[OpenAFS] Evaluating OpenAFS: Questions

Kris Van Hees aedil-afs@alchar.org
Wed, 12 Jan 2005 14:29:02 -0500


On Wed, Jan 12, 2005 at 02:13:11PM -0500, Jeffrey Altman wrote:
> Sven Oehme wrote:
> >why ?
> >if the Samba Server understands AFS, this is something you want, 
> >because you don't have to maintain an AFS client on each System  ...
> 
> First, the Samba server then needs to know the Kerberos key for AFS
> in order to be able to generate tokens on behalf of the authenticated
> end user.  Since the Samba server is on a machine which is to be 
> considered more vulnerable to attack than the KDC, this should not be
> allowed.

Actually, it is perfectly possible to have Samba get AFS tokens the normal
way by using PAM, and letting Samba authenticate the user through PAM.  The
Samba instance that serves that particular connection from a Windows client
will then have an AFS token for the user if it was able to authenticate the
user.  This is similar to how a user can get AFS tokens by logging in on the
Unix system directly.

> Second, Samba supports SMB features such as byte range locking and
> Unicode which are currently not supported by AFS file servers.
> Clients will rely on the fact that the SMB server states that these
> features are supported and expect them to work when the reality is
> they cannot.

The feature mapping between Samba and AFS is indeed the big problem in the
long run.  And although it is technically possible to resolve most (if not
all) of that, it is far from trivial.

	Kris