[OpenAFS] Re: Serving AFS to Windows boxes w/o OpenAFS client (Samba)?

Andrew Deason adeason@sinenomine.net
Wed, 15 Dec 2010 11:03:39 -0600

On Wed, 15 Dec 2010 11:47:29 -0500
Jeffrey Altman <jaltman@secure-endpoints.com> wrote:

> > Samba can do krb5 auth, but you would need the client to forward
> > tickets, too, in order to get tokens. I find it less likely that
> > Samba can do that, but I do not really know; maybe it can.
> It's not a question of whether Samba can do it.  It's a question of
> whether the SMB clients will delegate credentials and the answer is
> that they do not.

Ah, yes. I was thinking Samba clients, but obviously we're not talking
about Samba clients, and we don't have much control over the clients.

> The choices are to either configure Samba to require clear text password
> authentication which permits Samba to acquire the AFS token on its own
> using the user's name and password; or to use GSS/SPNEGO authentication
> (either NTLM or KRB5) and then use kimpersonate to generate a token for
> the user.  kimpersonate has the downside that it requires that the AFS
> KeyFile be shared with Samba and if Samba is compromised the AFS key is
> vulnerable.

Just one more note: I believe aklog itself has had kimpersonate support
since around 1.4.5-ish. It doesn't appear to be documented yet... but if
you have a keytab with the afs service princ, I think you can just give
it -keytab and -principal options and it'll do what you expect.

Andrew Deason