[OpenAFS] Windows client options

omalleys@msu.edu omalleys@msu.edu
Sun, 19 Dec 2010 18:33:59 -0500 

You might be able to use pgina which is a windows login screen replacement.

There was someone working on a kerberos plugin for it. I am not sure  
how far they got. (I haven't tried the 2.x series) I do know I had  
openldap (with failover) working with it via a sasl-pam mech.   I  
didn't get the kerberos plugin working but that was in the 1.6.x or  
1.8.x series. )the kerberos plugin I saw was from u wisconsin. I have  
a link for it if you want if it isn't included in the pgina  
distribution already.

If you want more fine grained control, you can actually do "chaining"  
so you auth against both or either.  IE the user has to exist both  
places or a user has to exist in either place.  It makes sense if you  
only want a say a few of your few hundred users to login to that  
particular workstation or a user only has to exist in either place so  
you can add users without giving them afs space like a visitor.

If you really want to run AD then I would probably try Samba 4.x (I  
dont think they backported the AD server portion to the 3.x series)  
first since you are an open source project.







Quoting Jaap Winius <jwinius@umrk.nl>:

> Hi folks,
>
> So far, I've been able to get Linux clients to work perfectly with  
> my MIT Kerberos V / OpenLDAP / OpenAFS servers. No need to create  
> any local accounts: anyone with a network account can login to any  
> workstation and none of their personal files are stored locally.
>
> I hope I'm wrong, but the same doesn't seem to be possible with  
> Windows clients. I've been experimenting with a WinXP (SP3) Pro test  
> machine running Kerberos for Windows 3.2.2 and OpenAFS for Windows  
> 1.5.7800. It seems to work fine, as I can authenticate and access  
> all of my files on the network. However, I still have to start by  
> logging in to a local Windows account.
>
> Is it possible to configure a Windows XP client for single-sign-on,  
> so that locally no pre-existing account or knowledge of any users is  
> required? If so, can it also be set up so that the user's home  
> directories are stored in OpenAFS?
>
> Thanks,
>
> Jaap
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
>



-- 
"The information in this email, and attachment(s) thereto, is strictly  
confidential and may be legally privileged. It is intended solely for  
the named recipient(s), and access to this e-mail, or any  
attachment(s) thereto, by anyone else is unauthorized. Violations  
hereof may result in legal actions. Any attachment(s) to this e-mail  
have been checked for viruses, but please rely on your own  
virus-checker and procedures. If you contact us by e-mail, we will  
store your name and address to facilitate communications in the matter  
concerned. If you do not consent to us storing your name and address  
for above stated purpose, please notify the sender promptly. Also, if  
you are not the intended recipient please inform the sender by  
replying to this transmission, and delete the e-mail, its  
attachment(s), and any copies of it without, disclosing it."