Samba and AFS

Ken Weiss ken.weiss at
Mon Apr 5 15:31:00 GMT 1999

>Date: Sat, 03 Apr 1999 15:45:11 +0100
>From: Nuno Miguel Neves <nneves at>
>To: samba at
>Subject: Samba and AFS
>Message-ID: <37062977.81EA3BE6 at>
>I use Windows NT 4.0 SP4 and Windows 98, and I would like to connect via
>Samba to a file (or directory) in AFS.
>However, Samba doesn't appear to validate my password against the AFS
>database. I'm using (forced by NT, and for security reasons) encrypted
>passwords, which forces me to have a smbpasswd file. Is that the problem?
>If it is, is there any way that Samba can accept the encrypted password from
>Windows, decrypt it, and verify it against the AFS database?
>If someone has this working, please give me a hint!


No, there is no existing mechanism to use encrypted passwords with Samba's
AFS authentication. All the AFS tools do is take the cleartext password
supplied by the user and present it to the PTS server to obtain AFS tokens.
If the password is encrypted, this process fails.

Two basic strategies have been proposed to get around this. One is to
maintain a table of both the encrypted and unencrypted passwords on the
Samba server, and hack the AFS authentication module to match up the
encrypted passwords in this file and get the corresponding unencrypted
password for use in the klog process. The other is a sidecar approach,
adding some separate client to the Windows box and server to the UNIX box
to negotiate the AFS authentication in some secure fashion. I'm not aware
of anybody that has really cleanly implemented either solution.


Ken Weiss                                                ken.weiss at
California Digital Library Technologies
UC Office of the President	                      (510) 710-3356 (voice)
1111 Franklin Street #7313B		ken.weiss.pager at (text page)
Oakland, CA  94607-5200
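
An added illustration, not part of the original message and not Samba or AFS code: a Python sketch of why the server cannot pass what it receives under encrypted passwords to the AFS login step, and what the first strategy in the reply (a table from the stored hash back to the cleartext) amounts to. SHA-256 and HMAC stand in for the real SMB and AFS algorithms, and every function name, the user, the cell and the password are constructed.

```python
import hashlib
import hmac
import os

# Assumption: SHA-256/HMAC stand in for the MD4/DES-based SMB scheme and for the
# AFS string-to-key function. Only the one-way property matters for this sketch.

def smb_hash(password: str) -> bytes:
    """Value kept in smbpasswd: a one-way hash of the password."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def smb_response(stored_hash: bytes, challenge: bytes) -> bytes:
    """What the Windows client sends: the challenge keyed with the hash."""
    return hmac.new(stored_hash, challenge, hashlib.sha256).digest()

def smb_verify(smbpasswd: dict, user: str, challenge: bytes, resp: bytes) -> bool:
    """Samba can only recompute the response and compare; nothing is decrypted."""
    stored = smbpasswd.get(user)
    return stored is not None and hmac.compare_digest(smb_response(stored, challenge), resp)

def afs_key(password: str, cell: str) -> bytes:
    """Hypothetical AFS-side derivation; it starts from the cleartext password."""
    return hashlib.sha256((cell + ":" + password).encode()).digest()

def afs_login(afs_db: dict, user: str, cell: str, password: str) -> bool:
    """Stand-in for the klog step: derive the key from cleartext and compare."""
    return hmac.compare_digest(afs_db.get(user, b""), afs_key(password, cell))

def demo() -> dict:
    user, cell, password = "alice", "example.cell", "constructed-pass-1"  # constructed
    smbpasswd = {user: smb_hash(password)}
    afs_db = {user: afs_key(password, cell)}
    # First strategy from the reply: a server-side table from hash back to cleartext.
    table = {smb_hash(password): password}

    challenge = os.urandom(8)
    resp = smb_response(smb_hash(password), challenge)  # computed on the client
    return {
        "smb_ok": smb_verify(smbpasswd, user, challenge, resp),
        # The response and the stored hash are the only secrets Samba holds.
        "afs_with_response": afs_login(afs_db, user, cell, resp.hex()),
        "afs_with_hash": afs_login(afs_db, user, cell, smbpasswd[user].hex()),
        "afs_with_table": afs_login(afs_db, user, cell, table[smbpasswd[user]]),
    }

if __name__ == "__main__":
    print(demo())
```

The table is a cleartext copy of every user's AFS password on the Samba server, so it needs at least the protection given to the AFS database itself.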
