[OpenAFS] Windows client options
Mon, 20 Dec 2010 10:49:30 -0500
> Quoting Jaap Winius <email@example.com>:
>> Quoting firstname.lastname@example.org:
>>> You might be able to use pgina which is a windows login screen replacement.
>>> There was someone working on a kerberos plugin for it. I am not
>>> sure how far they got. (I haven't tried the 2.x series) I do know
>>> I had openldap (with failover) working with it via a sasl-pam
>>> mech. I didn't get the kerberos plugin working but that was in
>>> the 1.6.x or 1.8.x series. ) ...
>>> Here is what I found for the pgina krb5 plugin:
>> Although it would not be as ideal as Samba4 with a working AD
>> domain controller, pGina sounds like a great alternative. However,
>> since I'm using Windows XP only, that means I would still be
>> restricted to the last version of pGina 1.x: v1.8.8 from December
>> the 6th, 2006. See these pGina pages:
>> In addition, judging from the contents of the link you supplied,
>> timc meant his plugin to work with pGina 2.x, and he hasn't updated
>> his plugin since October the 6th, 2008.
>> Therefore, I'm going to conclude that pGina v1.8.8 does not support
>> Kerberos out of the box, or else timc would not have bothered, and
>> that his plugin will not work with it either, just as you
>> discovered for yourself earlier. Pity.
> I didn't get to spend a lot of time on it, by the time I got to try
> it, they had already killed the project. IIRC I never even got a
> krb5 ticket with the mit kfw 3.2.2.
>> Thanks anyway, though. If, in lieu of Samba4, a Vista machine, or a
>> more modern Windows client, appears on any of my
>> Kerberos/OpenLDAP/OpenAFS networks, then I will certainly remember
>> to give your solution a try!
> Samba4 says it already supports 'Active Directory' logon and
> administration protocols. Since they started with auth, I am
> guessing that part is fairly stable. The whole suite for sure isn't
> production ready.
> If you do try it, grab it out of the git repo, they have a tendency
> not to push out release tarballs and not to update the
> documentation. :)
I should add, the easiest is to use pgina with just the ldap plugin,
turn on plain text passwords on the clients, and write a bat file to
map drives to a samba share with pam krb5/pam afs session stack. You
can get identical ssid's acrossed all the samba servers if you use
identical windows hostnames. You can use pam_ldap or nss ldap to get
your usernames to the unix user accts.(AD doesnt let you do that.) (It
can be the same server as your ldap auth server.)
We set it up to run out of inetd so it autorestarts. Windows can cache
the creds and auto reconnect if you need to replace the machine and
firewall off a lot of the chatter the protocol does. But you can
probably run it as a stand alone server.
We have/had this running with stripped down solaris 8 sparc
400mhz/128M of ram reliably for years (compiled a few things out of
samba as well). If you want a small cheap machine, I'm guessing a
guruplug (which is cheap and only uses 5-10w of power max. and < .5w
idle and has esata) would give similar performance, but I haven't
tested it yet.
On a side note, the ARM Cortex-a15's 2.5ghz quad cores should come out
in less then a year and there are a couple of companies interested in
pushing these out as low E servers.