[OpenAFS] Re: Serving AFS to Windows boxes w/o OpenAFS client
Wed, 15 Dec 2010 11:47:29 -0500
On 12/15/2010 11:13 AM, Andrew Deason wrote:
> On Wed, 15 Dec 2010 10:35:19 -0500
> firstname.lastname@example.org wrote:
>> You used to be able to do straight krb5 auth in samba like 3.0.12 or
>> so was the first version to support it and if you want me to look
>> -somewhere- I have a link for the "how-to". Then you could probably
>> do the preexec to get the token. I never actually thought about that
>> part. The krb5 piece worked. I tested that a long while ago like
> Samba can do krb5 auth, but you would need the client to forward
> tickets, too, in order to get tokens. I find it less likely that Samba
> can do that, but I do not really know; maybe it can.
It's not a question of whether Samba can do it. It's a question of
whether the SMB clients will delegate credentials and the answer is that
they do not.

The choices are to either configure Samba to require clear text password
authentication which permits Samba to acquire the AFS token on its own
using the user's name and password; or to use GSS/SPNEGO authentication
(either NTLM or KRB5) and then use kimpersonate to generate a token for
the user. kimpersonate has the downside that it requires that the AFS
KeyFile be shared with Samba and if Samba is compromised the AFS key is

Other things to be aware of:
* Samba over AFS does not properly enforce Windows locking
  semantics which can result in data corruption from multiple
  clients accessing the same file (one via Samba, one not Samba)
* Do not use the host name "afs" for your Samba server. Doing
  so will cause severe problems when mixed with native clients
  that expect their UNC server name to be "AFS".