Samba as a gateway to OpenAFS

Steve Holstead Steve.Holstead at ualberta.ca
Fri May 24 09:48:02 GMT 2002 

Unfotunately, we have the need to offer AFS space to our users via SAMBA.
In doing so, we have had to introduce a number of patches to accomplish
this task. The methodology was discussed at the LISA 2000 conference re:
http://www.usenix.org/events/lisa2000/full_papers/beck/beck_html/index.html

The introduction of the fokstraut DB allowed us to store the plaintext
password along with the HASH forms.

I would like to say that since that time, I have introduced an additional
module to re-authenticate those users who insist on not logging out. This
module will ensure that their token sticks around.

It is my intention to rid myself of the fokstraut DB by establishing a
"trust" between the AFS server and my samba server such that I can get a
token without having to send a clear text password. This will allow me to
migrate all fokstraut DB records to the SAMBA password tdb.

I am also working on a routine that ties into our password management
functions (ie our krb5, krb4, and AFSkrb). This will enable the creation
of a passwd tdb record which stays in sync with all the other passwd
records.

To re-phrase, I am trying to:

1. Get rid of AFS's need for plaintext passwords.
2. Establish a "registration" mechanism for new samba users and those that
   change their passwords.
3. Turn on encrypted password support.

The patches that will give you AFS support with plaintext turned on can be
found at www.ualberta.ca/~sholstea

The routines that will allow me to turn on encrypted pasword support for
AFS users are still under developement.

On Thu, 23 May 2002, Steve Langasek wrote:

> On Thu, May 23, 2002 at 11:17:41AM +0200, Toens Bueker wrote:
>
> > in order to make an easy migration from SMB-based fileservers to an
> > OpenAFS-filesystem (in order to support various branch offices), I'd like to
> > setup Samba as a gateway to OpenAFS.
>
> > For unknown reasons documentation on this topic is a little thin. Furthermore
> > the AFS-patches for Samba seem to be a little out of date (they don't even
> > mention OpenAFS).
>
> > I'm sure, that there are several people, who have accomplished to build such a
> > gateway.
>
> The primary reason why existing AFS+Samba stuff is so out-of-date is
> that AFS security is quite incompatible with the password hashes used
> when 'encrypted passwords = yes' is enabled, as must be the case for
> Samba to work with all stock Windows clients since about 1997.
>
> This leaves people wanting to implement Samba AFS gateways with three
> choices:
>
> - Create a gateway that only works with public, anonymous AFS resources.
>
> - Create a gateway that allows authenticated access to the wonderful
>   world of secure AFS, but does so by sending plaintext passwords across
>   the network from the Windows client to the Samba server.
>
> - (New option) Do a whole lot of work to integrate AFS with a Kerberos
>   realm that uses the same type of encryption as NT, à la Active
>   Directory.
>
> Apparently, the AFS community hasn't been keen enough on any of these
> options for anyone to be motivated to implement an open solution.
>
> Steve Langasek
> postmodern programmer
>

More information about the samba-technical mailing list