[OpenAFS] Windows client options

omalleys@msu.edu omalleys@msu.edu
Mon, 20 Dec 2010 10:49:30 -0500


Quoting omalleys@msu.edu:

> Quoting Jaap Winius <jwinius@umrk.nl>:
>
>> Quoting omalleys@msu.edu:
>>
>>> You might be able to use pgina which is a windows login screen replacement.
>>>
>>> There was someone working on a kerberos plugin for it. I am not  
>>> sure how far they got. (I haven't tried the 2.x series) I do know  
>>> I had openldap (with failover) working with it via a sasl-pam  
>>> mech.   I didn't get the kerberos plugin working but that was in  
>>> the 1.6.x or 1.8.x series. ) ...
>>
>>> Here is what I found for the pgina krb5 plugin:
>>> http://pages.cs.wisc.edu/~timc/pgina/
>>
>> Although it would not be as ideal as Samba4 with a working AD  
>> domain controller, pGina sounds like a great alternative. However,  
>> since I'm using Windows XP only, that means I would still be  
>> restricted to the last version of pGina 1.x: v1.8.8 from December  
>> the 6th, 2006. See these pGina pages:
>
>>   http://www.pgina.org/index.php/Main_Page
>>   http://www.pgina.org/index.php/PGina_1.x_Downloads
>>
>> In addition, judging from the contents of the link you supplied,  
>> timc meant his plugin to work with pGina 2.x, and he hasn't updated  
>> his plugin since October the 6th, 2008.
>>
>> Therefore, I'm going to conclude that pGina v1.8.8 does not support  
>> Kerberos out of the box, or else timc would not have bothered, and  
>> that his plugin will not work with it either, just as you  
>> discovered for yourself earlier. Pity.
>
> I didn't get to spend a lot of time on it, by the time I got to try  
> it, they had already killed the project. IIRC I never even got a  
> krb5 ticket with the mit kfw 3.2.2.
>
>> Thanks anyway, though. If, in lieu of Samba4, a Vista machine, or a  
>> more modern Windows client, appears on any of my  
>> Kerberos/OpenLDAP/OpenAFS networks, then I will certainly remember  
>> to give your solution a try!
>
> Samba4 says it already supports 'Active Directory' logon and  
> administration protocols.  Since they started with auth, I am  
> guessing that part is fairly stable. The whole suite for sure isn't  
> production ready.
>
> If you do try it, grab it out of the git repo, they have a tendency  
> not to push out release tarballs and not to update the  
> documentation. :)
>

I should add, the easiest is to use pgina with just the ldap plugin,  
turn on plain text passwords on the clients, and write a bat file to  
map drives to a samba share with pam krb5/pam afs session stack. You  
can get identical ssid's across all the samba servers if you use  
identical windows hostnames. You can use pam_ldap or nss ldap to get  
your usernames to the unix user accts. (AD doesn't let you do that.) (It  
can be the same server as your ldap auth server.)

We set it up to run out of inetd so it autorestarts. Windows can cache  
the creds and auto-reconnect if you need to replace the machine and  
firewall off a lot of the chatter the protocol does. But you can  
probably run it as a stand-alone server.

We have/had this running with a stripped-down solaris 8 sparc  
400mhz/128M of ram reliably for years (compiled a few things out of  
samba as well). If you want a small cheap machine, I'm guessing a  
guruplug (which is cheap and only uses 5-10w of power max. and < .5w  
idle and has esata) would give similar performance, but I haven't  
tested it yet.

On a side note, the ARM Cortex-A15's 2.5ghz quad cores should come out  
in less than a year and there are a couple of companies interested in  
pushing these out as low E servers.
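The pGina/LDAP plus Samba/PAM layout the post describes, as an added illustrative configuration that is not from the message above or from the OpenAFS, Samba or pGina projects. It assumes a Samba 3.x server built with PAM support, the pam_krb5 and pam_afs_session modules, the NetBIOS name AFSGW and the realm/cell example.com (all placeholders). It makes concrete why the post needs plain text passwords on the clients: Samba can only hand the user's password to pam_krb5 (which obtains the ticket that pam_afs_session turns into an AFS token) when it receives the password itself rather than an NTLM challenge response, which also means the password crosses the network unencrypted, so the share is only reasonable on a trusted LAN or inside a tunnel.

```conf
# /etc/samba/smb.conf (fragment) -- constructed example, not from the post
[global]
   workgroup = WORKGROUP
   # Same NetBIOS name on every replica; the post relies on identical
   # hostnames so Windows sees one identity across all the Samba servers.
   netbios name = AFSGW
   # Clear-text SMB authentication so the password reaches the PAM stack.
   # Requires EnablePlainTextPassword=1 on the Windows clients, and sends
   # the password in the clear: only use over a trusted LAN or a tunnel.
   encrypt passwords = no
   # Run the PAM account and session phases (pam_krb5 / pam_afs_session).
   obey pam restrictions = yes
   # Unix accounts come from nss_ldap ("passwd: files ldap" in nsswitch.conf)

[homes]
   comment = AFS home reached with the user's own Kerberos ticket
   path = /afs/example.com/user/%u      ; placeholder AFS path
   browseable = no
   writable = yes

# /etc/pam.d/samba -- constructed example
# auth: check the clear-text password against the KDC and keep the ticket
auth     required   pam_krb5.so
account  required   pam_krb5.so
# session: pam_krb5 exposes the ticket cache (KRB5CCNAME) first,
# then pam_afs_session derives the AFS token from it
session  required   pam_krb5.so
session  optional   pam_afs_session.so
```

On a Windows XP client the matching switch is the DWORD value EnablePlainTextPassword set to 1 under HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters; the batch file the post mentions then reduces to a `net use H: \\AFSGW\homes` line run at logon. The module order in the session phase matters: pam_afs_session needs the credential cache that pam_krb5 sets up, so listing it first leaves the user without an AFS token even though the Samba login succeeds.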