[OpenAFS] Windows client options
Sun, 19 Dec 2010 18:33:59 -0500
You might be able to use pgina which is a windows login screen replacement.
There was someone working on a kerberos plugin for it. I am not sure
how far they got. (I haven't tried the 2.x series) I do know I had
openldap (with failover) working with it via a sasl-pam mech. I
didn't get the kerberos plugin working but that was in the 1.6.x or
1.8.x series. )the kerberos plugin I saw was from u wisconsin. I have
a link for it if you want if it isn't included in the pgina
If you want more fine grained control, you can actually do "chaining"
so you auth against both or either. IE the user has to exist both
places or a user has to exist in either place. It makes sense if you
only want a say a few of your few hundred users to login to that
particular workstation or a user only has to exist in either place so
you can add users without giving them afs space like a visitor.
If you really want to run AD then I would probably try Samba 4.x (I
dont think they backported the AD server portion to the 3.x series)
first since you are an open source project.
Quoting Jaap Winius <firstname.lastname@example.org>:
> Hi folks,
> So far, I've been able to get Linux clients to work perfectly with
> my MIT Kerberos V / OpenLDAP / OpenAFS servers. No need to create
> any local accounts: anyone with a network account can login to any
> workstation and none of their personal files are stored locally.
> I hope I'm wrong, but the same doesn't seem to be possible with
> Windows clients. I've been experimenting with a WinXP (SP3) Pro test
> machine running Kerberos for Windows 3.2.2 and OpenAFS for Windows
> 1.5.7800. It seems to work fine, as I can authenticate and access
> all of my files on the network. However, I still have to start by
> logging in to a local Windows account.
> Is it possible to configure a Windows XP client for single-sign-on,
> so that locally no pre-existing account or knowledge of any users is
> required? If so, can it also be set up so that the user's home
> directories are stored in OpenAFS?
> OpenAFS-info mailing list
"The information in this email, and attachment(s) thereto, is strictly
confidential and may be legally privileged. It is intended solely for
the named recipient(s), and access to this e-mail, or any
attachment(s) thereto, by anyone else is unauthorized. Violations
hereof may result in legal actions. Any attachment(s) to this e-mail
have been checked for viruses, but please rely on your own
virus-checker and procedures. If you contact us by e-mail, we will
store your name and address to facilitate communications in the matter
concerned. If you do not consent to us storing your name and address
for above stated purpose, please notify the sender promptly. Also, if
you are not the intended recipient please inform the sender by
replying to this transmission, and delete the e-mail, its
attachment(s), and any copies of it without, disclosing it."