[OpenAFS] Evaluating AFS for in house use, RFCs...

Volker Lendecke Volker.Lendecke@SerNet.DE
Thu, 2 Feb 2006 23:25:32 +0100

On Thu, Feb 02, 2006 at 05:14:46PM -0500, Gordon Bowersox wrote:
> Any hidden gotchas on my path?  Any obvious mistakes on my part?

The main gotcha in this picture is that even with an AD environment you cannot
rely on the XP workstation always sending you a Kerberos token. If you connect
to the server via any alias that is not in the AD's servicePrincipalName list
for that machine, it will immediately fall back to NTLM. Connecting to an IP
address counts as this.

There is a service that _should_ make it possible for Samba to acquire an AFS
krb5 and then, via krb524d, a krb4 ticket given only the NTLM credentials, but
this is not done yet. The only way around this I am aware of right now is the
fake-kaserver option, but this kind of defeats the AFS model of security;
essentially you have to trust root on the Samba servers.

I'd be happy to be proven wrong, but I'm not aware of a solution for the
"missing krb5 ticket" problem of Samba servers on AFS clients.

Volker
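To make the SPN gotcha concrete, here is a small audit script (added here; it is not Samba code and was not part of the original post) that takes the names users actually connect with and the servicePrincipalName entries registered for the machine account, and reports which names will get a Kerberos ticket and which will fall back to NTLM. The SPN list and alias list are constructed samples; in practice you would pull the SPNs from AD for the Samba machine account.

```python
"""Which connection names to a Samba file server yield Kerberos, which fall
back to NTLM (added illustration; the data below is constructed)."""
import ipaddress

# Constructed sample: SPNs registered on the Samba machine account in AD.
SAMPLE_SPNS = [
    "cifs/samba1.corp.example",
    "cifs/samba1",
    "HOST/samba1.corp.example",
    "HOST/samba1",
]

# Constructed sample: names users type into \\name\share paths.
# 'files.corp.example' is a DNS alias that nobody registered as an SPN.
SAMPLE_ALIASES = ["samba1", "samba1.corp.example", "files.corp.example", "10.0.0.5"]


def parse_spn(spn):
    """Split 'class/host[:port]' into (class, host, port), case-folded."""
    service, _, rest = spn.partition("/")
    host, _, port = rest.partition(":")
    return service.lower(), host.lower().rstrip("."), port or None


def kerberos_hosts(spns):
    """Hostnames for which the KDC can issue a cifs service ticket.

    An SMB client requests cifs/<name>; AD's default sPNMappings also map the
    generic HOST/<name> class onto cifs, so either registration suffices.
    """
    return {host for service, host, _ in map(parse_spn, spns)
            if service in ("cifs", "host")}


def is_ip_literal(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def expected_auth(target, spns):
    """'Kerberos' if the client can obtain a ticket for this name, else 'NTLM'."""
    if is_ip_literal(target):  # bare address: client does not request a ticket
        return "NTLM"
    return "Kerberos" if target.lower().rstrip(".") in kerberos_hosts(spns) else "NTLM"


def audit(aliases, spns):
    """Map every connection name to the auth method the client will end up using."""
    return {alias: expected_auth(alias, spns) for alias in aliases}


if __name__ == "__main__":
    for alias, method in audit(SAMPLE_ALIASES, SAMPLE_SPNS).items():
        print(f"{alias:25} -> {method}")
```

Any alias reported as NTLM is a name whose users silently lose the Kerberos path (and with it any AFS token derived from it), so it either needs an SPN registered or should be taken out of circulation.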