Samba as a gateway to OpenAFS

Steve Langasek vorlon at
Wed May 29 08:26:01 GMT 2002

On Wed, May 29, 2002 at 11:31:34PM +1000, Andrew Bartlett wrote:
> > Andrew Bartlett <abartlet at> writes:

> > > > > > > 1. Get rid of AFS's need for plaintext passwords.
> > [....]
> > > > Ah, of course credential forwarding/proxying would be a requirement for
> > > > making this work without giving the gateway special privileges; I'd
> > > > completely overlooked that.  I'm afraid I don't know the answer, though.
> > > > Perhaps someone currently doing Samba 3.0 work has run into this and can
> > > > say?
> > >
> > > I see no reason why this would not be possible.  We would need to do a
> > > little bit of work on the smbd side of things, but credential forwarding
> > > is pretty standard.  This assumes either an AD domain, or Samba modified
> > > to correctly function with krb5 but without AD (which also implies
> > > windows clients joined to such a domain).

> > So, how do you tell the client to forward creds to the fileserver, and
> > can you choose what creds you want to forward?

> This assumes krb5, where this is all quite standard.  

Credentials forwarding is a standard feature of KRB5; but in all
applications I can think of, the default behavior is to /not/ forward
credentials unless the client explicitly requests (permits) it.  There
are many cases where you don't want to forward credentials to Kerberos
services, because doing so allows the service to impersonate you to one
or more other services on the network.  Now for AFS support we would
certainly want that; but how does the Microsoft client know how and when
to forward credentials?

The easy -- and less secure -- solution is to forward a TGT to the
fileserver; then you just need to decide when to do the forwarding.
This has the drawback that the server can completely impersonate you to
any service in the realm (except those with DISALLOW_TGT_BASED set).
The other option is to only forward the credentials needed for a
particular service, e.g., AFS.  But then you need some way of
configuring the client to know which credentials those are.

Steve Langasek
postmodern programmer
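The two forwarding choices Steve lays out (hand the fileserver a TGT, or hand it only the ticket for the one service it needs) can be modelled as a small selection policy over a credential cache. The following is an added example, not code from this thread, Samba, or MIT krb5: the credential cache, the realm's service list, the principal names and the `DISALLOW_TGT_BASED` marking are all constructed for illustration, and the flag letters follow the `klist -f` convention (F = forwardable, I = initial, A = pre-authenticated). It shows what the receiving server could reach as the user under each choice, which is the point of the trade-off.

```python
"""Model of TGT forwarding versus per-service credential forwarding.

Constructed example, not Samba or MIT krb5 code.  Principal names use the
real Kerberos form service/instance@REALM; the cache contents, the realm's
service catalogue and the DISALLOW_TGT_BASED marking are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ticket:
    client: str
    server: str
    flags: str = ""  # klist -f style letters: F forwardable, I initial, A preauth

    @property
    def forwardable(self) -> bool:
        # A ticket can only be forwarded if the KDC issued it with the
        # FORWARDABLE flag (which the client had to ask for, e.g. kinit -f).
        return "F" in self.flags

    @property
    def is_tgt(self) -> bool:
        # A TGT is a ticket for the ticket-granting service: krbtgt/REALM@REALM
        return self.server.startswith("krbtgt/")


@dataclass(frozen=True)
class Service:
    principal: str
    disallow_tgt_based: bool = False  # KDC principal attribute DISALLOW_TGT_BASED


def realm_of(principal: str) -> str:
    return principal.rsplit("@", 1)[1]


def select_forwardable(cache, target, allow_tgt):
    """Choose which credential to forward to the service principal ``target``.

    Least privilege first: a forwardable service ticket for exactly ``target``.
    Only if none is available and the caller permits it, fall back to the
    forwardable TGT (the "easy, less secure" option from the message above).
    Returns None if nothing suitable is in the cache.
    """
    for t in cache:
        if t.server == target and t.forwardable:
            return t
    if allow_tgt:
        for t in cache:
            if t.is_tgt and t.forwardable:
                return t
    return None


def reachable_services(forwarded, services):
    """Set of service principals the receiver could use as the user.

    A forwarded TGT lets the receiver obtain tickets for any service in the
    TGT's realm except those marked DISALLOW_TGT_BASED (cross-realm trust is
    deliberately not modelled).  A forwarded service ticket is good for that
    one service only.
    """
    if forwarded is None:
        return set()
    if forwarded.is_tgt:
        realm = realm_of(forwarded.server)
        return {s.principal for s in services
                if realm_of(s.principal) == realm and not s.disallow_tgt_based}
    return {forwarded.server}


# Constructed sample cache for a user "alice": a forwardable TGT, a forwardable
# AFS ticket, and a CIFS ticket that was issued without the forwardable flag.
CACHE = [
    Ticket("alice@EXAMPLE.ORG", "krbtgt/EXAMPLE.ORG@EXAMPLE.ORG", "FIA"),
    Ticket("alice@EXAMPLE.ORG", "afs/example.org@EXAMPLE.ORG", "FA"),
    Ticket("alice@EXAMPLE.ORG", "cifs/fileserver.example.org@EXAMPLE.ORG", "A"),
]

# Constructed realm catalogue; the admin host refuses TGT-based tickets.
SERVICES = [
    Service("afs/example.org@EXAMPLE.ORG"),
    Service("cifs/fileserver.example.org@EXAMPLE.ORG"),
    Service("imap/mail.example.org@EXAMPLE.ORG"),
    Service("host/admin.example.org@EXAMPLE.ORG", disallow_tgt_based=True),
]

AFS = "afs/example.org@EXAMPLE.ORG"
CIFS = "cifs/fileserver.example.org@EXAMPLE.ORG"


def compare(target, allow_tgt):
    """Return (credential forwarded, services it exposes) for one policy run."""
    chosen = select_forwardable(CACHE, target, allow_tgt)
    return chosen, reachable_services(chosen, SERVICES)


if __name__ == "__main__":
    for target, allow_tgt in ((AFS, False), (CIFS, False), (CIFS, True)):
        chosen, exposed = compare(target, allow_tgt)
        print(target, "allow_tgt=%s" % allow_tgt,
              "->", chosen.server if chosen else None, sorted(exposed))
```

Run as written, the AFS case forwards only the AFS ticket and exposes one service; the CIFS case with `allow_tgt=False` forwards nothing because the CIFS ticket is not forwardable; the same case with `allow_tgt=True` forwards the TGT and exposes every service in the realm except the one marked `DISALLOW_TGT_BASED`. That last line is the impersonation cost of the "easy" option.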

More information about the samba-technical mailing list