Jeffrey Altman wrote:

> OpenAFS for Windows' Integrated Login behaves the same way. You will
> obtain an AFS token and not have any Kerberos 5 tickets in the logon
> session.

Perfect (*)

> I am a developer. You are a user. You read the documentation that
> I write to answer your questions. Otherwise, I have no time to develop
> the software. :)

Yes, but it's not so clear that the same things will work in a Windows domain.

> Part of the problem is that you are not asking the right question.

As I said, I'm trying to explain myself... I just don't have experience on the MS side. I know I lack some of the terminology used in that world.

> The other part is that you are asking about the functionality of the
> OpenAFS for Windows Integrated Login even though you do not think you
> are. Please read the installation notes for OpenAFS for Windows.
> You might also consider searching the openafs-info mailing list
> archives.

The thing is that, coming from Linux, AFS and Kerberos are well separated things, and I do Kerberos authentication in the first and only instance. The AFS token is gained after a successful authentication, having stored a Kerberos credential.

> End user authentication to a Samba (NT4) PDC does not use Kerberos, it
> uses either plaintext passwords or NTLM.

I know Kerberos is in AD, not available until Samba 4. A long road.

> If you are configuring Samba
> to use PAM to validate the username/password combination, then you are
> using plaintext passwords. In other words, I can sniff the network and
> watch every username/password combination used on your Windows domain
> and there in your Kerberos realm. DO NOT DO THIS!!!

I'd like to avoid this. I know I can authenticate on a Kerberos KDC directly, but the user must exist locally. At least, that's what I understand from the MS documentation for Kerberos interaction. I have tried KfW with ksetup from MS. It works. Just create a matching local user for the Kerberos principal (you can leave the password blank) and choose, at the login window, to authenticate over the KDC, not on Windows. I can log in, gaining the ticket, correctly shown in KfW Leash.

> In order to use NTLMv2, you must have a copy of the password database
> available to Samba.

That's a thing I don't know how it is possible. I can also say, don't use Kerberos for authentication, but at least don't use plain text passwords.

> If you want to use Kerberos to authenticate end users, then you must use
> Kerberos. Either deploy an Active Directory with a cross-realm trust
> to a non-AD KDC or deploy one of the AD workalikes. You can travel to
> the future and bring back a copy of Samba 4. That will do what you
> desire.

I don't have a time machine now, sorry :)

Again there's the fact that AD should be away from me. I know Samba can use LDAP for authentication, but anyway, will the password run in plain text? Hope not... AD and cross-realms add layers, and adding things will just result in more complexity and probable errors... That's why I'm desperately trying to use Samba as an AFS gateway, along with Kerberos. I know there are projects like kSamba & co., but I'd like to stay with my Debian stable for server-side hosts.

It seems that there's really no way of avoiding AD, is there?

-- 
Franco Milicchio <mailto:[EMAIL PROTECTED]>

No keyboard found. Press F1 to continue...
(Almost every BIOS available in this world... even yours!)

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
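The configuration point Jeffrey makes in the exchange above (letting PAM validate the username/password pair means the password crosses the wire in the clear; NTLM/NTLMv2 challenge-response needs a hash database that Samba itself holds), as an added example that is not part of this thread or of Samba's own documentation: a weak Samba 3 smb.conf fragment beside a corrected one, plus a small POSIX shell check that flags the weak setting. Both config fragments, the EXAMPLE workgroup and the check function are constructed for this example; the parameter names are Samba 3's.

```shell
#!/bin/sh
# Added example, not from the thread. Two constructed Samba 3 smb.conf fragments:
# the first makes clients send the cleartext password so PAM can check it,
# the second uses NTLM/NTLMv2 challenge-response against Samba's own hash store.

WEAK_SMB_CONF='[global]
   workgroup = EXAMPLE
   security = user
   domain logons = yes
   ; Plaintext on the wire: Samba holds no NT hashes, so it must receive the
   ; cleartext password to hand it to PAM. Anyone sniffing the LAN reads it.
   encrypt passwords = no
   obey pam restrictions = yes
'

FIXED_SMB_CONF='[global]
   workgroup = EXAMPLE
   security = user
   domain logons = yes
   ; Challenge-response: the password itself never crosses the wire, but
   ; Samba needs its own copy of the NT hashes (the "password database",
   ; populated with smbpasswd/pdbedit).
   encrypt passwords = yes
   passdb backend = tdbsam
   ; Refuse the weak LM and NTLMv1 responses so only NTLMv2 is accepted.
   lanman auth = no
   ntlm auth = no
'

# smb_password_mode CONF_TEXT
# Prints "plaintext" if the config makes clients send cleartext passwords,
# "encrypted" otherwise. Exit status is 1 for plaintext so it can gate a deploy.
# Samba defaults "encrypt passwords" to yes, so only an explicit no/false/0 counts.
smb_password_mode() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*[;#]/ { next }                # skip comment lines
        {
            eq = index($0, "=")
            if (eq == 0) next                       # section headers, blank lines
            key = tolower(substr($0, 1, eq - 1))
            val = tolower(substr($0, eq + 1))
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (key == "encrypt passwords") enc = val   # last one wins, as in Samba
        }
        END {
            if (enc == "no" || enc == "false" || enc == "0") { print "plaintext"; exit 1 }
            print "encrypted"
        }'
}

# Stand-alone run: report both constructed configs.
printf 'weak:  %s\n' "$(smb_password_mode "$WEAK_SMB_CONF")"
printf 'fixed: %s\n' "$(smb_password_mode "$FIXED_SMB_CONF")"
```

Two caveats worth knowing when reading the weak fragment: Windows clients since NT4 SP3 and Windows 98 refuse to send a plaintext SMB password unless the EnablePlainTextPassword registry value is set, so that configuration both leaks credentials and breaks logons; and the hash store the corrected fragment relies on is separate from the Kerberos KDC, so a `unix password sync = yes` setting keeps Samba's hashes in step with the local Unix password but does nothing for the Kerberos principal, which is the gap Jeffrey's cross-realm or Samba 4 suggestions close.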
