On 12/15/2010 11:13 AM, Andrew Deason wrote:
> On Wed, 15 Dec 2010 10:35:19 -0500
> [email protected] wrote:
>
>> You used to be able to do straight krb5 auth in samba like 3.0.12 or
>> so was the first version to support it and if you want me to look
>> -somewhere- I have a link for the "how-to". Then you could probably
>> do the preexec to get the token. I never actually thought about that
>> part. The krb5 piece worked. I tested that a long while ago like
>> 3.0.24ish.
>
> Samba can do krb5 auth, but you would need the client to forward
> tickets, too, in order to get tokens. I find it less likely that Samba
> can do that, but I do not really know; maybe it can.
It's not a question of whether Samba can do it. It's a question of whether the SMB clients will delegate credentials, and the answer is that they do not.

The choices are to either configure Samba to require clear text password authentication, which permits Samba to acquire the AFS token on its own using the user's name and password; or to use GSS/SPNEGO authentication (either NTLM or KRB5) and then use kimpersonate to generate a token for the user. kimpersonate has the downside that it requires that the AFS KeyFile be shared with Samba, and if Samba is compromised the AFS key is vulnerable.

Other things to be aware of:

* Samba over AFS does not properly enforce Windows locking semantics, which can result in data corruption from multiple clients accessing the same file (one via Samba, one not Samba).

* Do not use the host name "afs" for your Samba server. Doing so will cause severe problems when mixed with native clients that expect their UNC server name to be "AFS".

Jeffrey Altman
