[OpenAFS] afs and samba
Mon, 30 Mar 2009 20:10:17 -0400
George Mamalakis wrote:
> Hello everybody,
> in our department, we have decided to move our configuration from
> NFS/SAMBA to LDAP, OpenAFS, heimdal and samba on our labs. Our servers
> run FreeBSD, while our clients are dual boot machines, running linux
> and Windows XP. The book "Distributed services with openafs" has been
> a great aid to our venture, but there is a big thing that needs to be
> resolved, that the aforementioned book seems to not be able to cover.
> Heimdal, OpenAFS and LDAP worked (after long hours of testing and
> debugging) like a charm, which means that users are now able to login
> on linux boxes using their kerberos credentials (through pam),
> retrieve all needed information (nsswitch) from ldap, and have their
> home folders stored in afs space.
> Samba, on the other hand, seems much more difficult to configure. The
> book takes an approach of the following concept: All
> machine/user/group information is stored on the LDAP server and Samba
> is configured to function via LDAP (OpenLDAP, of course). Users are
> required to join the Samba domain, and access their home
> folders/profiles via the Samba server. Since
> authentication/authorization is completely left to samba, there is no
> direct communication of the user with the KDC (or afs whatsoever). For
> users to access their folders and profiles, samba has to become a
> kerberos/afs client with all needed privileges to perform its actions.
> Therefore, instead of storing files in our ufs filesystem, samba
> stores them in afs space. I will not delve into more details, since
> the problem starts quite soon.
> User homedirs are located in /afs/mydomain/users/<userdirs>. Machines
> join our domain without any problems. A user "windows" along with its
> principal have been created in the samba machine and the KDC
> respectively. The same user has been created in the afs server as
> well, and that users has all (afs) permissions granted on the users'
> home directories (via acls). On the samba server, after /afs has
> been mounted, user windows is able to access everything as should,
> once I "kinit windows" and then "afslog mydomain". So, I changed
> samba's rc script so as to "kinit windows" and then obtain the afs
> token through "afslog mydomain". The first problem was that when I
> first connected with my testuser on samba through smbclient, samba
> refused to give me any sort of access on my home folder. After setting
> "fs setacl /afs/mydomain/users/testuser system:anyone all", I was able
> to connect with smbclient, and when I created a directory, the
> directory's owner was 32766, which stands of course for system:anyone..
> I have changed my samba rc script so that once samba gets started, the
> script touches a file in /afs/mydomain/users/testuser. The file's
> owner is "windows" indeed!
> I don't understand why this happens. I suppose that once the samba
> processes (smbd, nmbd) have been forked by the rc script, for some
> reason that I miss, tokens are not "passed" to them, and hence the
> problem exists.
> The book describes this procedure through the use of MIT Kerberos
> implementation and not heimdal. In this case, "aklog -setpag" may
> probably result to something different than afslog...I really don't know.
> In any case, does anybody know how one may resolve this issue? And if
> not, is there an alternate way to configure my systems?
> Thank you all for your time in advance, and I hope that somebody will
Why aren't you just using the native OpenAFS client for windows?
If you must do samba, have you configured windows and samba to use
clear-text passwords? Samba must pass the raw password to OpenAFS, not
the lanman-hashed version that samba receives from the client.