[OpenAFS] afs and samba
Mon, 30 Mar 2009 20:23:16 +0300
in our department, we have decided to move our configuration from
NFS/SAMBA to LDAP, OpenAFS, heimdal and samba on our labs. Our servers
run FreeBSD, while our clients are dual boot machines, running linux and
Windows XP. The book "Distributed services with openafs" has been a
great aid to our venture, but there is a big thing that needs to be
resolved, that the aforementioned book seems to not be able to cover.
Heimdal, OpenAFS and LDAP worked (after long hours of testing and
debugging) like a charm, which means that users are now able to login on
linux boxes using their kerberos credentials (through pam), retrieve all
needed information (nsswitch) from ldap, and have their home folders
stored in afs space.
Samba, on the other hand, seems much more difficult to configure. The
book takes an approach of the following concept: All machine/user/group
information is stored on the LDAP server and Samba is configured to
function via LDAP (OpenLDAP, of course). Users are required to join the
Samba domain, and access their home folders/profiles via the Samba
server. Since authentication/authorization is completely left to samba,
there is no direct communication of the user with the KDC (or afs
whatsoever). For users to access their folders and profiles, samba has
to become a kerberos/afs client with all needed privileges to perform
its actions. Therefore, instead of storing files in our ufs filesystem,
samba stores them in afs space. I will not delve into more details,
since the problem starts quite soon.
User homedirs are located in /afs/mydomain/users/<userdirs>. Machines
join our domain without any problems. A user "windows" along with its
principal have been created in the samba machine and the KDC
respectively. The same user has been created in the afs server as well,
and that users has all (afs) permissions granted on the users' home
directories (via acls). On the samba server, after /afs has been
mounted, user windows is able to access everything as should, once I
"kinit windows" and then "afslog mydomain". So, I changed samba's rc
script so as to "kinit windows" and then obtain the afs token through
"afslog mydomain". The first problem was that when I first connected
with my testuser on samba through smbclient, samba refused to give me
any sort of access on my home folder. After setting "fs setacl
/afs/mydomain/users/testuser system:anyone all", I was able to connect
with smbclient, and when I created a directory, the directory's owner
was 32766, which stands of course for system:anyone..
I have changed my samba rc script so that once samba gets started, the
script touches a file in /afs/mydomain/users/testuser. The file's owner
is "windows" indeed!
I don't understand why this happens. I suppose that once the samba
processes (smbd, nmbd) have been forked by the rc script, for some
reason that I miss, tokens are not "passed" to them, and hence the
The book describes this procedure through the use of MIT Kerberos
implementation and not heimdal. In this case, "aklog -setpag" may
probably result to something different than afslog...I really don't know.
In any case, does anybody know how one may resolve this issue? And if
not, is there an alternate way to configure my systems?
Thank you all for your time in advance, and I hope that somebody will help
Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
MSc (Imperial College of London)
Department of Electrical and Computer Engineering
Faculty of Engineering
Aristotle University of Thessaloniki
phone number : +30 (2310) 994379