Samba as a gateway to OpenAFS

Steve Langasek vorlon at netexpress.net
Fri May 24 11:35:02 GMT 2002 

On Fri, May 24, 2002 at 10:44:54AM -0600, Steve Holstead wrote:

> Unfotunately, we have the need to offer AFS space to our users via SAMBA.
> In doing so, we have had to introduce a number of patches to accomplish
> this task. The methodology was discussed at the LISA 2000 conference re:
> http://www.usenix.org/events/lisa2000/full_papers/beck/beck_html/index.html

> The introduction of the fokstraut DB allowed us to store the plaintext
> password along with the HASH forms.

> I would like to say that since that time, I have introduced an additional
> module to re-authenticate those users who insist on not logging out. This
> module will ensure that their token sticks around.

> It is my intention to rid myself of the fokstraut DB by establishing a
> "trust" between the AFS server and my samba server such that I can get a
> token without having to send a clear text password. This will allow me to
> migrate all fokstraut DB records to the SAMBA password tdb.

> I am also working on a routine that ties into our password management
> functions (ie our krb5, krb4, and AFSkrb). This will enable the creation
> of a passwd tdb record which stays in sync with all the other passwd
> records.

> To re-phrase, I am trying to:

> 1. Get rid of AFS's need for plaintext passwords.
> 2. Establish a "registration" mechanism for new samba users and those that
>    change their passwords.
> 3. Turn on encrypted password support.

> The patches that will give you AFS support with plaintext turned on can be
> found at www.ualberta.ca/~sholstea

> The routines that will allow me to turn on encrypted pasword support for
> AFS users are still under developement.

Unfortunately, my interest in this is strictly academic, since my
current employer doesn't use AFS and won't any time soon, either.
Nevertheless, I'm quite pleased to see development in this area.  I
assume that as a large university, you have a need for supporting old
Windows clients that precludes a pure Active Directory+AFS style of
integration (NT password hashes only)?

I'd be tickled pink if someone were actually implementing a Samba-AFS
gateway using pure Kerberos 5, but AIUI there's still quite a lot of
work involved in getting OpenAFS to use /anything/ other than DES.

Steve Langasek
postmodern programmer
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20020524/533bc7cc/attachment.bin

More information about the samba-technical mailing list