[OpenAFS] Re: Serving AFS to Windows boxes w/o OpenAFS client (Samba)?

Jeffrey Altman jaltman@secure-endpoints.com
Wed, 15 Dec 2010 11:47:29 -0500

On 12/15/2010 11:13 AM, Andrew Deason wrote:
> On Wed, 15 Dec 2010 10:35:19 -0500
> omalleys@msu.edu wrote:
>> You used to be able to do straight krb5 auth in samba like 3.0.12 or
>> so was the first version to support it and if you want me to look
>> -somewhere- I have a link for the "how-to".  Then you could probably
>> do the preexec to get the token. I never actually thought about that
>> part. The krb5 piece worked. I tested that a long while ago like
>> 3.0.24ish.
> Samba can do krb5 auth, but you would need the client to forward
> tickets, too, in order to get tokens. I find it less likely that Samba
> can do that, but I do not really know; maybe it can.

It's not a question of whether Samba can do it.  It's a question of
whether the SMB clients will delegate credentials and the answer is that
they do not.

The choices are to either configure Samba to require clear text password
authentication which permits Samba to acquire the AFS token on its own
using the user's name and password; or to use GSS/SPNEGO authentication
(either NTLM or KRB5) and then use kimpersonate to generate a token for
the user.  kimpersonate has the downside that it requires that the AFS
KeyFile be shared with Samba and if Samba is compromised the AFS key is

Other things to be aware of:

 * Samba over AFS does not properly enforce Windows locking
   semantics which can result in data corruption from multiple
   clients accessing the same file (one via Samba, one not Samba)

 * Do not use the host name "afs" for your Samba server.  Doing
   so will cause severe problems when mixed with native clients
   that expect their UNC server name to be "AFS".

Jeffrey Altman
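Added here as an editor's example, not code from the thread or from the Samba or OpenAFS projects: a small POSIX shell lint that reads an smb.conf and reports the points raised above (a server named "afs", whether the plaintext-password path is configured, and which shares hand out AFS tokens and so carry the locking caveat). It consults only the standard smb.conf parameters `netbios name`, `encrypt passwords` and `afs share`; the sample smb.conf it writes is constructed for the demo.

```shell
# Editor's example, not from the thread. Assumes a stock smb.conf layout
# ([section] headers, "key = value", comments starting with # or ;).
# smb_kv FILE: normalize smb.conf to "section<TAB>key<TAB>value" lines,
# lower-casing the key, skipping comments and trimming surrounding blanks.
smb_kv() {
    awk -F= '
        function trim(s) { sub(/^[[:space:]]+/, "", s); sub(/[[:space:]]+$/, "", s); return s }
        /^[[:space:]]*\[/ { b = index($0, "["); e = index($0, "]"); sec = substr($0, b + 1, e - b - 1); next }
        /^[[:space:]]*[#;]/ || NF < 2 { next }
        { k = tolower(trim($1)); v = $0; sub(/^[^=]*=/, "", v); printf "%s\t%s\t%s\n", sec, k, trim(v) }
    ' "$1"
}
# smb_get FILE SECTION KEY: first value of KEY under [SECTION] (case-insensitive).
smb_get() {
    smb_kv "$1" | awk -F'\t' -v s="$(printf %s "$2" | tr 'A-Z' 'a-z')" -v k="$(printf %s "$3" | tr 'A-Z' 'a-z')" \
        'tolower($1) == s && $2 == k { print $3; exit }'
}
# smb_afs_shares FILE: names of the shares that set "afs share = yes".
smb_afs_shares() {
    smb_kv "$1" | awk -F'\t' '$2 == "afs share" && tolower($3) == "yes" { print $1 }'
}
# smb_afs_audit FILE: print findings; return 1 if the server is named "afs"
# (it would collide with the UNC server name native OpenAFS clients expect).
smb_afs_audit() {
    rc=0; name=$(smb_get "$1" global "netbios name")
    if [ "$(printf '%s' "$name" | tr 'A-Z' 'a-z')" = afs ]; then
        echo "FAIL: netbios name = $name clashes with the native client's AFS server name"; rc=1
    fi
    if [ "$(smb_get "$1" global "encrypt passwords" | tr 'A-Z' 'a-z')" = no ]; then
        echo "INFO: plaintext SMB auth: Samba can acquire AFS tokens from the user's password"
    else
        echo "INFO: encrypted SMB auth: SMB clients do not delegate, so tokens need kimpersonate (shared AFS KeyFile)"
    fi
    smb_afs_shares "$1" | while IFS= read -r s; do
        echo "WARN: share [$s] exports AFS; Windows locking is not enforced against non-Samba AFS access"
    done
    return $rc
}
# write_sample_conf PATH: constructed smb.conf reproducing the setup warned about.
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
   netbios name = AFS
   encrypt passwords = no
[home]
   path = /afs/example.com/home
   afs share = yes
EOF
}
```

Run it as `write_sample_conf /tmp/smb.conf; smb_afs_audit /tmp/smb.conf` to see the FAIL, INFO and WARN lines for the constructed config; point `smb_afs_audit` at a real smb.conf (or at `testparm -s` output saved to a file) to lint a live server.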
