Hello. I guess it is unusual to follow up one's own message, however,
I've learned a little more about the problem and have more questions.
The samba distribution (1.9.18p3) is capable of doing encrypted
password authentication between the samba client and server. The protocol
used to perform this authentication involves formulating a hashed 16-byte
value from the clear text password, then having the server store that value
so that it can see if the challenge response nonce which is used during the
authentication process was encrypted using the 16-byte one-way hash of the
original password. The 16-byte token is never transmitted over the wire,
but the token isn't itself the clear text password.
Since I believe we need a clear text password, or key, to get an AFS
ticket from a Kerberos server, it occurs to me that this mechanism, out of
the box, cannot be used to fetch an AFS credential, which is essentially a
Kerberos service ticket.
One possible solution I've considered is to have a principal in
Kerberos whose tgt password is the 16-byte value stored on the samba
server. The problem is that I'd like to use a different password for the
same principal when fetching tgts for other purposes. So, my questions are
these:
1. Is it possible to have more than one tgt principal per password?
2. If not, could I set up two principals in Kerberos and modify MIT's aklog
program to smash those principals into the same AFS token?
3. Is there something obvious I'm missing in this puzzle which would make
the problem easier?
Any thoughts, expert opinions, etc. would be greatly appreciated.
-thanks
-Brian
On Feb 25, 6:25pm, Brian Buhrow wrote:
} Subject: AFS, samba, and clear text passwords
} Hello fellow AFS users. Today's topic is Samba. I believe some of
} the folks on this list are serving their clients through samba servers hung
} from AFS clients. Could those people describe solutions they've cooked up
} for keeping the clear text AFS authentication passwords off the wire
} between the samba servers and clients? I've heard reports that it couldn't
} be done. However, it seems so popular among AFS sites, that I can't
} believe there isn't a solution which works reasonably well.
} -thanks in advance.
} -brian
>-- End of excerpt from Brian Buhrow
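The following is an added illustration of the authentication shape described in the message above (a 16-byte one-way hash of the clear-text password stored on the server, a challenge that the client answers using that hash, the hash itself never crossing the wire). It is not code from this thread and not Samba's code; the hash function (SHA-256 truncated to 16 bytes) and the response function (HMAC-SHA256 over the challenge) are stand-ins chosen so it runs with the Python standard library, and they do not reproduce Samba's actual LM/NT hashing or DES-based response. What it does show is the point at the root of the poster's problem: the server can verify a login while holding only the 16-byte token, and anyone holding that token can log in without ever knowing the clear-text password, so the token is a credential in its own right but is not a key from which the clear text can be recovered.

```python
"""Challenge-response login in the shape the message describes.

Added example, not from the thread or from Samba. Hash and response
functions are stand-ins (see lead-in); the user name and password below
are constructed sample data.
"""
import hashlib
import hmac
import os


def password_hash(password: str) -> bytes:
    """16-byte one-way hash of the clear-text password (stand-in)."""
    return hashlib.sha256(password.encode("utf-8")).digest()[:16]


def make_response(token: bytes, challenge: bytes) -> bytes:
    """Client side: prove knowledge of the 16-byte token without sending it.

    Stand-in for encrypting the server's challenge under the token; the
    real wire format is not reproduced here.
    """
    return hmac.new(token, challenge, hashlib.sha256).digest()


class Server:
    """Stores only the 16-byte token per user, never the clear-text password."""

    def __init__(self) -> None:
        self._tokens: dict[str, bytes] = {}
        self._outstanding: dict[str, bytes] = {}

    def enroll(self, user: str, password: str) -> None:
        # The clear text is hashed once at enrolment and then discarded.
        self._tokens[user] = password_hash(password)

    def challenge(self, user: str) -> bytes:
        # Fresh random challenge per attempt, so a captured response cannot
        # be replayed against a later challenge.
        c = os.urandom(8)
        self._outstanding[user] = c
        return c

    def verify(self, user: str, response: bytes) -> bool:
        c = self._outstanding.pop(user, None)
        token = self._tokens.get(user)
        if c is None or token is None:
            return False
        expected = make_response(token, c)
        return hmac.compare_digest(expected, response)


def login_with_password(server: Server, user: str, password: str) -> bool:
    """Normal client: derives the token from the clear text, then answers."""
    c = server.challenge(user)
    return server.verify(user, make_response(password_hash(password), c))


def login_with_token(server: Server, user: str, token: bytes) -> bool:
    """Client holding only the stored 16-byte value: no clear text needed."""
    c = server.challenge(user)
    return server.verify(user, make_response(token, c))


def replay_is_rejected(server: Server, user: str, password: str) -> bool:
    """A valid response reused against a fresh challenge must fail."""
    c = server.challenge(user)
    r = make_response(password_hash(password), c)
    if not server.verify(user, r):
        return False
    server.challenge(user)          # new challenge issued
    return not server.verify(user, r)


if __name__ == "__main__":
    srv = Server()
    srv.enroll("brian", "correct horse battery")   # constructed sample
    print("password login:", login_with_password(srv, "brian", "correct horse battery"))
    print("wrong password:", login_with_password(srv, "brian", "wrong"))
    print("token-only login:", login_with_token(srv, "brian", password_hash("correct horse battery")))
    print("replay rejected:", replay_is_rejected(srv, "brian", "correct horse battery"))
```

The token-only login succeeding is the property to keep in mind when considering the poster's idea of registering the 16-byte value as a Kerberos password: wherever that value is stored or reused, it must be protected exactly as the clear-text password would be, since it grants the same access.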