Samba as a gateway to OpenAFS

Steve Langasek vorlon at netexpress.net
Tue May 28 15:52:11 GMT 2002


On Tue, May 28, 2002 at 11:09:00AM +0200, Love wrote:
> Steve Langasek <vorlon at netexpress.net> writes:

> > > To re-phrase, I am trying to:

> > > 1. Get rid of AFS's need for plaintext passwords.
> > > 2. Establish a "registration" mechanism for new samba users and those that
> > >    change their passwords.
> > > 3. Turn on encrypted password support.

> > > The patches that will give you AFS support with plaintext turned on can be
> > > found at www.ualberta.ca/~sholstea

> > > The routines that will allow me to turn on encrypted password support for
> > > AFS users are still under development.

> > Unfortunately, my interest in this is strictly academic, since my
> > current employer doesn't use AFS and won't any time soon, either.
> > Nevertheless, I'm quite pleased to see development in this area.  I
> > assume that as a large university, you have a need for supporting old
> > Windows clients that precludes a pure Active Directory+AFS style of
> > integration (NT password hashes only)?

> Is there credential forwarding in smb/cifs or is there a need to send that
> out of band?

Ah, of course credential forwarding/proxying would be a requirement for
making this work without giving the gateway special privileges; I'd
completely overlooked that.  I'm afraid I don't know the answer, though.
Perhaps someone currently doing Samba 3.0 work has run into this and can
say?

> The solution I've been using is giving the samba gateway privileges into
> the afs-space (by storing the afs KeyFile on the gateway and cooking cred's
> on the fly).

Hmm, this solution certainly seems less bad than many of the other
possibilities.  I'm sure I'd rather trust one server with full access to
the filesystem, than trusting that server with full access to the
plaintext passwords of all users.

Steve Langasek
postmodern programmer