interoperability issue I can give you some examples.  I do
not use the OpenAFS native authentication called "kaserver".  I use the
MIT Kerberos V5 server for authentication.  I have one OpenLDAP server
running on my network but it is purely experimental at this time and none
of my other systems interoperate with it.  I don't run SMB at all on my
network.

Some users store Kerberos data in an LDAP directory.  Some users might
grant access to an LDAP directory based on a proper authentication via
Kerberos.

Windows Active Directory performs both LDAP and Kerberos functions.  Based
on AD authentication, Windows SMB servers grant access to clients.

You have to first understand that each piece of software you asked about
performs a specific function.  Do you need that specific function on your
network?

Making all of this stuff interoperate is not a task for the faint-hearted.
It is extremely difficult.  It requires a pretty good understanding of
each individual component before you can really start making things
interoperate in a way that is useful to you.

Later,
Jason C. Wells
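The "SMB + LDAP" half of the question above (Luis asks where to find a manual for joining SMB with LDAP) is the one piece that is a fairly standard configuration, so here is an added example of what it looks like on the Samba side. This is not configuration from the thread or from either poster; it is a Samba 3 style smb.conf fragment using the ldapsam passdb backend, and every hostname, DN and suffix in it is an assumed placeholder. It assumes the directory already carries the Samba schema (the sambaSamAccount object class) and that the OU names match what was created in the directory.

```ini
; Added example smb.conf fragment (not from the original thread).
; Samba keeps its account data (sambaSamAccount entries) in the LDAP
; directory instead of in a local smbpasswd/tdbsam file.
[global]
   workgroup = EXAMPLE                     ; assumed name
   security = user

   ; Use the LDAP directory as the account database.
   ; ldap.example.org is a placeholder hostname.
   passdb backend = ldapsam:ldap://ldap.example.org

   ; Where Samba looks for users, groups and machine accounts.
   ; All DNs below are assumed values for this example.
   ldap suffix = dc=example,dc=org
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers

   ; The DN Samba binds as when it writes to the directory.
   ; Its password is NOT put in this file; it is stored in secrets.tdb
   ; with "smbpasswd -w <password>", so protect secrets.tdb like a key file.
   ldap admin dn = cn=Manager,dc=example,dc=org

   ; Keep the bind credentials and account hashes off the wire in clear text.
   ldap ssl = start tls

   ; When a user changes their SMB password, also update the LDAP
   ; userPassword attribute so the other LDAP-backed services stay in sync.
   ldap passwd sync = yes
```

Two points worth keeping in mind when reading this next to the reply above. First, this only gives SMB its accounts from LDAP; it does nothing for OpenAFS, which still authenticates via kaserver or Kerberos, which is exactly the "LDAP is a directory, not an authentication system" distinction Jason draws. Second, `ldap ssl = start tls` and the secrets.tdb handling are the parts that matter for security: the admin DN can rewrite every account entry, so its password and the channel it travels over deserve the same care as any other administrative credential.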