Samba as a gateway to OpenAFS
abartlet at pcug.org.au
Wed May 29 03:45:02 GMT 2002
Steve Langasek wrote:
> On Tue, May 28, 2002 at 11:09:00AM +0200, Love wrote:
> > Steve Langasek <vorlon at netexpress.net> writes:
> > > > To re-phrase, I am trying to:
> > > > 1. Get rid of AFS's need for plaintext passwords.
> > > > 2. Establish a "registration" mechanism for new samba users and those that
> > > > change their passwords.
> > > > 3. Turn on encrypted password support.
> > > > The patches that will give you AFS support with plaintext turned on can be
> > > > found at www.ualberta.ca/~sholstea
> > > > The routines that will allow me to turn on encrypted password support for
> > > > AFS users are still under development.
> > > Unfortunately, my interest in this is strictly academic, since my
> > > current employer doesn't use AFS and won't any time soon, either.
> > > Nevertheless, I'm quite pleased to see development in this area. I
> > > assume that as a large university, you have a need for supporting old
> > > Windows clients that precludes a pure Active Directory+AFS style of
> > > integration (NT password hashes only)?
> > Is there credential forwarding in smb/cifs or is there a need to send that
> > out of band ?
> Ah, of course credential forwarding/proxying would be a requirement for
> making this work without giving the gateway special privileges; I'd
> completely overlooked that. I'm afraid I don't know the answer, though.
> Perhaps someone currently doing Samba 3.0 work has run into this and can
I see no reason why this would not be possible. We would need to do a
little bit of work on the smbd side of things, but credential forwarding
is pretty standard. This assumes either an AD domain, or Samba modified
to correctly function with krb5 but without AD (which also implies
windows clients joined to such a domain).
> > The solution I've been using is giving the samba gateway privileges into
> > the afs-space (by storing the afs KeyFile on the gateway and cooking creds
> > on the fly).
> Hmm, this solution certainly seems less bad than many of the other
> possibilities. I'm sure I'd rather trust one server with full access to
> the filesystem, than trusting that server with full access to the
> plaintext passwords of all users.
Yes, most of the current solutions are pretty nasty...
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net