[OpenAFS] ADS and Samba + OpenAFS
Eric Chris Garrison
ecgarris@iupui.edu
Fri, 24 Jul 2009 11:32:34 -0400
So, my cell's conversion to the ADS realm continues to have snags.
We solved one... we have sftp access to the AFS area using PAM and the
pam_krb5 module. As it turns out, we had to add both "no_krb4_use_as_req"
and "no_krb4_convert_524" arguments to this, for both session and auth, in
order to make it work.
We also got mod_waklog to work pretty much as it did on the MIT Kerberos
system.
However, when trying to get Samba to work on top of AFS, we're having
problems getting a valid AFS token. We're running OpenAFS 1.4.11 and
Samba version 3.0.33 on RHEL4. In the past, recompiling Samba with
--with-fake-kaserver has worked great, but with the change of having ADS,
the fake-kaserver is not working.
With logging set to 10 (too bad there's not an "11", hmm?), Samba shows
the following as evidence of not getting a token:
----------------
[2009/07/22 16:55:13, 5] smbd/uid.c:change_to_user(273)
change_to_user uid=(37302,37302) gid=(0,37302)
[2009/07/22 16:55:13, 10] lib/afs.c:afs_login(251)
Trying to log into AFS for user ecgarris@afstest.iu.edu
[2009/07/22 16:55:13, 10] lib/afs.c:afs_encode_token(65)
Got ticket string:
afstest.iu.edu
8
mjeIXRYCQ0Y=
37302
1248296113
1248900913
BA7gMPPHnYu3/m1Ky+vhUVbN3kdlHmxo9RsBt4Hby0dBnH5d72vX2o3RiWn1549x
[2009/07/22 16:55:13, 10] lib/afs_settoken.c:afs_settoken(207)
afs VIOCSETTOK returned -1
----------------
I can log in with smbclient, but without tokens, I get this:
ecgarris@moria:~$ smbclient //rufus2.uits.iupui.edu/ecgarris -U ADS\\ecgarris
Password:
Domain=[ADS] OS=[Unix] Server=[Samba 3.0.33-0.17]
smb: \> ls
NT_STATUS_NETWORK_ACCESS_DENIED listing \*
0 blocks of size 0. 61680 blocks available
In smb.conf, I've made sure that the realm and cell are specified:
-----------
security = ADS
password server = ads.iu.edu
client ntlmv2 auth = yes
client lanman auth = no
realm = ADS.IU.EDU
afs username map = %u@afstest.iu.edu
afs token lifetime = 604800
----------
My suspicion is that the fake-kaserver is suffering from the same problem
we had initially with PAM... it's somehow trying to convert a krb5 ticket
to a krb4 one (or really does need to) and while the MIT Kerberos server
does have a 524 facility, the ADS kerberos server does not.
Any ideas?
Thanks yet again!
Chris
--
Eric Chris Garrison | Principal Mass Storage Specialist
ecgarris@iupui.edu | Indiana University - Research Storage
W: 317-278-1207 M: 317-250-8649 | Jabber IM: ecgarris@iupui.edu
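An added example, not part of the post above and not code from Samba or OpenAFS: a small parser for the token string that Samba's debug log prints just before VIOCSETTOK, with the sanity checks one would run on it before blaming the kernel cache manager. The field order (cell, kvno, base64 session key, ViceId, begin time, end time, base64 ticket) is an assumption read off the seven logged lines; the sample input is the token string copied from the post, and the constants 37302 and 604800 are the uid and the "afs token lifetime" from the posted log and smb.conf.

```python
import base64
from dataclasses import dataclass

# Token string as printed by the afs_encode_token debug line in the post.
# Field order assumed: cell, kvno, base64(session key), ViceId, begin, end, base64(ticket).
SAMPLE_TOKEN_STRING = """afstest.iu.edu
8
mjeIXRYCQ0Y=
37302
1248296113
1248900913
BA7gMPPHnYu3/m1Ky+vhUVbN3kdlHmxo9RsBt4Hby0dBnH5d72vX2o3RiWn1549x
"""

DES_KEY_LEN = 8                    # rxkad tokens carry a single-DES session key
POSTED_UID = 37302                 # uid from the change_to_user log line
POSTED_TOKEN_LIFETIME = 604800     # 'afs token lifetime' from the posted smb.conf


@dataclass
class AfsToken:
    cell: str
    kvno: int
    session_key: bytes
    viceid: int
    begin: int
    end: int
    ticket: bytes

    @property
    def lifetime(self) -> int:
        return self.end - self.begin


def parse_token_string(text: str) -> AfsToken:
    """Split the seven newline-separated fields and decode the two base64 blobs."""
    lines = text.strip().split("\n")
    if len(lines) != 7:
        raise ValueError(f"expected 7 fields, got {len(lines)}")
    cell, kvno, key_b64, viceid, begin, end, ticket_b64 = lines
    return AfsToken(
        cell=cell,
        kvno=int(kvno),
        session_key=base64.b64decode(key_b64, validate=True),
        viceid=int(viceid),
        begin=int(begin),
        end=int(end),
        ticket=base64.b64decode(ticket_b64, validate=True),
    )


def check_token(tok: AfsToken, expected_uid: int, expected_lifetime: int) -> list[str]:
    """Return a list of problems; an empty list means the encoded token looks well-formed."""
    problems = []
    if len(tok.session_key) != DES_KEY_LEN:
        problems.append(f"session key is {len(tok.session_key)} bytes, expected {DES_KEY_LEN} (single DES)")
    if tok.viceid != expected_uid:
        problems.append(f"ViceId {tok.viceid} does not match uid {expected_uid}")
    if tok.end <= tok.begin:
        problems.append("token end time is not after its begin time")
    elif tok.lifetime != expected_lifetime:
        problems.append(f"lifetime {tok.lifetime}s does not match configured {expected_lifetime}s")
    if not tok.ticket:
        problems.append("ticket blob is empty")
    return problems


if __name__ == "__main__":
    token = parse_token_string(SAMPLE_TOKEN_STRING)
    print(f"cell={token.cell} kvno={token.kvno} viceid={token.viceid} "
          f"key={len(token.session_key)}B ticket={len(token.ticket)}B lifetime={token.lifetime}s")
    for p in check_token(token, POSTED_UID, POSTED_TOKEN_LIFETIME):
        print("problem:", p)
```

On the posted string every check passes (8-byte key, ViceId equal to the uid, a 7-day lifetime matching smb.conf, a 48-byte ticket), which is consistent with the encoding step succeeding and the -1 coming back only from the VIOCSETTOK ioctl itself.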