[OpenAFS] Re: Serving AFS to Windows boxes w/o OpenAFS client (Samba)?

omalleys@msu.edu
Wed, 15 Dec 2010 11:43:35 -0500


Quoting Andrew Deason <adeason@sinenomine.net>:

> On Wed, 15 Dec 2010 10:35:19 -0500
> omalleys@msu.edu wrote:
>
>> You used to be able to do straight krb5 auth in samba like 3.0.12 or
>> so was the first version to support it and if you want me to look
>> -somewhere- I have a link for the "how-to".  Then you could probably
>> do the preexec to get the token. I never actually thought about that
>> part. The krb5 piece worked. I tested that a long while ago like
>> 3.0.24ish.
>
> Samba can do krb5 auth, but you would need the client to forward
> tickets, too, in order to get tokens. I find it less likely that Samba
> can do that, but I do not really know; maybe it can.

This isn't the how-to I found, but it is from the list:

With MIT Kerberos, you need to put the following settings in
smb.conf:

    realm = KERBEROS.REALM.NAME
    security = ads
    encrypt passwords = yes
    use kerberos keytab = yes

and to add the appropriate service principals in /etc/krb5.keytab.  Which
service principals are appropriate is something of a black art, because
Windows clients think that principal names are case-insensitive.  You will
probably need to add

    server$@REALM
    host/server.example.com@REALM
    cifs/server.example.com@REALM

plus some case variations such as

    HOST/server.example.com@REALM
    host/SERVER.example.com@REALM

You can easily see which service principal a Windows client is requesting
by using Ethereal to capture the traffic between the Windows client and
the KDC.

You'll need at least Samba 3.0.11 to avoid a segfault when the client
connects.  Current SVN has a patch that makes Samba accept any case
combination in the Kerberos principal name; previously it would accept
only a few variations.
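A small helper to go with the how-to above, added here as an illustration and not part of the list post or of Samba: it enumerates the principal names the how-to says a Windows client may request (including the case variations) and compares them against `klist -k` output so you can see which entries are still missing from /etc/krb5.keytab before a client trips over one. The function names and the sample keytab listing are constructed for this example; the `klist -k` column layout it parses is the standard MIT one (three header lines, then `KVNO Principal`).

```shell
#!/bin/sh
# Added example, not from the list post. Hypothetical helpers:
#   needed_principals  - the names the how-to lists, with case variants
#   missing_principals - those names absent from a `klist -k` listing

# Print the service principals for a short host name, its FQDN and a realm:
# the machine account, host/ and cifs/, plus the upper-case variants the
# how-to mentions (HOST/ and an upper-cased short host name).
needed_principals() {
    host="$1"; fqdn="$2"; realm="$3"
    upper_host=$(printf '%s' "$host" | tr '[:lower:]' '[:upper:]')
    domain="${fqdn#*.}"   # everything after the first dot
    printf '%s\n' \
        "${host}\$@${realm}" \
        "host/${fqdn}@${realm}" \
        "cifs/${fqdn}@${realm}" \
        "HOST/${fqdn}@${realm}" \
        "host/${upper_host}.${domain}@${realm}"
}

# Read `klist -k` output on stdin and print every needed principal that is
# not present (exact, case-sensitive match, as the KDC sees it).
missing_principals() {
    host="$1"; fqdn="$2"; realm="$3"
    present=$(awk 'NR > 3 { print $2 }')   # skip the three header lines
    needed_principals "$host" "$fqdn" "$realm" | while IFS= read -r p; do
        printf '%s\n' "$present" | grep -Fxq -- "$p" || printf '%s\n' "$p"
    done
}

# Constructed sample of `klist -k` output: only the lower-case host/ and
# cifs/ entries exist, so the machine account and both case variants are
# expected to be reported as missing.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/server.example.com@EXAMPLE.COM
   2 cifs/server.example.com@EXAMPLE.COM'

# Stand-alone run: against a real keytab use
#   klist -k | missing_principals server server.example.com EXAMPLE.COM
printf '%s\n' "$SAMPLE_KLIST" | missing_principals server server.example.com EXAMPLE.COM
```

Whatever this reports is only the starting list; as the how-to says, the authoritative answer for a given client is the name it actually sends to the KDC in its TGS request, which a packet capture shows directly.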