FYI WRT to smbklog - my Brinkster account had expired. I reinstated and put up my latest code (including some client fixes, primarily). Also updated the wiki page with some minor changes.

Jason

-----Original Message-----
From: Daniel Clark/Cambridge/IBM [mailto:[EMAIL PROTECTED]]
Sent: Sunday, August 04, 2002 4:16 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Samba as a gateway to OpenAFS

I've put together a page on the OpenAFS Wiki - http://grand.central.org/twiki/bin/view/AFSLore/SMBtoAFS - listing all of the Samba as an AFS gateway projects I could find. Authors of the systems may want to look at and edit the page to make sure I'm not inadvertently misrepresenting their systems.

I also have two questions for Steve Holstead:

On Fri, May 24, 2002 at 10:44:54AM -0600, Steve Holstead wrote:
> Unfortunately, we have the need to offer AFS space to our users via SAMBA.
> In doing so, we have had to introduce a number of patches to accomplish
> this task. The methodology was discussed at the LISA 2000 conference re:
> http://www.usenix.org/events/lisa2000/full_papers/beck/beck_html/index.html
> The introduction of the fokstraut DB allowed us to store the plaintext
> password along with the HASH forms.
>
> I would like to say that since that time, I have introduced an additional
> module to re-authenticate those users who insist on not logging out. This
> module will ensure that their token sticks around.
>
> It is my intention to rid myself of the fokstraut DB by establishing a
> "trust" between the AFS server and my samba server such that I can get a
> token without having to send a clear text password. This will allow me to
> migrate all fokstraut DB records to the SAMBA password tdb.
>
> I am also working on a routine that ties into our password management
> functions (ie our krb5, krb4, and AFSkrb). This will enable the creation
> of a passwd tdb record which stays in sync with all the other passwd
> records.
>
> To re-phrase, I am trying to:
> 1. Get rid of AFS's need for plaintext passwords.
> 2. Establish a "registration" mechanism for new samba users and those that
> change their passwords.
> 3. Turn on encrypted password support.
>
> The patches that will give you AFS support with plaintext turned on can be
> found at www.ualberta.ca/~sholstea

What version of Samba are these patches against?

> The routines that will allow me to turn on encrypted password support for
> AFS users are still under development.

From reading your paper I was under the impression that the following was working:

(1) User primes Samba server with cleartext password somehow - this can be done out-of-band in a secure manner.

(2) Using Samba + the Fokstraut code, a DBM database is maintained on the Samba server that contains the user's username, cleartext password, and Windows password hash.

(3) The user connects to the Samba server using normal SMB encrypted authentication. The Samba server authenticates the user using the Windows password hash in the DBM database, and then gets the user AFS tokens by using the cleartext password in the DBM database.

Is this functionality what is still under development, or are you referring to some of the new development work you are doing to get rid of the need for cleartext passwords altogether?

I'm working on a web account management framework that could take care of (1), so your solution looks really good to me as it stands.

Thanks,
--
Daniel Clark # Sys Admin & Release Engineer
IBM > Lotus > Messaging Technology Group