[OpenAFS] openafs - samba

Jeffrey Altman jaltman@your-file-system.com
Tue, 29 Nov 2011 18:30:21 -0500

On 11/29/2011 11:01 AM, Mike Legg wrote:
> Hi,
> I am currently testing OpenAFS on Debian 1.14.12 and would like some
> advice on how to expose OpenAFS via Samba for Windows clients. Is there
> an OpenAFS/Samba guide to help with this? Is Samba used by many
> installations for this purpose, or is the advice to use the Windows 1.7
> client, and if so, why?


Samba is not used by many organizations as a primary means of serving
the /afs file system name space to end users on Windows.  While it would
be nice if there were a Microsoft-supported file system to access /afs in
the box, there are several problems with the Samba gateway approach:

1. The AFS support in Samba is so rarely used it frequently breaks in
the upstream because it isn't tested by the developers.   Sites
deploying the AFS support frequently must maintain local patches.

2. Authentication of clients to AFS is a problem.  There are two methods
that are regularly used:

  a. configure clients to send their Kerberos password in plaintext
     to Samba so it can use it to obtain an AFS token.

  b. configure Samba to authenticate using GSS-API SPNEGO Kerberos v5
     and give Samba the AFS cell KeyFile so that kimpersonate can
     forge AFS tokens.

Both of these approaches have significant downsides.  Long-term Kerberos
passwords are not supposed to be sent over the network.  That is the
point of Kerberos.  Giving Samba the AFS KeyFile and the ability to
forge AFS tokens means that anyone who can compromise Samba can
impersonate any user.

3. The SMB and AFS protocols do not have the same semantics, and
while I and others have spent the last eight years integrating AFS into
the Windows file system stack to produce an integrated solution, none of
that effort has been put into Samba.  Some critical functionality, such
as byte-range locking, simply does not work safely when used via the
Samba AFS gateway.

4. AFS Integration with the Explorer Shell does not exist for Samba.

The only situation in which I would use the Samba AFS gateway is to
distribute world-readable, read-only data to anonymous users.

Jeffrey Altman
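For readers who want to see what approach 2(b) above looks like in an actual configuration, the smb.conf fragment below is an added illustration; it is not part of the original message and is not configuration shipped by the Samba or OpenAFS projects. It assumes a Samba build configured with --with-fake-kaserver (the build option that lets the "afs share" parameter hand-craft AFS tokens from the cell KeyFile), an OpenAFS cell whose KeyFile is readable by smbd, and placeholder names (EXAMPLE.ORG realm, example.org cell, /afs/example.org path). Because smbd then holds the cell key and can mint a token for any user, the share is exported read-only, matching the only use the message endorses for this gateway.

```ini
; Added example, not from the original message or either project.
; Samba side of approach 2(b): Windows clients authenticate to Samba with
; Kerberos (security = ads), and Samba forges the AFS token itself.
; Requires: Samba built with --with-fake-kaserver, and smbd able to read
; the AFS cell KeyFile. Names below are placeholders.
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.ORG
    security = ads

    ; Map the SMB user name to the AFS principal the forged token will
    ; carry. %u is the SMB user; the cell name is a placeholder.
    afs username map = %u@example.org

    ; Lifetime of the forged token, in seconds (here 10 hours).
    afs token lifetime = 36000

; The export itself. "afs share = yes" is what turns on the token
; forging for this path; keep it read-only, since any compromise of smbd
; yields the cell key and with it the ability to impersonate every user.
[afs]
    path = /afs/example.org
    afs share = yes
    read only = yes
    guest ok = yes
```

The two security-relevant lines are "afs share = yes", which is the switch that makes smbd use the cell key, and "read only = yes", which limits what a compromised smbd (or a user it wrongly impersonates) can do through this path. A site that needs writable access for authenticated users is exactly the case the message argues against, and this fragment does not attempt it.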
