[OpenAFS] status of samba serving AFS file space? other non-native windows access?

Volker Lendecke Volker.Lendecke@SerNet.DE
Wed, 18 Oct 2006 08:19:03 +0200

Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Oct 17, 2006 at 05:02:47PM -0400, Jeffrey Altman wrote:
> > And, Samba can nowadays be configured to accept kerberos
> > tickets even without being an ADS member, but Windows
> > clients will not appreciate this. But that's just Windows.
> This discussion is specifically related to Windows client access to
> AFS.  Since Windows CIFS clients won't talk Kerberos to Samba if you
> want to authenticate the users against the Kerberos database you must
> configure the Windows clients to send username and password in the
> clear so that Samba can perform the equivalent of a kinit operation.

Ok, sorry, then I just misunderstood you. I thought you were
talking about the --fake-kaserver option of Samba instead of
the --with-afs option which indeed requires plain text
passwords from the clients.

> I don't know where you can read about it but it is in fact true.
> The reason it took so long to get OpenAFS for Windows to work on
> Vista was because of the TLS support.  Every Vista workstation whether
> part of a domain or not is given an X.509 server certificate which
> is used to protect the File and Print Sharing, Remote Desktop, IIS, and
> other remote services.

Really interesting. Do you have a sniff of such a connection
you could share with us? I would like to know how Vista
would start negotiating TLS encrypted SMB connections.

Also CC'ing samba-technical@samba.org, I'm sure that the
Samba community would love to see Windows finally doing SMB
bulk encryption properly.



Content-Type: application/pgp-signature
Content-Disposition: inline

Version: GnuPG v1.4.2 (GNU/Linux)