Samba as a gateway to OpenAFS
Andrew Bartlett
abartlet at pcug.org.au
Wed May 29 03:45:02 GMT 2002
Steve Langasek wrote:
>
> On Tue, May 28, 2002 at 11:09:00AM +0200, Love wrote:
> > Steve Langasek <vorlon at netexpress.net> writes:
>
> > > > To re-phrase, I am trying to:
>
> > > > 1. Get rid of AFS's need for plaintext passwords.
> > > > 2. Establish a "registration" mechanism for new samba users and those that
> > > > change their passwords.
> > > > 3. Turn on encrypted password support.
>
> > > > The patches that will give you AFS support with plaintext turned on can be
> > > > found at www.ualberta.ca/~sholstea
>
> > > > The routines that will allow me to turn on encrypted password support for
> > > > AFS users are still under development.
>
> > > Unfortunately, my interest in this is strictly academic, since my
> > > current employer doesn't use AFS and won't any time soon, either.
> > > Nevertheless, I'm quite pleased to see development in this area. I
> > > assume that as a large university, you have a need for supporting old
> > > Windows clients that precludes a pure Active Directory+AFS style of
> > > integration (NT password hashes only)?
>
> > Is there credential forwarding in smb/cifs or is there a need to send that
> > out of band ?
>
> Ah, of course credential forwarding/proxying would be a requirement for
> making this work without giving the gateway special privileges; I'd
> completely overlooked that. I'm afraid I don't know the answer, though.
> Perhaps someone currently doing Samba 3.0 work has run into this and can
> say?
I see no reason why this would not be possible. We would need to do a
little bit of work on the smbd side of things, but credential forwarding
is pretty standard. This assumes either an AD domain, or Samba modified
to correctly function with krb5 but without AD (which also implies
windows clients joined to such a domain).
> > The solution I've been using is giving the samba gateway privileges into
> > the afs-space (by storing the afs KeyFile on the gateway and cooking creds
> > on the fly).
>
> Hmm, this solution certainly seems less bad than many of the other
> possibilities. I'm sure I'd rather trust one server with full access to
> the filesystem, than trusting that server with full access to the
> plaintext passwords of all users.
Yes, most of the current solutions are pretty nasty...
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net