On Tue, Oct 17, 2006 at 05:02:47PM -0400, Jeffrey Altman wrote:
> > And, Samba can nowadays be configured to accept kerberos
> > tickets even without being an ADS member, but Windows
> > clients will not appreciate this. But that's just Windows.
>
> This discussion is specifically related to Windows client access to
> AFS. Since Windows CIFS clients won't talk Kerberos to Samba if you
> want to authenticate the users against the Kerberos database you must
> configure the Windows clients to send username and password in the
> clear so that Samba can perform the equivalent of a kinit operation.

Ok, sorry, then I just misunderstood you. I thought you were talking
about the --fake-kaserver option of Samba instead of the --with-afs
option which indeed requires plain text passwords from the clients.

> I don't know where you can read about it but it is in fact true.
> The reason it took so long to get OpenAFS for Windows to work on
> Vista was because of the TLS support. Every Vista workstation whether
> part of a domain or not is given an X.509 server certificate which
> is used to protect the File and Print Sharing, Remote Desktop, IIS, and
> other remote services.

Really interesting. Do you have a sniff of such a connection you could
share with us? I would like to know how Vista would start negotiating
TLS encrypted SMB connections.

Also CC'ing [EMAIL PROTECTED], I'm sure that the Samba community would
love to see Windows finally doing SMB bulk encryption properly.

Thanks,

Volker
