AFS with Samba PDC

Johan Hedin johanh at
Thu Sep 16 15:25:08 GMT 1999

On Fri, 17 Sep 1999, Allan Bjorklund wrote:

> --On Thursday, September 16, 1999, 10:35 PM +1000 Johan Hedin
> <johanh at> wrote:
>     Yes, but what we've done is a bit ugly and we are looking for a better
> way.

Still looks a lot better than what I was planning to do. Are you
planning on giving this away?

I will propably do the clear text password patch anyway, we will propably
use it for some Win95 boxes.

> > 1. Store the users Kerberos passwords as srvtabs on the local disk of the
> >    Samba PDC, and then obtain a ticket after the NT password validation is
> >    done.
>     The potential security breakdown here scares me.  Do you really want
> to place the srvtabs for all your users on a machine where the users will
> have the ability to manipulate files?  Who knows what clever little tricks
> the less honest may discover.

Yes I know this is not the best of all solutions. Since we have mostly Sun
users here and a few NT machines, it will be only the srvtabs of those,
but still, I agree, it's not satisfactory. Your way sound a lot better.

> > 2. Run the Samba PDC with an common AFS ticket on the local Samba machine,
> >    turn off wide links and tell the intereseted users to set the ACL such
> >    that Samba can read and write on their directories. In this scheme
> >    users must be prevented from mounting each other's volumes in their
> >    homes.
>     Which prevents collaboration between people.  The ability to share
> data files with others is a feature users demand to have.  That is too big
> of a lose. Also if that one global account is compromised you really
> lose.

Ok. This does not look like the way to do it.

> > The second issue is with the ticket lifetime. After the ticket has
> > expired, Samba should die forcing the NT machine to open a new connection
> > with a new ticket. This is not a problem for NT choosing the first scheme
> > above, but will be for the clear text password version.
>     What if you also share local UNIX files?  Cut them off also?

We are planning a pure AFS user space here, but yes, there should maybe
be an option in smb.conf controling on which share to do this.

>     One of the design goals for the new authentication methods we're
> working on, is to have a method of prompting the user to refresh their
> expired tokens.

Sounds like the way to do it. There should be a public interest in this
(unless people just buy Transarc NT-client). Since I have no knowledge in
NT programming, I'll propably stick to the dirty and somewhat unsecure
(but not worse than our previous NFS solution) srvtab solution, but I
would love to test your software if you release it.

What about preformance? Would Transarc NT-client and Samba for printing
be a lot faster, than Samba for both files and printing?

/Johan Hedin

| Johan Hedin                      | johanh at             |
| Ph.D. Student and System Manager | |

More information about the samba-ntdom mailing list