Quoting [email protected]:

Quoting Jaap Winius <[email protected]>:

Quoting [email protected]:

You might be able to use pgina which is a windows login screen replacement.

There was someone working on a kerberos plugin for it. I am not sure how far they got. (I haven't tried the 2.x series) I do know I had openldap (with failover) working with it via a sasl-pam mech. I didn't get the kerberos plugin working but that was in the 1.6.x or 1.8.x series. ...

Here is what I found for the pgina krb5 plugin:
http://pages.cs.wisc.edu/~timc/pgina/

Although it would not be as ideal as Samba4 with a working AD domain controller, pGina sounds like a great alternative. However, since I'm using Windows XP only, that means I would still be restricted to the last version of pGina 1.x: v1.8.8 from December the 6th, 2006. See these pGina pages:

  http://www.pgina.org/index.php/Main_Page
  http://www.pgina.org/index.php/PGina_1.x_Downloads

In addition, judging from the contents of the link you supplied, timc meant his plugin to work with pGina 2.x, and he hasn't updated his plugin since October the 6th, 2008.

Therefore, I'm going to conclude that pGina v1.8.8 does not support Kerberos out of the box, or else timc would not have bothered, and that his plugin will not work with it either, just as you discovered for yourself earlier. Pity.

I didn't get to spend a lot of time on it; by the time I got to try it, they had already killed the project. IIRC I never even got a krb5 ticket with the mit kfw 3.2.2.

Thanks anyway, though. If, in lieu of Samba4, a Vista machine, or a more modern Windows client, appears on any of my Kerberos/OpenLDAP/OpenAFS networks, then I will certainly remember to give your solution a try!

Samba4 says it already supports 'Active Directory' logon and administration protocols. Since they started with auth, I am guessing that part is fairly stable. The whole suite for sure isn't production ready.

If you do try it, grab it out of the git repo, they have a tendency not to push out release tarballs and not to update the documentation. :)


I should add, the easiest is to use pgina with just the ldap plugin, turn on plain text passwords on the clients, and write a bat file to map drives to a samba share with pam krb5/pam afs session stack. You can get identical ssid's across all the samba servers if you use identical windows hostnames. You can use pam_ldap or nss ldap to get your usernames to the unix user accts. (AD doesn't let you do that.) (It can be the same server as your ldap auth server.)

We set it up to run out of inetd so it autorestarts. Windows can cache the creds and auto reconnect if you need to replace the machine and firewall off a lot of the chatter the protocol does. But you can probably run it as a stand alone server.

We have/had this running with stripped down solaris 8 sparc 400mhz/128M of ram reliably for years (compiled a few things out of samba as well). If you want a small cheap machine, I'm guessing a guruplug (which is cheap and only uses 5-10w of power max. and < .5w idle and has esata) would give similar performance, but I haven't tested it yet.

On a side note, the ARM Cortex-a15's 2.5ghz quad cores should come out in less than a year and there are a couple of companies interested in pushing these out as low E servers.



