On Wed, May 29, 2002 at 11:31:34PM +1000, Andrew Bartlett wrote:
> > Andrew Bartlett <[EMAIL PROTECTED]> writes:
> > > > > > > 1. Get rid of AFS's need for plaintext passwords.
> > [....]
> > > > Ah, of course credential forwarding/proxying would be a requirement for
> > > > making this work without giving the gateway special privileges; I'd
> > > > completely overlooked that. I'm afraid I don't know the answer, though.
> > > > Perhaps someone currently doing Samba 3.0 work has run into this and can
> > > > say?
> > >
> > > I see no reason why this would not be possible. We would need to do a
> > > little bit of work on the smbd side of things, but credential forwarding
> > > is pretty standard. This assumes either an AD domain, or Samba modified
> > > to correctly function with krb5 but without AD (which also implies
> > > Windows clients joined to such a domain).
>
> > So, so how do you tell the client to forward creds to the fileserver, and
> > can you choose what creds you want to forward?
>
> This assumes krb5, where this is all quite standard.

Credentials forwarding is a standard feature of KRB5; but in all applications I can think of, the default behavior is to /not/ forward credentials unless the client explicitly requests (permits) it. There are many cases where you don't want to forward credentials to Kerberos services, because doing so allows the service to impersonate you to one or more other services on the network.

Now for AFS support we would certainly want that; but how does the Microsoft client know how and when to forward credentials?

The easy -- and less secure -- solution is to forward a TGT to the fileserver; then you just need to decide when to do the forwarding. This has the drawback that the server can completely impersonate you to any service in the realm (except those with DISALLOW_TGT_BASED set).

The other option is to only forward the credentials needed for a particular service, e.g., AFS. But then you need some way of configuring the client to know which credentials those are.

Steve Langasek
postmodern programmer
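To make the trade-off in the message above concrete, here is a small model of the two forwarding policies it contrasts (forward the TGT vs. forward only the AFS service ticket) and of the default of forwarding nothing. This is an added illustration, not code from the thread, Samba or any Kerberos implementation: the toy KDC only encodes two rules stated in the message (a forwarded TGT buys tickets for every service that does not carry DISALLOW_TGT_BASED; a service ticket is good for that service alone) plus the requirement that the TGT be forwardable at all. The realm EXAMPLE.COM, the principals and the user `alice` are constructed for the example.

```python
"""Toy model of Kerberos credential forwarding policies (added example, not
code from the thread). Realm, principals and the user are constructed."""
from dataclasses import dataclass

# KDC principal attribute named in the message; in MIT kadmin it is set with
# `modprinc -allow_tgs_req`. Services carrying it cannot be reached with a
# TGT (TGS-REQ), only via an AS-REQ, so a forwarded TGT does not cover them.
DISALLOW_TGT_BASED = "DISALLOW_TGT_BASED"

REALM = "EXAMPLE.COM"                         # constructed
TGT_PRINC = f"krbtgt/{REALM}@{REALM}"
AFS_PRINC = f"afs/cell.example.com@{REALM}"   # constructed


@dataclass(frozen=True)
class Ticket:
    client: str               # user principal the ticket was issued to
    service: str              # service principal; krbtgt/... for a TGT
    forwardable: bool = False # set when obtained with e.g. `kinit -f`

    def is_tgt(self) -> bool:
        return self.service.startswith("krbtgt/")


class KDC:
    """Toy KDC: knows which service principals exist and their attributes."""

    def __init__(self, principals):
        self.principals = dict(principals)  # service principal -> set of attrs

    def tgs_req(self, cred: Ticket, service: str):
        """Model a TGS-REQ. Only a TGT can be exchanged for a service ticket;
        a target carrying DISALLOW_TGT_BASED is refused (AS-REQ only)."""
        if not cred.is_tgt():
            return None
        attrs = self.principals.get(service)
        if attrs is None or DISALLOW_TGT_BASED in attrs:
            return None
        return Ticket(client=cred.client, service=service)


def credentials_to_forward(kdc, cache, policy, wanted=()):
    """What the client hands the file server under each policy.

    "none"    - the usual application default: forward nothing.
    "tgt"     - forward the user's TGT (the easy, less secure option).
    "service" - forward only tickets for the services in `wanted`.
    Nothing can be forwarded unless the TGT was issued forwardable.
    """
    tgt = next((t for t in cache if t.is_tgt()), None)
    if policy == "none" or tgt is None or not tgt.forwardable:
        return frozenset()
    if policy == "tgt":
        return frozenset({tgt})
    if policy == "service":
        issued = (kdc.tgs_req(tgt, s) for s in wanted)
        return frozenset(t for t in issued if t is not None)
    raise ValueError(f"unknown policy {policy!r}")


def impersonation_reach(kdc, forwarded):
    """Services the receiving server could authenticate to *as the user*
    using only the credentials it was forwarded."""
    reach = set()
    for t in forwarded:
        if t.is_tgt():
            reach.update(s for s in kdc.principals if kdc.tgs_req(t, s))
        else:
            reach.add(t.service)
    return reach


# Constructed realm: one service is protected with DISALLOW_TGT_BASED.
KDC_MODEL = KDC({
    AFS_PRINC: set(),
    f"cifs/fileserver.example.com@{REALM}": set(),
    f"ldap/dc.example.com@{REALM}": set(),
    f"host/admin.example.com@{REALM}": {DISALLOW_TGT_BASED},
})
USER_CACHE = [Ticket(f"alice@{REALM}", TGT_PRINC, forwardable=True)]


def compare_policies(cache=USER_CACHE):
    """Impersonation reach of the file server under each policy."""
    return {
        policy: impersonation_reach(
            KDC_MODEL,
            credentials_to_forward(KDC_MODEL, cache, policy, wanted=[AFS_PRINC]))
        for policy in ("none", "tgt", "service")
    }


if __name__ == "__main__":
    for policy, reach in compare_policies().items():
        print(f"{policy:8s} -> {sorted(reach) or 'nothing'}")
```

Running it shows the point of the message: with the TGT forwarded, the file server can reach every service except the one marked DISALLOW_TGT_BASED; with only the AFS ticket forwarded, it can reach AFS and nothing else; and if the user's TGT was not obtained forwardable, neither policy hands anything over. The model does not cover ticket lifetimes, address restrictions or proxiable tickets, which real deployments also use to limit exposure.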