On Wed, 2008-03-19 at 08:43 -0500, Pat Riehecky wrote:
> Don't use NFS. It is trivial to compromise the security of NFS - you
> simply need root on something, set your IP and su as needed. If the
> tactic is not clear poke me off list. NFS is never the answer outside
> of the data center.

Huh? NFS has had strong security support (including Kerberos) since 2000, so what are you talking about?

> On Wed, 2008-03-19 at 08:23 -0400, James Pulver wrote:
> > Speaking to the kinit, maybe there's a free file manager for windows
> > that would interop with MIT Leash for passing the ticket to samba? I'm
> > able to get putty and WinSCP for instance to work with the Network
> > Identity Manager...
> >
> > I'm debating dropping samba, and trying again for either a different
> > file system (AFS or NFS on windows) or having to switch around to using
> > AD as central authentication (which I'd rather not do).
> > --
> > James Pulver
> > Information Technology Area Supervisor
> > LEPP Computer Group
> > Cornell University
> >
> > Steve Harper wrote:
> > > We here at the University of Utah have a similar setup that we are
> > > trying to get to work. We have set up a cross-realm trust between our MIT
> > > Kerberos server and our Windows AD Domain, and all the user accounts'
> > > altSecurityIdentities map the AD users to our MIT style kerberos realm.
> > > AD passwords are set to long random strings.
> > >
> > > So far we have followed the guide below on the Samba wiki, with some
> > > success but there are a few things that still do not work.
> > >
> > > http://wiki.samba.org/index.php/Samba_%26_Active_Directory
> > >
> > > On linux and mac workstations we can map shares on our samba server once
> > > we have done a kinit against our kerberos realm.
> > >
> > > kinit [EMAIL PROTECTED]
> > > smbclient \\sambaserver.utah.edu\SHARENAME -k
> > >
> > > Smb shares initiated from the GUI on the Mac work ok on the Tiger
> > > release of Mac OS X, but seem to fail on Leopard.
> > >
> > > Other than that, it all works fine on these clients.
> > >
> > > The problem is with the windows workstations. Workstations that are
> > > members of the domain can logon with their MIT passwords, specifying the
> > > kerberos realm in the GINA. Once there they can seamlessly map drives
> > > iff they specify their (usually set to garbage) local AD passwords. All
> > > other permutations to let the samba or windows server know that we want
> > > to use our cross-realm trust credentials have been unsuccessful thus far.
> > > Ideally we would like to be able to map drives to these shares from
> > > windows machines that are not even members of our AD domain.
> > >
> > > A new option I saw that I have not had time to try out yet for the
> > > smb.conf is
> > > use kerberos keytab = yes
> > >
> > > This might help the clients to succeed, or it might be useful in getting
> > > Samba to attempt to authenticate users directly against our MIT Kerberos
> > > server. I've still got a lot of reading and experimenting to do to see
> > > if we can pull this together. Hopefully somebody else on this list has
> > > already fought such a battle and emerged triumphant. But in perusing
> > > the list archives for a few hours I have yet to see something like this.
> > >
> > > Thanks,
> > > Steve Harper
> > > Center for High Performance Computing
> > > University of Utah.
> > >
> > > James Pulver wrote:
> > >> So, I'm trying to figure out how to get Samba to work in this way.
> > >> Specifically, I have a 2003 R2 AD in 2003 functional level. All user
> > >> accounts are mapped to the same user account name @ our MIT Kerberos
> > >> server. Users do not know their AD password.
> > >>
> > >> Can Samba authenticate users with their Kerberos realm passwords, and
> > >> know to use the same user name so the UIDs match for both platforms +
> > >> permissions?
> > >>
> > >> If it can, what should the smb.conf look like?
> > >> --
> > >> James Pulver
> > >> Information Technology Area Supervisor
> > >> LEPP Computer Group
> > >> Cornell University
> > >>
> > --

--
Udo Rader
bestsolution.at EDV Systemhaus GmbH
http://www.bestsolution.at
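As an added illustration (not posted by anyone in this thread and not taken from the Samba wiki page linked above), here is a minimal smb.conf fragment showing where the `use kerberos keytab = yes` option mentioned by Steve sits alongside the ADS-mode settings it depends on. The workgroup and realm values are placeholders, and the idmap settings are an assumption about how one would keep Unix UIDs consistent across clients (James's question), not something the thread confirms.

```ini
# Added example smb.conf fragment (not from the thread).
# Placeholder workgroup/realm; adjust for the local domain.
[global]
    # NetBIOS name of the AD domain (placeholder)
    workgroup = EXAMPLE
    # Kerberos realm the Samba host is joined to (placeholder)
    realm = EXAMPLE.COM
    # Validate users against the AD KDC instead of local password hashes
    security = ads
    # Let smbd verify incoming Kerberos service tickets with the host keytab
    # (the option discussed above; the default keytab path is /etc/krb5.keytab)
    use kerberos keytab = yes
    # Assumed approach: give domain users stable Unix IDs so file
    # permissions line up for Linux, Mac and Windows clients
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind use default domain = yes
```

Comments in smb.conf must be on their own lines; text after a value on the same line becomes part of the value. Later Samba releases replaced `use kerberos keytab` with the `kerberos method` parameter, so check the smb.conf man page for the version actually deployed.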
-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
