Opportunities for Samba4 based CIFS proxies

Matt Benjamin matt at linuxbox.com
Thu Nov 3 19:27:08 GMT 2005


As I had someone the same question as Volker, I'm also still trying to 
grasp this. 

I don't see how to take advantage of this in an environment I 
unfortunately must support:

a) must proxy afs access to w9x clients
b) have krb5
c) do not have w2k+/AD, and never will have

I have a variant of the NPLogon redirection mechanism, which employs 
krb5.  I do not find it satisfying, however.

Are you saying that S4U2Self offers something for those clients?  Or did 
you mean that w9x and nt4 are legacy produts and S4U2Self offers no 
assistance with them?

Matt

Love wrote:

>Volker Lendecke <Volker.Lendecke at SerNet.DE> writes:
>
>  
>
>>On Thu, Nov 03, 2005 at 01:16:36PM +0100, Love wrote:
>>    
>>
>>>>Assuming that all clients send us Kerberos tickets. What can we do if
>>>>they fall back to ntlm?
>>>>        
>>>>
>>>Seems to be an excellent time to stop using NTLM :)
>>>      
>>>
>>Hmmmm. But what do you do with the existing clients such as NT4, Win9x?
>>    
>>
>
>For those sites that want less scaryness and don't run legacy products,
>using delegated credentials excellent and wonderful upgrade.
>
>  
>
>>I'm not aware of any extension that would allow these systems to send
>>Kerberos tickets. 
>>    
>>
>
>You should look closer at S4U2Self.
>
>  
>
>>And I'm coming across a lot of NT4 domains. I think it
>>would not be wise to drop support for these environments.
>>    
>>
>
>I'm not proposing droping support, just not make it the only option for
>those that don't need it.
>
>Love
>
>  
>



More information about the samba-technical mailing list