Volker Lendecke wrote:
> And, Samba can nowadays be configured to accept kerberos
> tickets even without being an ADS member, but Windows
> clients will not appreciate this. But that's just Windows.

This discussion is specifically related to Windows client access to AFS. Since Windows CIFS clients won't talk Kerberos to Samba, if you want to authenticate the users against the Kerberos database you must configure the Windows clients to send username and password in the clear so that Samba can perform the equivalent of a kinit operation.

>> Kerberos password in the clear is not a desirable solution. This may be
>> improved with Vista clients since Vista will negotiate TLS first and
>> then perform the SMB authentication on top of that. Even if you are
>
> Wait a second -- Vista will do TLS-protected SMB? Where can
> I read more about this, this sounds VERY interesting. I've
> never heard of that!

I don't know where you can read about it, but it is in fact true. The reason it took so long to get OpenAFS for Windows to work on Vista was because of the TLS support. Every Vista workstation, whether part of a domain or not, is given an X.509 server certificate which is used to protect the File and Print Sharing, Remote Desktop, IIS, and other remote services.

Jeffrey Altman

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
