[OpenAFS] afs and samba

Jason Edgecombe jason@rampaginggeek.com
Mon, 30 Mar 2009 20:10:17 -0400

George Mamalakis wrote:
> Hello everybody,
> in our department, we have decided to move our configuration from 
> NFS/SAMBA to LDAP, OpenAFS, heimdal and samba on our labs. Our servers 
> run FreeBSD, while our clients are dual boot machines, running linux 
> and Windows XP. The book "Distributed services with openafs" has been 
> a great aid to our venture, but there is a big thing that needs to be 
> resolved, that the aforementioned book seems to not be able to cover.
> Heimdal, OpenAFS and LDAP worked (after long hours of testing and 
> debugging) like a charm, which means that users are now able to login 
> on linux boxes using their kerberos credentials (through pam), 
> retrieve all needed information (nsswitch) from ldap, and have their 
> home folders stored in afs space.
> Samba, on the other hand, seems much more difficult to configure. The 
> book takes an approach of the following concept: All 
> machine/user/group information is stored on the LDAP server and Samba 
> is configured to function via LDAP (OpenLDAP, of course). Users are 
> required to join the Samba domain, and access their home 
> folders/profiles via the Samba server. Since 
> authentication/authorization is completely left to samba, there is no 
> direct communication of the user with the KDC (or afs whatsoever). For 
> users to access their folders and profiles, samba has to become a 
> kerberos/afs client with all needed privileges to perform its actions. 
> Therefore, instead of storing files in our ufs filesystem, samba 
> stores them in afs space. I will not delve into more details, since 
> the problem starts quite soon.
> User homedirs are located in /afs/mydomain/users/<userdirs>. Machines 
> join our domain without any problems. A user "windows" along with its 
> principal have been created in the samba machine and the KDC 
> respectively. The same user has been created in the afs server as 
> well, and that user has all (afs) permissions granted on the users' 
> home directories (via acls). On the samba server, after /afs has 
> been mounted, user windows is able to access everything as should, 
> once I "kinit windows" and then "afslog mydomain". So, I changed 
> samba's rc script so as to "kinit windows" and then obtain the afs 
> token through "afslog mydomain". The first problem was that when I 
> first connected with my testuser on samba through smbclient, samba 
> refused to give me any sort of access on my home folder. After setting 
> "fs setacl /afs/mydomain/users/testuser system:anyone all", I was able 
> to connect with smbclient, and when I created a directory, the 
> directory's owner was 32766, which stands of course for system:anyone.
> I have changed my samba rc script so that once samba gets started, the 
> script touches a file in /afs/mydomain/users/testuser. The file's 
> owner is "windows" indeed!
> I don't understand why this happens. I suppose that once the samba 
> processes (smbd, nmbd) have been forked by the rc script, for some 
> reason that I miss, tokens are not "passed" to them, and hence the 
> problem exists.
> The book describes this procedure through the use of the MIT Kerberos 
> implementation and not Heimdal. In this case, "aklog -setpag" may well 
> result in something different from afslog... I really don't know.
> In any case, does anybody know how one may resolve this issue? And if 
> not, is there an alternate way to configure my systems?
> Thank you all for your time in advance, and I hope that somebody will 
> help
Why aren't you just using the native OpenAFS client for Windows?

If you must do Samba, have you configured Windows and Samba to use 
clear-text passwords? Samba must pass the raw password to OpenAFS, not 
the LANMAN-hashed version that Samba receives from the client.
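
As an added illustration of the clear-text password setting the reply refers to (this is not from the original thread, nor a configuration the posters published): a minimal smb.conf fragment for the Samba 3 series that was current in 2009. The workgroup name, the config file location and the [homes] path are placeholders modelled on the setup described in the question; the only line that carries the point is "encrypt passwords = no", which switches Samba from the default hashed (LM/NTLM) exchange to plain-text authentication so that smbd actually sees the password it would need to hand to Kerberos/AFS.

```ini
; /usr/local/etc/smb.conf  (FreeBSD Samba port location; adjust to your build)
[global]
   workgroup = MYDOMAIN
   security = user
   ; Default (encrypt passwords = yes): the client sends only an LM/NTLM
   ; response, so smbd never holds the user's real password and cannot
   ; obtain a Kerberos ticket or AFS token on the user's behalf.
   ; Plain-text mode makes the password itself available to smbd:
   encrypt passwords = no

[homes]
   comment = AFS home directories (example path, assumed layout)
   path = /afs/mydomain/users/%U
   browseable = no
   writable = yes
```

The client side has to match: Windows XP refuses plain-text authentication unless the LanmanWorkstation service is told to allow it, via the DWORD value EnablePlainTextPassword = 1 under HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters, followed by a reboot. Two caveats a practitioner would want: the user's password then crosses the lab network in the clear inside the SMB session setup, readable by anyone who can sniff that segment, which is part of why the reply's first suggestion is the native OpenAFS client; and later Samba releases deprecated and then removed plain-text authentication altogether, so this knob is not a long-term answer.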