[OpenAFS] status of samba serving AFS file space? other non-native windows access?

Jeffrey Altman jaltman@secure-endpoints.com
Tue, 17 Oct 2006 17:02:47 -0400


Volker Lendecke wrote:

> And, Samba can nowadays be configured to accept Kerberos
> tickets even without being an ADS member, but Windows
> clients will not appreciate this. But that's just Windows.

This discussion is specifically related to Windows client access to
AFS.  Since Windows CIFS clients won't talk Kerberos to Samba, if you
want to authenticate the users against the Kerberos database, you must
configure the Windows clients to send username and password in the
clear so that Samba can perform the equivalent of a kinit operation.

>> Kerberos password in the clear is not a desirable solution.  This may be
>> improved with Vista clients since Vista will negotiate TLS first and
>> then perform the SMB authentication on top of that.  Even if you are
> 
> Wait a second -- Vista will do TLS-protected SMB? Where can
> I read more about this, this sounds VERY interesting. I've
> never heard of that!

I don't know where you can read about it but it is in fact true.
The reason it took so long to get OpenAFS for Windows to work on
Vista was because of the TLS support.  Every Vista workstation, whether
part of a domain or not, is given an X.509 server certificate which
is used to protect the File and Print Sharing, Remote Desktop, IIS, and
other remote services.

Jeffrey Altman