[Samba] Is it feasible?

Franco "Sensei" senseiwa at tin.it
Sun Feb 27 16:26:00 GMT 2005


I'm trying to find a solution for our windows clients. I will explain my 

We have kerberos 5 (mit) kdc, openafs without kaserver (authentication 
using kerberos), openldap, everything on debian stable servers. What do 
our unix/linux clients do? They authenticate over kerberos (pam), gain 
tickets and consequently gain the afs token (krb5afs or 
openafs_session), call ldap and find their home under 
/afs/cell/usr/username (posixAccount, posixGroup). Nothing is local. 
Every file, desktop and stuff, is stored under afs (no matter what, a 
user sees just a directory /afs... nothing different from any other 
directory they will see).

I'd like to do the same thing on windows using samba, but I need some 
advice because I'm not sure. Just two points before asking. These 
things apply clearly for windows only, since linux, unix (aix, irix, and 
solaris), and macosx do what I've said before (all remotely).

- Kerberos for Windows:
    KFW, after a successful windows login, if the username and password 
match the kerberos principal and password, automatically gains all 
kerberos tickets.

- OpenAFS for Windows:
    AFS, after a successful windows login, if the username and password 
match the kaserver principal and password, automatically gains the AFS 
token.
    If OpenAFS is installed under a kerberos environment, so with 
KFW present on the system, it will convert the previously obtained kerberos 
ticket into an AFS token.
    OpenAFS uses a UNC name \\AFS in windows, 
so no letter Z: Y: or whatever is needed anymore, anyway, they can be 

Now, I'd like to have the same thing without a windows server, doing the 
same thing with samba, having remote profiles and all the user's stuff 
on afs, and authenticating users NOT locally... is that possible?

I'd like to know some things. My user authentication and authorization 
data is created on kerberos, afs and ldap servers. I'd like to create 
users just on samba, not modifying users locally on each machine... that 
would be quite crazy (and not feasible... ~500 users...).

Can samba help me? In what way?

I know I can create an NT4 domain with samba alone. Good. Can samba tell 
the windows client to use \\AFS or have I to export a drive for afs? Are 
there issues in doing that?

If I specify ``\\AFS\cellname\users\username'' as the profile storing 
directory, will windows go on afs or will samba screw it all up since 
samba does not understand \\AFS since it is working on linux? I mean, 
windows understands \\AFS\blah\blah but I don't know if it's a

I know the answer is no, but I will ask it anyway :) Can samba have no 
password and get authentication/authorization from a kerberos kdc?

How can I synchronize passwords? I mean, if samba can't use kerberos, 
the user will change just the samba password... I need to modify also 
the kerberos password, since they should be able to use the same username 
and password on every pc in the department.

Any help, even if little, is really appreciated!!!
Sensei <mailto:senseiwa at tin.it> <pgp:8998A2DB>
        <msn-id:sensei_sen at hotmail.com>