[OpenAFS] afs and samba

George Mamalakis mamalos@eng.auth.gr
Mon, 30 Mar 2009 20:23:16 +0300

Hello everybody,

in our department, we have decided to move our configuration from 
NFS/SAMBA to LDAP, OpenAFS, heimdal and samba on our labs. Our servers 
run FreeBSD, while our clients are dual boot machines, running linux and 
Windows XP. The book "Distributed services with openafs" has been a 
great aid to our venture, but there is a big thing that needs to be 
resolved, that the aforementioned book seems to not be able to cover.

Heimdal, OpenAFS and LDAP worked (after long hours of testing and 
debugging) like a charm, which means that users are now able to login on 
linux boxes using their kerberos credentials (through pam), retrieve all 
needed information (nsswitch) from ldap, and have their home folders 
stored in afs space.

Samba, on the other hand, seems much more difficult to configure. The 
book takes an approach of the following concept: All machine/user/group 
information is stored on the LDAP server and Samba is configured to 
function via LDAP (OpenLDAP, of course). Users are required to join the 
Samba domain, and access their home folders/profiles via the Samba 
server. Since authentication/authorization is completely left to samba, 
there is no direct communication of the user with the KDC (or afs 
whatsoever). For users to access their folders and profiles, samba has 
to become a kerberos/afs client with all needed privileges to perform 
its actions. Therefore, instead of storing files in our ufs filesystem, 
samba stores them in afs space. I will not delve into more details, 
since the problem starts quite soon.

User homedirs are located in /afs/mydomain/users/<userdirs>. Machines 
join our domain without any problems. A user "windows" along with its 
principal have been created in the samba machine and the KDC 
respectively. The same user has been created in the afs server as well, 
and that users has all (afs) permissions granted on the users' home 
directories (via acls).  On the samba server,  after /afs has been 
mounted, user windows is able to access everything as should, once I 
"kinit windows" and then "afslog mydomain". So, I changed samba's rc 
script so as to "kinit windows" and then obtain the afs token through 
"afslog mydomain". The first problem was that when I first connected 
with my testuser on samba through smbclient, samba refused to give me 
any sort of access on my home folder. After setting "fs setacl 
/afs/mydomain/users/testuser system:anyone all", I was able to connect 
with smbclient, and when I created a directory, the directory's owner 
was 32766, which stands of course for system:anyone..

I have changed my samba rc script so that once samba gets started, the 
script touches a file in /afs/mydomain/users/testuser. The file's owner 
is "windows" indeed!

I don't understand why this happens. I suppose that once the samba 
processes (smbd, nmbd) have been forked by the rc script, for some 
reason that I miss, tokens are not "passed" to them, and hence the 
problem exists.

The book describes this procedure through the use of MIT Kerberos 
implementation and not heimdal. In this case, "aklog -setpag" may 
probably result to something different than afslog...I really don't know.

In any case, does anybody know how one may resolve this issue? And if 
not, is there an alternate way to configure my systems?

Thank you all for your time in advance, and I hope that somebody will help

George Mamalakis

IT Officer
Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
MSc (Imperial College of London)

Department of Electrical and Computer Engineering
Faculty of Engineering
Aristotle University of Thessaloniki

phone number : +30 (2310) 994379