Franco Milicchio wrote:
> What happens when, in the *same* situation stated above (openafs for
> windows integrated login with kerberos for windows), an NT4 domain user
> logs in?
>
> So we have, an NT4 domain with users and machines, a KDC, an AFS cell (no
> kaserver), a windows client authenticating on an NT4 domain. On the
> client we install KFW, then OpenAFS enabling integrated login. Now,
> will a remote user gain the token and all the tickets just the way a
> local user does?

OpenAFS for Windows' Integrated Login behaves the same way. You will
obtain an AFS token and not have any Kerberos 5 tickets in the logon
session.

> User docs are for users... I'm on the other side, trying to find
> documents and simple answers, like yes or no :)

I am a developer. You are a user. You read the documentation that I
write to answer your questions. Otherwise, I have no time to develop the
software. :)

Part of the problem is that you are not asking the right question. The
other part is that you are asking about the functionality of the OpenAFS
for Windows Integrated Login even though you do not think you are.

Please read the installation notes for OpenAFS for Windows. You might
also consider searching the openafs-info mailing list archives.

https://lists.openafs.org/pipermail/openafs-info/

> I'm just trying to find a good way of having windows authenticate
> remotely on our kerberos/afs infrastructure, so enabling the same user
> name and password work on every operating system a user wants to use,
> finding always the same home directory, trying not to have MS servers,
> but just our linux ones. Samba will act as NT4 PDC, if we can handle
> that, samba will not store any password using pam for authentication.

End user authentication to a Samba (NT4) PDC does not use Kerberos; it
uses either plaintext passwords or NTLM. If you are configuring Samba to
use PAM to validate the username/password combination, then you are
using plaintext passwords.

In other words, I can sniff the network and watch every username/password
combination used on your Windows domain and therefore in your Kerberos
realm. DO NOT DO THIS!!!

In order to use NTLMv2, you must have a copy of the password database
available to Samba.

If you want to use Kerberos to authenticate end users, then you must use
Kerberos. Either deploy an Active Directory with a cross-realm trust to
a non-AD KDC or deploy one of the AD workalikes. You can travel to the
future and bring back a copy of Samba 4. That will do what you desire.

Jeffrey Altman

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
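The configuration Jeffrey warns against (Samba validating the password through PAM, which means the NT4-style client sends it in the clear) is easy to spot in smb.conf. The following audit script is an added example for this thread, not code from Samba or from either poster: it parses the [global] section and flags `encrypt passwords = no`, the absence of a hash store (`passdb backend`), and LM/NTLMv1 still being accepted. The parameter names are real smb.conf options; the severities, the rule set and the two sample configurations are my own constructions, and the treatment of unset `lanman auth` / `ntlm auth` as "not hardened" is an assumption because their defaults vary across Samba versions.

```python
"""Flag the plaintext-password smb.conf setup described in the mail above.

Added example, not Samba's own code. Rules are my reading of the thread:
'encrypt passwords = no' makes the client send the password in the clear
and Samba validate it through PAM; NTLM/NTLMv2 need a hash store
('passdb backend'). Parameter names are real smb.conf options; severities
and the sample configs below are constructed for illustration.
"""
import re

_TRUE = {"yes", "true", "1"}
_FALSE = {"no", "false", "0"}
# Samba >= 4.5 spells the NTLMv2-only choice as an enum; older releases use no.
_NTLM_HARDENED = _FALSE | {"ntlmv2-only", "mschapv2-and-ntlmv2-only", "disabled"}


def parse_smb_conf(text):
    """Return {section: {param: value}}.

    smb.conf parameter names are case-insensitive and ignore internal
    whitespace, so keys are lower-cased and whitespace-collapsed. Lines
    whose first non-blank character is '#' or ';' are comments.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def _as_bool(value, default):
    """Samba boolean parsing: yes/true/1, no/false/0, otherwise the default."""
    if value is None:
        return default
    v = value.lower()
    return True if v in _TRUE else False if v in _FALSE else default


def audit_smb_conf(text):
    """Return [(severity, message), ...] for the [global] section, worst first."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    # Samba 3.0+ defaults 'encrypt passwords' to yes, so only an explicit
    # 'no' selects the plaintext path that PAM validation requires.
    if not _as_bool(g.get("encrypt passwords"), True):
        findings.append(("CRITICAL",
            "encrypt passwords = no: clients send the password in the clear and "
            "Samba checks it via PAM, so every domain (and hence Kerberos) "
            "password is readable on the wire; set encrypt passwords = yes "
            "and give Samba a hash store (passdb backend)"))
    elif "passdb backend" not in g:
        findings.append(("INFO",
            "no passdb backend set: NTLM hashes live in the version default "
            "(smbpasswd or tdbsam); set it explicitly so the store is known"))
    # NTLMv2-only is the best an NT4-style domain can do; LM and NTLMv1
    # responses are crackable offline. Assumption: unset means not hardened.
    if _as_bool(g.get("lanman auth"), True):
        findings.append(("WARN", "LANMAN responses accepted; set lanman auth = no"))
    if g.get("ntlm auth", "").lower() not in _NTLM_HARDENED:
        findings.append(("WARN", "NTLMv1 responses accepted; set ntlm auth = no"))
    return findings


# Constructed sample configs: the PAM/plaintext setup from the thread and a
# hash-store, NTLMv2-only equivalent.
WEAK_CONF = """
[global]
   workgroup = EXAMPLE
   security = user
   domain logons = yes
   ; validate the clear-text password against PAM -> plaintext on the wire
   encrypt passwords = no
   obey pam restrictions = yes
"""

HARDENED_CONF = """
[global]
   workgroup = EXAMPLE
   security = user
   domain logons = yes
   encrypt passwords = yes
   passdb backend = tdbsam
   lanman auth = no
   ntlm auth = no
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_smb_conf(conf) or "no findings")
```

The script only reads [global]; it does not model include files or `config file` redirection, so run it on the effective configuration (for example the output of `testparm -s`) rather than a fragment.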
