[OpenAFS] Samba & aklog

Anders Magnusson ragge@ltu.se
Fri, 08 Aug 2014 11:32:16 +0200


Craig Huckabee wrote 2014-08-06 17:45:
>
>   I had a request from a small group locally that needs to access 
> their AFS space(s) via a Windows file share - installing the AFS 
> client on these systems is not an option.
>
>   So I started looking into doing this via Samba, using a dedicated 
> server (RHEL6).  I've got normal shares working, using Kerberos 
> authentication to connect (works from OSX, Windows, etc).
>
>   A little research turned up a suggestion of doing something like 
> this in the smb.conf for AFS shares:
>
> ...
> root preexec = /usr/bin/aklog -setpag -cell mycell.mil -keytab /usr/afs/etc/rxkad.keytab -principal %u
> ...
>
>   This almost works but I think I'm running into either PAG issues or 
> some other weirdness.  Testing the connection it appears that 
> sometimes I get tokens, sometimes I don't.  Not sure if I need to 
> force the smbd into a new PAG on startup.

I did set up a quite well-functioning Samba gateway for AFS some years 
ago.  If memory serves correctly, it worked like this:

- Kerberos auth to smbd (no NTLM auth at all).
- Did not use PAGs on the file server.
- root preexec and kimpersonate were used to get AFS tokens.

I also ran into problems with setting the PAG, but since it does not 
matter to have it on the file server it could as well be skipped.

-- Ragge