[Samba] Is possible? --- reposting + new
senseiwa at tin.it
Tue Mar 8 21:57:03 GMT 2005
I'm trying to find a solution for our windows clients. I will explain my
We have kerberos 5 (mit) kdc, openafs without kaserver (authentication
using kerberos), openldap, everything on debian stable servers. What do
our unix/linux clients do? They authenticate over kerberos (pam), gain
tickets and consequently gain the afs token (krb5afs or
openafs_session), call ldap and find their home under
/afs/cell/usr/username (posixAccount, posixGroup). Nothing is local.
Every file, desktop and stuff, is stored under afs (no matter what, a
user sees just a directory /afs... nothing different from any other
directory they will see).
I'd like to do the same thing on windows using samba, but I need some
advice because I'm not sure. Just two points before asking. These
things apply clearly for windows only, since linux, unix (aix, irix, and
solaris), and macosx do what I've said before (all remotely).
- Kerberos for Windows:
KFW after a successful windows login, if the username and password
match the kerberos principal and password, automatically gains all
- OpenAFS for Windows:
AFS after a successful windows login, if the username and password
match the kaserver principal and password, automatically gains the AFS
token. --- If OpenAFS is installed under a kerberos environment, so with
KFW present on the system, will convert the previously obtained kerberos
ticket into an AFS token. --- OpenAFS uses a UNC name \\AFS in windows,
so no letter Z: Y: or whatever is needed anymore, anyway, they can be
Now, I'd like to have the same thing without a windows server, doing the
same thing with samba, having remote profiles and all the user's stuff
on afs, and authenticating users NOT locally... is that possible?
I'd like to know some things. My user authentication and authorization
data is created on kerberos, afs and ldap servers. I'd like to create
users just on samba, not modifying users locally on each machine...
would be quite crazy (and not feasible... ~500 users...).
Can samba help me? In what way?
I know I can create an NT4 domain with samba alone. Good. Can samba tell
the windows client to use \\AFS or have I to export a drive for afs? Are
there issues in doing that?
If I specify ``\\AFS\cellname\users\username'' as the profile storing
directory, will windows go on afs or will samba screw it up all since
samba does not understand \\AFS since it is working on linux? I mean,
windows understands \\AFS\blah\blah but I don't know if it's a
I know the answer is no, but I will ask it anyway :) Can samba have no
password and get authentication/authorization from a kerberos kdc?
How can I synchronize passwords? I mean, if samba can't use kerberos,
the user will change just the samba password... I need to modify also
kerberos passwords since they should be able to use the same username
and password on every pc in the department.
In particular... I was discouraged to use samba, because all windows
clients would be using plain text passwords, sending them clear-text on
the network. Is it true? Is there a way of avoiding this?
Any help, even if little, is really appreciated!!!
Sensei <mailto:senseiwa at tin.it> <pgp:8998A2DB>
<msn-id:sensei_sen at hotmail.com>