Quoting [email protected]:
Quoting Jaap Winius <[email protected]>:
Quoting [email protected]:
You might be able to use pgina which is a windows login screen replacement.
There was someone working on a kerberos plugin for it. I am not
sure how far they got. (I haven't tried the 2.x series) I do know
I had openldap (with failover) working with it via a sasl-pam
mech. I didn't get the kerberos plugin working but that was in
the 1.6.x or 1.8.x series. ) ...
Here is what I found for the pgina krb5 plugin:
http://pages.cs.wisc.edu/~timc/pgina/
Although it would not be as ideal as Samba4 with a working AD
domain controller, pGina sounds like a great alternative. However,
since I'm using Windows XP only, that means I would still be
restricted to the last version of pGina 1.x: v1.8.8 from December
the 6th, 2006. See these pGina pages:
http://www.pgina.org/index.php/Main_Page
http://www.pgina.org/index.php/PGina_1.x_Downloads
In addition, judging from the contents of the link you supplied,
timc meant his plugin to work with pGina 2.x, and he hasn't updated
his plugin since October the 6th, 2008.
Therefore, I'm going to conclude that pGina v1.8.8 does not support
Kerberos out of the box, or else timc would not have bothered, and
that his plugin will not work with it either, just as you
discovered for yourself earlier. Pity.
I didn't get to spend a lot of time on it; by the time I got to try
it, they had already killed the project. IIRC I never even got a
krb5 ticket with the MIT KfW 3.2.2.
Thanks anyway, though. If, in lieu of Samba4, a Vista machine, or a
more modern Windows client, appears on any of my
Kerberos/OpenLDAP/OpenAFS networks, then I will certainly remember
to give your solution a try!
Samba4 says it already supports 'Active Directory' logon and
administration protocols. Since they started with auth, I am
guessing that part is fairly stable. The whole suite for sure isn't
production ready.
If you do try it, grab it out of the git repo; they have a tendency
not to push out release tarballs and not to update the
documentation. :)
I should add, the easiest is to use pgina with just the ldap plugin,
turn on plain text passwords on the clients, and write a bat file to
map drives to a samba share with pam krb5/pam afs session stack. You
can get identical ssid's across all the samba servers if you use
identical windows hostnames. You can use pam_ldap or nss ldap to get
your usernames to the unix user accts. (AD doesn't let you do that.) (It
can be the same server as your ldap auth server.)
We set it up to run out of inetd so it autorestarts. Windows can cache
the creds and auto reconnect if you need to replace the machine and
firewall off a lot of the chatter the protocol does. But you can
probably run it as a stand alone server.
We have/had this running with stripped down Solaris 8 SPARC
400MHz/128M of RAM reliably for years (compiled a few things out of
samba as well). If you want a small cheap machine, I'm guessing a
guruplug (which is cheap and only uses 5-10w of power max. and < .5w
idle and has esata) would give similar performance, but I haven't
tested it yet.
On a side note, the ARM Cortex-A15's 2.5GHz quad cores should come out
in less than a year and there are a couple of companies interested in
pushing these out as low E servers.