Samba as a gateway to OpenAFS

Steve Holstead Steve.Holstead at
Thu Aug 8 08:35:02 GMT 2002

On Sun, 4 Aug 2002, Daniel Clark/Cambridge/IBM wrote:

> I also have two questions for Steve Holstead:
> On Fri, May 24, 2002 at 10:44:54AM -0600, Steve Holstead wrote:
> > The patches that will give you AFS support with plaintext turned on can
> be
> > found at
> What version of Samba are these patches against?

Sorry the patch URL should read

These have been applied to 2.2.4
> >From reading your paper I was under the impression that the following was
> working:
> (1) User primes Samba server with cleartext password somehow - this can be
> done out-of-band in a secure manner.

You are correct in what you are thinking. We are getting the clear text by
adding a routine to our change passord web page, and our student
registration processes. This means that any time a new user is registered,
or a user is deleted, or a user changes a password, we get a signal on our
samba server and do the necessary Fokstraut update. I hope to have this in
production by the fall.

> (2) Using Samba + the Fokstraut code, a DBM database is maintained on the
> Samba server that contains the user's username, cleartext password, and
> Windows password hash.

That is correct.

> (3) The user connects to the Samba server using normal SMB encrypted
> authentication. The Samba server authenticates the user using the windows
> password hash in the DBM database, and then gets the user AFS tokens by
> using the cleartext password in the DBM database.

That is correct.

> Is this functionality what is still under developement, or are you refering
> to some of the new development work you are doing to get rid of the need
> for cleartext passwords all together? I'm working on a web account
> management framework that could take care of (1), so your solution looks
> really good to me as it stands.

As stated above, the "registration" process (ie. your web account stuff)
is just about finished.

The new work will be to get rid fo the need for clear text passords when
getting a token. This will allow me to get rid of Fokstraut and start
using the tdb's that come with samba.

> Thanks,
> --
> Daniel Clark # Sys Admin & Release Engineer
> IBM > Lotus > Messaging Technology Group

More information about the samba-technical mailing list