Franco "Sensei" wrote:
Jeffrey Altman wrote:
You do not seem to understand how integrated login works. You log in to Windows and Windows finds the account. The account indicates where the profile is located, including the User's Registry Hive. Windows calls the network provider to enable the provider to obtain credentials to access network services in case they are required to load the profile. Windows then loads the profile.
Yes, I know it...
There is no interaction by anything provided by MIT KFW or OpenAFS which can determine what the account is and where its profile is located. Now you can map a Kerberos 5 principal to a local account via the registry and you can point the profile for that account to AFS, but you can't use a non-Windows Kerberos 5 principal to define a new account.
...and the interaction is what I'd like. Logging into Windows should be something a la pam_krb5afs + LDAP, without AD. Somehow, Active Directory makes remote users possible, no mapping at all since no local account is needed on the local machine. Is it possible to create something I'm describing? They do it (with AD Kerberos as you pointed out, but it's always Kerberos), we can do it (probably). How to retrieve where the profile is located is a matter of LDAP, so we could be able to use LDAP in some way, as they do with AD.
I'm not saying that it is possible here and now with the tools we have (KFW and OpenAFS client), but I'm asking if you think it would be possible and/or useful.
Yes, I think it would be useful. I want a setup just like that without AD in the middle also. It should be a project separate from OpenAFS though, since they are concentrating on Kerberos authentication. The project should just be a connector between Windows clients and standard LDAP+Kerberos.
I'd suggest getting some documentation on the internals of AD and Kerberos so this project can move forward. Can anyone suggest some good books for this (and maybe for the SCSI protocol too -- separate issue entirely though)?
I also think you will find a few people with like minds on the Samba lists.
Mike
