[OpenAFS] Re: Serving AFS to Windows boxes w/o OpenAFS client (Samba)?
omalleys@msu.edu
Wed, 15 Dec 2010 11:43:35 -0500
Quoting Andrew Deason <adeason@sinenomine.net>:
> On Wed, 15 Dec 2010 10:35:19 -0500
> omalleys@msu.edu wrote:
>
>> You used to be able to do straight krb5 auth in samba like 3.0.12 or
>> so was the first version to support it and if you want me to look
>> -somewhere- I have a link for the "how-to". Then you could probably
>> do the preexec to get the token. I never actually thought about that
>> part. The krb5 piece worked. I tested that a long while ago like
>> 3.0.24ish.
>
> Samba can do krb5 auth, but you would need the client to forward
> tickets, too, in order to get tokens. I find it less likely that Samba
> can do that, but I do not really know; maybe it can.
This isn't the how-to I found, but from the list...
With MIT Kerberos, you need to put the following settings in
smb.conf:
realm = KERBEROS.REALM.NAME
security = ads
encrypt passwords = yes
use kerberos keytab = yes
and to add the appropriate service principals in /etc/krb5.keytab. Which
service principals are appropriate is something of a black art, because
Windows clients think that principal names are case-insensitive. You will
probably need to add
server$@REALM
host/server.example.com@REALM
cifs/server.example.com@REALM
plus some case variations such as
HOST/server.example.com@REALM
host/SERVER.example.com@REALM
You can easily see which service principal a Windows client is requesting
by using Ethereal to capture the traffic between the Windows client and
the KDC.
You'll need at least Samba 3.0.11 to avoid a segfault when the client
connects. Current SVN has a patch that makes Samba accept any case
combination in the Kerberos principal name; previously it would accept
only a few variations.
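As an added example (not part of the original thread or of Samba), the Python script below generates the principal case variations the list post describes for an assumed host server.example.com in realm EXAMPLE.COM, parses constructed `klist -k` output, and reports which variants the keytab still lacks. MIT Kerberos matches principal names case-sensitively, so the comparison is an exact string match.

```python
"""Check which Samba service principal case variants are present in a keytab."""
import re


def candidate_principals(hostname, realm):
    """Build the principal names a Windows client may request for this host.

    Covers the machine account (SERVER$@REALM), the host/ and cifs/ service
    principals, and the case variations Windows clients are known to send:
    upper/lower service name, upper/lower short hostname, all-upper FQDN.
    """
    fqdn = hostname.lower()
    short, _, domain = fqdn.partition(".")
    host_forms = {fqdn, fqdn.upper(), short, short.upper()}
    if domain:
        host_forms.add(f"{short.upper()}.{domain}")
    names = {f"{short.upper()}$@{realm}"}
    for svc in ("host", "cifs"):
        for svc_form in (svc, svc.upper()):
            for host_form in host_forms:
                names.add(f"{svc_form}/{host_form}@{realm}")
    return names


def keytab_principals(klist_output):
    """Parse the principal column of `klist -k` output (KVNO, then principal)."""
    found = set()
    for line in klist_output.splitlines():
        match = re.match(r"^\s*\d+\s+(\S+)\s*$", line)
        if match:
            found.add(match.group(1))
    return found


def missing_principals(hostname, realm, klist_output):
    """Return, sorted, the candidate principals that the keytab does not contain."""
    return sorted(candidate_principals(hostname, realm) - keytab_principals(klist_output))


# Constructed sample `klist -k` output (not from a real keytab): only the three
# base principals are present, none of the case variations.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 SERVER$@EXAMPLE.COM
   2 host/server.example.com@EXAMPLE.COM
   2 cifs/server.example.com@EXAMPLE.COM
"""

if __name__ == "__main__":
    for principal in missing_principals("server.example.com", "EXAMPLE.COM", SAMPLE_KLIST):
        print("missing from keytab:", principal)
```

Run it against the real output of `klist -k` on the Samba server to see which variants still need to be added before Windows clients will authenticate.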