Samba as a gateway to OpenAFS

Andrew Bartlett abartlet at pcug.org.au
Wed May 29 03:45:02 GMT 2002


Steve Langasek wrote:
> 
> On Tue, May 28, 2002 at 11:09:00AM +0200, Love wrote:
> > Steve Langasek <vorlon at netexpress.net> writes:
> 
> > > > To re-phrase, I am trying to:
> 
> > > > 1. Get rid of AFS's need for plaintext passwords.
> > > > 2. Establish a "registration" mechanism for new samba users and those that
> > > >    change their passwords.
> > > > 3. Turn on encrypted password support.
> 
> > > > The patches that will give you AFS support with plaintext turned on can be
> > > > found at www.ualberta.ca/~sholstea
> 
> > > > The routines that will allow me to turn on encrypted password support for
> > > > AFS users are still under development.
> 
> > > Unfortunately, my interest in this is strictly academic, since my
> > > current employer doesn't use AFS and won't any time soon, either.
> > > Nevertheless, I'm quite pleased to see development in this area.  I
> > > assume that as a large university, you have a need for supporting old
> > > Windows clients that precludes a pure Active Directory+AFS style of
> > > integration (NT password hashes only)?
> 
> > Is there credential forwarding in smb/cifs, or is there a need to send that
> > out of band?
> 
> Ah, of course credential forwarding/proxying would be a requirement for
> making this work without giving the gateway special privileges; I'd
> completely overlooked that.  I'm afraid I don't know the answer, though.
> Perhaps someone currently doing Samba 3.0 work has run into this and can
> say?

I see no reason why this would not be possible.  We would need to do a
little bit of work on the smbd side of things, but credential forwarding
is pretty standard.  This assumes either an AD domain, or Samba modified
to correctly function with krb5 but without AD (which also implies
Windows clients joined to such a domain).

> > The solution I've been using is giving the samba gateway privileges into
> > the afs-space (by storing the afs KeyFile on the gateway and cooking creds
> > on the fly).
> 
> Hmm, this solution certainly seems less bad than many of the other
> possibilities.  I'm sure I'd rather trust one server with full access to
> the filesystem, than trusting that server with full access to the
> plaintext passwords of all users.

Yes, most of the current solutions are pretty nasty...

Andrew Bartlett
-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
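As an added illustration (not part of the thread, and not code from the Samba or OpenAFS projects), the following is a minimal smb.conf fragment for the "AD domain" case Andrew assumes above: smbd is joined to a Kerberos realm and validates Windows clients' tickets, so no plaintext password ever reaches the gateway. The realm, workgroup and KDC names are placeholders; the AFS side (KeyFile on the gateway, or forwarding of the user's own ticket) is deliberately not configured here, since the thread describes that work as still in progress.

```ini
# Added example, not from the original post. Placeholder names throughout.
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    # security = ADS makes smbd authenticate against the Kerberos realm
    # (Active Directory) rather than against local password hashes.
    security = ADS
    # Never accept plaintext passwords from clients.
    encrypt passwords = yes
    password server = kdc.example.com
```

After `net ads join`, smbd accepts Kerberos-authenticated sessions. Forwarding the client's own credentials onward to AFS, as asked in the thread, is a separate Kerberos matter: the client's TGT must be forwardable (a `kinit -f` / KDC policy setting, not a Samba option), otherwise the only remaining route is the one Love describes, giving the gateway its own AFS privileges via the KeyFile.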
