[OpenAFS] openafs - samba

Jeffrey Altman jaltman@your-file-system.com
Tue, 29 Nov 2011 18:30:21 -0500


On 11/29/2011 11:01 AM, Mike Legg wrote:
> Hi,
>
> I am currently testing OpenAFS on Debian 1.14.12 and would like some
> advice on how to expose OpenAFS via Samba for Windows clients. Is there
> an OpenAFS/Samba guide to help with this? Is Samba used by many
> installations for this purpose or is the advice to use the Windows 1.7
> client, if so, why?

Mike:

Samba is not used by many organizations as a primary means of serving
the /afs file system name space to end users on Windows.  While it would
be nice if there was a Microsoft supported file system to access /afs in
the box, there are several problems with the Samba gateway approach:

1. The AFS support in Samba is so rarely used it frequently breaks in
the upstream because it isn't tested by the developers.   Sites
deploying the AFS support frequently must maintain local patches.

2. Authentication of clients to AFS is a problem.  There are two methods
that are regularly used:

  a. configure clients to send their Kerberos password in plaintext
     to Samba so it can use it to obtain an AFS token.

  b. configure Samba to authenticate using GSS-API SPNEGO Kerberos v5
     and give Samba the AFS cell KeyFile so that kimpersonate can
     forge AFS tokens.

Both of these approaches have significant downsides.  Long-term Kerberos
passwords are not supposed to be sent over the network.  That is the
point of Kerberos.  Giving Samba the AFS KeyFile and the ability to
forge AFS tokens means that anyone that can compromise Samba can
impersonate any user.

3. The SMB protocol and AFS protocols do not have the same semantics and
while I and others have spent the last eight years integrating AFS into
the Windows file system stack to produce an integrated solution, none of
that effort has been put into Samba.  Some critical functionality such
as byte range locking simply does not work safely when used via the
Samba AFS gateway.

4. AFS Integration with the Explorer Shell does not exist for Samba.

The only situation that I would use the Samba AFS gateway for is to
distribute world readable readonly data to anonymous users.

Jeffrey Altman

