[OpenAFS] status of samba serving AFS file space? other non-native windows access?

Volker Lendecke Volker.Lendecke@SerNet.DE
Tue, 17 Oct 2006 22:39:51 +0200

On Mon, Oct 16, 2006 at 05:05:20PM -0400, Jeffrey Altman wrote:
> In answer to your question regarding Samba.  There are several sites
> that I work with who have used Samba as a gateway for users on MacOS X
> and Windows that do not have AFS clients installed.  The number one
> issue that they complain about is the fact that in order to use the
> --fake-kaserver functionality in conjunction with either a Kerberos
> KDC authentication or an LDAP authentication, the clients have to be
> configured to send username/password in the clear.  Sending the user's

Hmmmm. I don't understand what you are saying here.
--fake-kaserver was explicitly written to not force plain
text passwords sent from the clients. This is certainly
traded for having the server keyfile stored on the Samba

Samba itself does have all capabilities of making
authentication as secure as Windows gets. If you mean by
"ldap authentication" that Samba should do a simple bind to
an LDAP server to figure out if a user has his pw correct,
then sure, you need plain text passwords to be sent by the
clients. But this is an entirely orthogonal issue to the
--fake-kaserver thing.

And, Samba can nowadays be configured to accept Kerberos
tickets even without being an ADS member, but Windows
clients will not appreciate this. But that's just Windows.

> Kerberos password in the clear is not a desirable solution.  This may be
> improved with Vista clients since Vista will negotiate TLS first and
> then perform the SMB authentication on top of that.   Even if you are

Wait a second -- Vista will do TLS-protected SMB? Where can
I read more about this, this sounds VERY interesting. I've
never heard of that!

