Samba as a gateway to OpenAFS

Love lha at stacken.kth.se
Tue May 28 02:13:02 GMT 2002


Steve Langasek <vorlon at netexpress.net> writes:

> > To re-phrase, I am trying to:
> 
> > 1. Get rid of AFS's need for plaintext passwords.
> > 2. Establish a "registration" mechanism for new samba users and those that
> >    change their passwords.
> > 3. Turn on encrypted password support.
> 
> > The patches that will give you AFS support with plaintext turned on can be
> > found at www.ualberta.ca/~sholstea
> 
> > The routines that will allow me to turn on encrypted password support for
> > AFS users are still under development.
> 
> Unfortunately, my interest in this is strictly academic, since my
> current employer doesn't use AFS and won't any time soon, either.
> Nevertheless, I'm quite pleased to see development in this area.  I
> assume that as a large university, you have a need for supporting old
> Windows clients that precludes a pure Active Directory+AFS style of
> integration (NT password hashes only)?

Is there credential forwarding in smb/cifs or is there a need to send that
out of band?
 
The solution I've been using is giving the samba gateway privileges into
the afs-space (by storing the afs KeyFile on the gateway and cooking creds
on the fly).

> I'd be tickled pink if someone were actually implementing a Samba-AFS
> gateway using pure Kerberos 5, but AIUI there's still quite a lot of
> work involved in getting OpenAFS to use /anything/ other than DES.

It's not talking des, it's using fcrypt. And yes there is work in progress to
make it talk something better than fcrypt, and no, it's not that hard.

Love



