On Wed, 15 Dec 2010 11:47:29 -0500 Jeffrey Altman <[email protected]> wrote:
> > Samba can do krb5 auth, but you would need the client to forward
> > tickets, too, in order to get tokens. I find it less likely that
> > Samba can do that, but I do not really know; maybe it can.
>
> It's not a question of whether Samba can do it. It's a question of
> whether the SMB clients will delegate credentials and the answer is
> that they do not.

Ah, yes. I was thinking Samba clients, but obviously we're not talking
about Samba clients, and we don't have much control over the clients.

> The choices are to either configure Samba to require clear text password
> authentication which permits Samba to acquire the AFS token on its own
> using the user's name and password; or to use GSS/SPNEGO authentication
> (either NTLM or KRB5) and then use kimpersonate to generate a token for
> the user. kimpersonate has the downside that it requires that the AFS
> KeyFile be shared with Samba and if Samba is compromised the AFS key is
> vulnerable.

Just one more note: I believe aklog itself has had kimpersonate support
since around 1.4.5-ish. It doesn't appear to be documented yet... but if
you have a keytab with the afs service princ, I think you can just give
it -keytab and -principal options and it'll do what you expect.

-- 
Andrew Deason
[email protected]

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
