[OpenAFS] Serving AFS to Windows boxes w/o OpenAFS client (Samba)?

omalleys@msu.edu omalleys@msu.edu
Wed, 15 Dec 2010 10:35:19 -0500

You used to be able to do straight krb5 auth in Samba (3.0.12 or
so was the first version to support it), and if you want me to look,
-somewhere- I have a link for the "how-to". Then you could probably
do the preexec to get the token. I never actually thought about that
part. The krb5 piece worked. I tested that a long while ago like

Quoting Christof Hanke <christof.hanke@rzg.mpg.de>:

> There is some stuff about this in the Wiki:
> http://wiki.openafs.org/AFSLore/SMBtoAFS/
> but a lot of stuff is outdated (dead links etc.)
> The apparently preferred method is with kimpersonate, which I
> don't like that much.
> I hope it is possible to create a ticket file using pam and then
> use "aklog -setpag" in smb.conf (preexec).
> We will also use this for Windows7 clients until 1.8 is out.
> However I'm on holiday soon, so I'll get to it in February earliest.
> HTH,
> Christof
> On 14.12.2010 01:12, Jeff Blaine wrote:
>> This Windows 7 thing has us looking for alternate temporary
>> solutions, as 7 is the only OS being pushed to new corporate
>> PCs and our OpenAFS from Windows usage is niche enough to
>> not warrant concern from corporate IT. So, every few weeks
>> we get another user opening a support ticket with us about
>> their new PC and non-functioning OpenAFS.
>> What is the correct (or at least functioning) way to get
>> OpenAFS access from Windows using Samba?
>> We do not care about tying to any AD servers, etc. It's
>> purely a UNIX/Linux shop from our end.
>> I see Samba has:
>>   --with-afs
>>       Include AFS clear-text auth support (default=no)
>>   --with-fake-kaserver
>>       Include AFS fake-kaserver support (default=no)
>> We don't currently run a fake-kaserver, as we have no need.
>> It's safe to say that any sort of clear-text auth via
>> whatever --with-afs does is unacceptable to us.
>> Any guidance would be most appreciated, and I'd be happy
>> to write up what works if I get to that point, assuming
>> there is nothing written up yet.
>> Jeff
>> _______________________________________________
>> OpenAFS-info mailing list
>> OpenAFS-info@openafs.org
>> https://lists.openafs.org/mailman/listinfo/openafs-info
