[OpenAFS] Re: Serving AFS to Windows boxes w/o OpenAFS client (Samba)?
Andrew Deason
adeason@sinenomine.net
Wed, 15 Dec 2010 11:03:39 -0600
On Wed, 15 Dec 2010 11:47:29 -0500
Jeffrey Altman <jaltman@secure-endpoints.com> wrote:
> > Samba can do krb5 auth, but you would need the client to forward
> > tickets, too, in order to get tokens. I find it less likely that
> > Samba can do that, but I do not really know; maybe it can.
>
> It's not a question of whether Samba can do it. It's a question of
> whether the SMB clients will delegate credentials and the answer is
> that they do not.
Ah, yes. I was thinking Samba clients, but obviously we're not talking
about Samba clients, and we don't have much control over the clients.
> The choices are to either configure Samba to require clear text password
> authentication which permits Samba to acquire the AFS token on its own
> using the user's name and password; or to use GSS/SPNEGO authentication
> (either NTLM or KRB5) and then use kimpersonate to generate a token for
> the user. kimpersonate has the downside that it requires that the AFS
> KeyFile be shared with Samba and if Samba is compromised the AFS key is
> vulnerable.
Just one more note: I believe aklog itself has had kimpersonate support
since around 1.4.5-ish. It doesn't appear to be documented yet... but if
you have a keytab with the afs service princ, I think you can just give
it -keytab and -principal options and it'll do what you expect.
--
Andrew Deason
adeason@sinenomine.net