[openafs-wiki.git] / AFSLore / SMBtoAFS.mdwn
index d304b3c..0eb37f7 100644 (file)
@@ -2,8 +2,8 @@
   <ul>
     <li><a href="#Using Samba as an AFS gateway"> Using Samba as an AFS gateway</a><ul>
         <li><a href="#Plain text passwords sent over n"> Plain text passwords sent over network</a><ul>
-            <li><a href="#Compile Samba --with-pam"> Compile Samba --with-pam</a></li>
-            <li><a href="#Compile Samba --with-afs"> Compile Samba --with-afs</a></li>
+            <li><a href="#Compile Samba 2 --with-pam"> Compile Samba 2 --with-pam</a></li>
+            <li><a href="#Compile Samba 2 --with-afs"> Compile Samba 2 --with-afs</a></li>
           </ul>
         </li>
         <li><a href="#No plain text passwords sent ove"> No plain text passwords sent over network</a><ul>
             <li><a href="#FOKSTRAUT"> FOKSTRAUT</a></li>
           </ul>
         </li>
+        <li><a href="#New: More secure options"> New: More secure options</a><ul>
+            <li><a href="#Samba 3 built-in AFS support"> Samba 3 built-in AFS support</a></li>
+            <li><a href="#kimpersonate"> kimpersonate </a></li>
+          </ul>
+        </li>
         <li><a href="#Random Links"> Random Links</a></li>
-        <li><a href="#Discussion / What are you doing?"> Discussion / What are you doing?</a></li>
+        <li><a href="#Attachments"> Attachments</a></li>
       </ul>
     </li>
   </ul>
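Review bot: the TOC drops the "Discussion / What are you doing?" entry and substitutes "Attachments", which should be reverted together with the body change later in this commit, since the material that replaces the discussion section is not page content. The new anchor texts match the renamed section anchors ("Compile Samba 2 --with-pam", "Compile Samba 2 --with-afs", "Samba 3 built-in AFS support"), but the "kimpersonate" entry carries a stray trailing space inside the link text (`> kimpersonate </a>`) that none of the other entries have; drop it for consistency.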
@@ -39,7 +44,7 @@ Disadvantages:
 - Client gets no warning before AFS tokens expire
 - To get new tokens, client must unmap and then remap the drive letter corresponding to the AFS gateway
 
-### <a name="Compile Samba --with-pam"></a> Compile Samba --with-pam
+### <a name="Compile Samba 2 --with-pam"></a> Compile Samba 2 --with-pam
 
 This causes Samba to use pluggable authentication modules (PAM) for authentication. PAM is available on many Unix variants, notably Linux and Solaris. There are PAM modules for the various Kerberos implementations that work with AFS; the module for the default kaserver comes with [[OpenAFS]]. For some more info on PAM see the [Samba doc](http://de.samba.org/samba/ftp/docs/htmldocs/Samba-HOWTO-Collection.html#PAM). Many precompiled versions of Samba are built with this option (i.e. Redhat's Samba RPMs)
 
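Review bot: the heading now says "Samba 2", but the body sentence under it still speaks of "Samba" generically, and the parenthetical "(i.e. Redhat's Samba RPMs)" should read "e.g.", since Red Hat's packages are one example rather than the definition; suggest "Many precompiled versions of Samba 2 are built with this option (e.g. Red Hat's Samba RPMs)." so that the version qualification introduced in the heading carries into the text.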
@@ -51,7 +56,7 @@ Disadvantages:
 
 - Doesn't work with operating systems that do not support PAM.
 
-### <a name="Compile Samba --with-afs"></a> Compile Samba --with-afs
+### <a name="Compile Samba 2 --with-afs"></a> Compile Samba 2 --with-afs
 
 This links Samba against AFS authentication code directly.
 
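Review bot: with the rename, the one-line body "This links Samba against AFS authentication code directly." should say Samba 2 and distinguish this option from the Samba 3 `--with-fake-kaserver` support added later in this commit, since both link Samba against AFS code but this one sits under the "Plain text passwords sent over network" heading (the user's password is checked against AFS), whereas the Samba 3 variant, per the quoted afs.c comment, creates tickets from a stored KeyFile without any password reaching AFS; one sentence here would keep readers from conflating the two.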
@@ -196,8 +201,177 @@ Disadvantages:
   - Another possibility would be a web application behind an SSL server running on the same host as the Samba server.
 - Passwords must be stored in cleartext on the Samba server.
 
+## <a name="New: More secure options"></a> New: More secure options
+
+### <a name="Samba 3 built-in AFS support"></a> Samba 3 built-in AFS support
+
+It looks like Samba 3.0.4 has built-in AFS support (perhaps only for the Kerberos 4 kaserver on GNU/Linux with [[OpenAFS]] however). The relevant configure option looks like:
+
+      --with-fake-kaserver    Include AFS fake-kaserver support (default=no)
+
+References:
+
+- <http://www.samba.org/samba/docs/man/smb.conf.5.html#AFSSHARE>
+- <news://news.gmane.org:119/E19sNzf-0002uv-00@intern.SerNet.DE>
+- <http://www.dragoninc.on.ca/mail-archives/samba-technical/2003-10/0339.html>
+- [http://marc.theaimsgroup.com/?l=samba&amp;m=108238783519493&amp;w=2](http://marc.theaimsgroup.com/?l=samba&m=108238783519493&w=2)
+- [http://marc.theaimsgroup.com/?l=samba&amp;m=108119099330691&amp;w=2](http://marc.theaimsgroup.com/?l=samba&m=108119099330691&w=2)
+- <http://lists.samba.org/archive/samba/2004-April/084693.html>
+
+Also based on <http://us4.samba.org/samba/ftp/pre/WHATSNEW-3-0-5pre1.txt> it looks like Samba 3.0.5 will have support to display and set AFS acls via the NT security editor.
+
+Here are some relevant comments from the Samba 3.0.4 code (author's homepage is at <http://www.sernet.de/vl/> ):
+
+    ./source/lib/afs.c:
+    /*
+      This routine takes a radical approach completely bypassing the
+      Kerberos idea of security and using AFS simply as an intelligent
+      file backend. Samba has persuaded itself somehow that the user is
+      actually correctly identified and then we create a ticket that the
+      AFS server hopefully accepts using its KeyFile that the admin has
+      kindly stored to our secrets.tdb.
+
+      Thanks to the book "Network Security -- PRIVATE Communication in a
+      PUBLIC World" by Charlie Kaufman, Radia Perlman and Mike Speciner
+      Kerberos 4 tickets are not really hard to construct.
+
+      For the comments "Alice" is the User to be auth'ed, and "Bob" is the
+      AFS server.
+    */
+
+    ./source/lib/afs_settoken.c:
+    /*
+      Put an AFS token into the Kernel so that it can authenticate against
+      the AFS server. This assumes correct local uid settings.
+
+      This is currently highly Linux and OpenAFS-specific. The correct API
+      call for this would be ktc_SetToken. But to do that we would have to
+      import a REALLY big bunch of libraries which I would currently like
+      to avoid.
+    */
+
+### <a name="kimpersonate"></a> kimpersonate
+
+The major problem when exporting the AFS filespace read-write to SMB (Windows fileshareing) using Samba is the transfer of the user token to the smb-server. The simple may is to use clear-text password between the Windows client and the samba-server, and then to get tokens for the user with this password. This solution is clearly not acceptable for security aware AFS administrators.
+
+On solution is to use \`kimpersonate' + store afs key on fileserver. To obtain the kimersonate code contact "Love H�rnquist-�strand" &lt; lha () stacken ! kth ! se &gt;
+
+Here are some references to this technique:
+
+- <https://lists.openafs.org/pipermail/openafs-info/2003-July/010026.html>
+- <http://www.mail-archive.com/openafs-info@openafs.org/msg08471.html>
+- <http://openbsd.mirrors.pair.com/src/usr.sbin/afs/src/doc/arla.info>
+- <http://www.it.kth.se/~aep/licentiate/PB-lanman2001.pdf>
+
+Here is the kimpersonate **README**:
+
+    kimpersonate
+    ============
+
+    kimpersonate takes a keytab/srvtab/AFS KeyFile and impersonates
+    kerberos credental case for a user. See manpage for documentation.
+
+    Very useful when using with samba.
+
+    Using kimpersonate with SAMBA
+    =============================
+
+    entry in smb.conf
+
+            root preexec = /usr/samba/bin/su-user-login '%u'
+
+    Also see the su-user-login file, note that this file contains hacks
+    that parses the %u for samba 3.0-alpha22 something using domain
+    logins. Check that is matches your usage.
+
+    You need to make sure that somehow the samba does a afs setpag call
+    before calling afslog/aklog. See the patch
+    samba-setpag-patch-linux-and-freebsd above.
+
+Here is a text rendition the kimpersonate-1.0 **man page**:
+
+    KERBEROS(SECTION)                    LOCAL                   KERBEROS(SECTION)
+
+    NAME
+         kimpersonate - impersonate a user when there exist a srvtab, keyfile or
+         KeyFile
+
+    SYNOPSIS
+         kimpersonate [-s string | --server=string] [-c string | --client=string]
+                      [-k string | --keytab=string] [-4 | --krb4] [-5 | --krb5]
+                      [-e integer | --expire-time=integer] [-a string |
+                      --client-address=string] [-t string | --enc-type=string] [-f
+                      string | --ticket-flags=string] [--verbose] [--version]
+                      [--help]
+
+    DESCRIPTION
+         The kimpersonate program create a "fake" ticket using the service-key of
+         the service, the service key can be read from a Kerberos 5 keytab, AFS
+         KeyFile or (if compiled with support for Kerberos 4) a Kerberos 4 srvtab.
+         Supported options:
+
+         -s string, --server=string
+                 name of server principal
+
+         -c string, --client=string
+                 name of client principal
+
+         -k string, --keytab=string
+                 name of keytab file
+
+         -4, --krb4
+                 create a kerberos 4 ticket
+
+         -5, --krb5
+                 create a kerberos 5 ticket
+
+         -e integer, --expire-time=integer
+                 lifetime of ticket in seconds
+
+         -a string, --client-address=string
+                 address of client
+
+         -t string, --enc-type=string
+                 encryption type
+
+         -f string, --ticket-flags=string
+                 ticket flags for krb5 ticket
+
+         --verbose
+                 Verbose output
+
+         --version
+                 Print version
+
+         --help
+
+    FILES
+         Uses /etc/krb5.keytab, /etc/srvtab and /usr/afs/etc/KeyFile when avalible
+         and the the -k is used with appropriate prefix.
+
+    EXAMPLES
+         kimpersonate can be used in samba root preexec option or for debugging.
+         kimpersonate -s host/hummel.e.kth.se@E.KTH.SE -c lha@E.KTH.SE -5 --no-
+         krb4 will create a Kerberos 5 ticket for lha@E.KTH.SE for the host hum-
+         mel.e.kth.se if there exist a keytab entry for it in /etc/krb5.keytab
+
+         kimpersonate -k krb4:/etc/srvtab -s host/hummel.e.kth.se@E.KTH.SE -c
+         lha@E.KTH.SE --no-krb5 -4 will create a Kerberos 4 ticket for
+         lha@E.KTH.SE for the host hummel.e.kth.se if there exist a srvtab entry
+         for it in /etc/srvtab Note the Kerberos 5 syntax of the server.
+
+    SEE ALSO
+         kinit(1)
+
+    AUTHORS
+         Love H�rnquist-�strand < lha () stacken ! kth ! se >
+
+    Heimdal                          July 30, 2000                         Heimdal
+
 ## <a name="Random Links"></a> Random Links
 
 2002-05 discussion on samba-technical: [http://marc.theaimsgroup.com/?l=samba-technical&amp;m=102214554108308&amp;w=2](http://marc.theaimsgroup.com/?l=samba-technical&m=102214554108308&w=2)
 
-## <a name="Discussion / What are you doing?"></a> Discussion / What are you doing?
+## <a name="Attachments"></a> Attachments
+
+[http://www.shop263.com/i-4/207.htm A级表面SMC树脂] [http://www.shop263.com/i-4/208.htm B型硅胶] [http://www.shop263.com/i-4/209.htm DG膜纺织面料] [http://www.shop263.com/i-4/210.htm DNA细胞重生系列] [http://www.shop263.com/i-4/211.htm NMF因子肌肤平] [http://www.shop263.com/i-4/212.htm 艾芦植物平衡系列] [http://www.shop263.com/i-4/213.htm 氨基酸] [http://www.shop263.com/i-4/214.htm 按摩霜] [http://www.shop263.com/i-4/215.htm 巴豆酸] [http://www.shop263.com/i-4/216.htm 巴豆酸酐] [http://www.shop263.com/i-4/217.htm 白凡士林] [http://www.shop263.com/i-4/218.htm 包装用硅胶] [http://www.shop263.com/i-4/219.htm 宝宝绿色护理] [http://www.shop263.com/i-4/220.htm 保湿] [http://www.shop263.com/i-4/221.htm 保湿防裂润唇膏] [http://www.shop263.com/i-4/222.htm 保湿剂] [http://www.shop263.com/i-4/223.htm 保养喷蜡] [http://www.shop263.com/i-4/224.htm 杯垫] [http://www.shop263.com/i-4/225.htm 苯二胺] [http://www.shop263.com/i-4/226.htm 苯亚磺酸钠] [http://www.shop263.com/i-4/227.htm 畚箕刷] [http://www.shop263.com/i-4/228.htm 变色唇膏] [http://www.shop263.com/i-4/229.htm 变压器油] [http://www.shop263.com/i-4/230.htm 表面活性] [http://www.shop263.com/i-4/231.htm 表面活性剂] [http://www.shop263.com/i-4/232.htm 表面脂] [http://www.shop263.com/i-4/233.htm 表面脂药用] [http://www.shop263.com/i-4/234.htm 薄膜包衣剂] [http://www.shop263.com/i-4/235.htm 不饱和聚酯树脂] [http://www.shop263.com/i-4/236.htm 不锈底漆] [http://www.shop263.com/i-4/237.htm 不锈钢抛光液] [http://www.shop263.com/i-4/238.htm 擦铜水] [http://www.shop263.com/i-4/239.htm 彩妆] [http://www.shop263.com/i-4/240.htm 菜粕] [http://www.shop263.com/i-4/241.htm 菜油] [http://www.shop263.com/i-4/242.htm 菜籽色拉油] [http://www.shop263.com/i-4/243.htm 餐具洗涤剂] [http://www.shop263.com/i-4/244.htm 餐具洗涤用品] [http://www.shop263.com/i-4/245.htm 茶香酮] [http://www.shop263.com/i-4/246.htm 超级机油精] [http://www.shop263.com/i-4/247.htm 车用香水] [http://www.shop263.com/i-4/248.htm 成膜定型剂] [http://www.shop263.com/i-4/249.htm 宠物清洁杀虫剂] [http://www.shop263.com/i-4/250.htm 除虫菊素] [http://www.shop263.com/i-4/251.htm 厨房地面去油剂] [http://www.shop263.com/i-4/252.htm 厨房高效油污清洁剂] 
[http://www.shop263.com/i-4/253.htm 窗帘护脚垫] [http://www.shop263.com/i-4/254.htm 纯天然除虫菊] [http://www.shop263.com/i-4/255.htm 唇彩] [http://www.shop263.com/i-4/256.htm 唇油] [http://www.shop263.com/i-4/257.htm 带电清洗工程] [http://www.shop263.com/i-4/258.htm 单元卫生间用SMC树脂] [http://www.shop263.com/i-4/259.htm 低钠营养盐] [http://www.shop263.com/i-4/260.htm 低泡地毯清洁剂] [http://www.shop263.com/i-4/261.htm 低烟指数阻燃树脂] [http://www.shop263.com/i-4/262.htm 底蜡] [http://www.shop263.com/i-4/263.htm 电发] [http://www.shop263.com/i-4/264.htm 电器绝缘油] [http://www.shop263.com/i-4/265.htm 电清洗] [http://www.shop263.com/i-4/266.htm 电热驱蚊液] [http://www.shop263.com/i-4/267.htm 电热蚊香] [http://www.shop263.com/i-4/268.htm 电子蜡] [http://www.shop263.com/i-4/269.htm 调理剂] [http://www.shop263.com/i-4/270.htm 动物药业] [http://www.shop263.com/i-4/271.htm 多色唇彩] [http://www.shop263.com/i-4/272.htm 儿童护肤系列] [http://www.shop263.com/i-4/273.htm 儿童阶段护理] [http://www.shop263.com/i-4/274.htm 二氯异氰尿酸钠] [http://www.shop263.com/i-4/275.htm 二氧化氯] [http://www.shop263.com/i-4/276.htm 凡士林] [http://www.shop263.com/i-4/277.htm 防尘地垫] [http://www.shop263.com/i-4/278.htm 防虫防蛀片] [http://www.shop263.com/i-4/279.htm 防滑地垫] [http://www.shop263.com/i-4/280.htm 防集装箱摇晃系统] [http://www.shop263.com/i-4/281.htm 防晒隔离霜] [http://www.shop263.com/i-4/282.htm 防晒剂] [http://www.shop263.com/i-4/283.htm 防晒霜] [http://www.shop263.com/i-4/284.htm 防锈蜡] [http://www.shop263.com/i-4/285.htm 防锈润滑] [http://www.shop263.com/i-4/286.htm 防皱] [http://www.shop263.com/i-4/287.htm 纺织蜡] [http://www.shop263.com/i-4/288.htm 非医药日用品] [http://www.shop263.com/i-4/289.htm 酚类致敏物] [http://www.shop263.com/i-4/290.htm 粉饼] [http://www.shop263.com/i-4/291.htm 粉底霜] [http://www.shop263.com/i-4/292.htm 粉条] [http://www.shop263.com/i-4/293.htm 氟硅酸钠] [http://www.shop263.com/i-4/294.htm 氟西汀] [http://www.shop263.com/i-4/295.htm 富马酸单乙酯] [http://www.shop263.com/i-4/296.htm 钙强化营养盐] [http://www.shop263.com/i-4/297.htm 甘宝素] [http://www.shop263.com/i-4/298.htm 甘油液] [http://www.shop263.com/i-4/299.htm 感光材料] 
[http://www.shop263.com/i-4/300.htm 高固免抛面蜡] [http://www.shop263.com/i-4/301.htm 羧甲基纤维素钠] [http://www.shop263.com/i-4/302.htm 胎盘系列] [http://www.shop263.com/i-4/303.htm 特殊化学品] [http://www.shop263.com/i-4/304.htm 特殊添加剂] [http://www.shop263.com/i-4/305.htm 特种煤油] [http://www.shop263.com/i-4/306.htm 特种溶剂] [http://www.shop263.com/i-4/307.htm 体膏] [http://www.shop263.com/i-4/308.htm 天然提取物系列] [http://www.shop263.com/i-4/309.htm 天然植物型化妆品] [http://www.shop263.com/i-4/310.htm 铁强化营养盐] [http://www.shop263.com/i-4/311.htm 高级固蜡] [http://www.shop263.com/i-4/312.htm 高级免抛面蜡] [http://www.shop263.com/i-4/313.htm 高级软蜡] [http://www.shop263.com/i-4/314.htm 高级砂蜡] [http://www.shop263.com/i-4/315.htm 高级洗洁精] [http://www.shop263.com/i-4/316.htm 高级香水] [http://www.shop263.com/i-4/317.htm 高泡地毯清洁剂] [http://www.shop263.com/i-4/318.htm 高奇通洁灵] [http://www.shop263.com/i-4/319.htm 高速磨光面蜡] [http://www.shop263.com/i-4/320.htm 高效复合肥] [http://www.shop263.com/i-4/321.htm 高效广谱] [http://www.shop263.com/i-4/322.htm 高效回复液蜡] [http://www.shop263.com/i-4/323.htm 高效美白去角质凝霜] [http://www.shop263.com/i-4/324.htm 高新分离技术设备] [http://www.shop263.com/i-4/325.htm 膏霜] [http://www.shop263.com/i-4/326.htm 个人洗护用品] [http://www.shop263.com/i-4/327.htm 工控自动化] [http://www.shop263.com/i-4/328.htm 工业凡士林] [http://www.shop263.com/i-4/329.htm 工业清洁剂] [http://www.shop263.com/i-4/330.htm 工业清洗机] [http://www.shop263.com/i-4/331.htm 工业清洗剂] [http://www.shop263.com/i-4/332.htm 工业清洗用品] [http://www.shop263.com/i-4/333.htm 工业用粘合剂] [http://www.shop263.com/i-4/334.htm 工艺品树脂] [http://www.shop263.com/i-4/335.htm 共聚物] [http://www.shop263.com/i-4/336.htm 固体清香] [http://www.shop263.com/i-4/337.htm 硅胶猫砂] [http://www.shop263.com/i-4/338.htm 果冻蜡] [http://www.shop263.com/i-4/339.htm 合成洗衣粉] [http://www.shop263.com/i-4/340.htm 护发素] [http://www.shop263.com/i-4/341.htm 护肤品] [http://www.shop263.com/i-4/342.htm 护甲油] [http://www.shop263.com/i-4/343.htm 护理用品] [http://www.shop263.com/i-4/344.htm 花卉环保杀虫剂] [http://www.shop263.com/i-4/345.htm 化妆盒] 
[http://www.shop263.com/i-4/346.htm 化妆品] [http://www.shop263.com/i-4/347.htm 化妆套刷] [http://www.shop263.com/i-4/348.htm 化妆洗涤品] [http://www.shop263.com/i-4/349.htm 环保甲油] [http://www.shop263.com/i-4/350.htm 环保桶] [http://www.shop263.com/i-4/351.htm 黄凡士林] [http://www.shop263.com/i-4/352.htm 活粒子精华倒膜] [http://www.shop263.com/i-4/353.htm 机械设备清洁剂] [http://www.shop263.com/i-4/354.htm 积碳净] [http://www.shop263.com/i-4/355.htm 季胺碱] [http://www.shop263.com/i-4/356.htm 加碘精制盐] [http://www.shop263.com/i-4/357.htm 家居清洁用品] [http://www.shop263.com/i-4/358.htm 家居卫生杀虫剂] [http://www.shop263.com/i-4/359.htm 家居洗涤用品] [http://www.shop263.com/i-4/360.htm 家庭消毒药水] [http://www.shop263.com/i-4/361.htm 甲基纤维素] [http://www.shop263.com/i-4/362.htm 减肥霜] [http://www.shop263.com/i-4/363.htm 娇肤特效眼膜] [http://www.shop263.com/i-4/364.htm 洁肤凝露] [http://www.shop263.com/i-4/365.htm 洁面乳] [http://www.shop263.com/i-4/366.htm 洁阴液] [http://www.shop263.com/i-4/367.htm 睫毛膏] [http://www.shop263.com/i-4/368.htm 金属加工用油] [http://www.shop263.com/i-4/369.htm 精华素] [http://www.shop263.com/i-4/370.htm 精炼棉籽油] [http://www.shop263.com/i-4/371.htm 精细化工助剂] [http://www.shop263.com/i-4/372.htm 桔色硅胶] [http://www.shop263.com/i-4/373.htm 焗油发膜] [http://www.shop263.com/i-4/374.htm 聚胺脂泡沫填缝剂] [http://www.shop263.com/i-4/375.htm 聚丙烯酰胺] [http://www.shop263.com/i-4/376.htm 聚羧酸] [http://www.shop263.com/i-4/377.htm 莰烷酮] [http://www.shop263.com/i-4/378.htm 抗皱美白] [http://www.shop263.com/i-4/379.htm 空气清新剂] [http://www.shop263.com/i-4/380.htm 口红] [http://www.shop263.com/i-4/381.htm 口红笔] [http://www.shop263.com/i-4/382.htm 口腔护理品] [http://www.shop263.com/i-4/383.htm 矿物质] [http://www.shop263.com/i-4/384.htm 拉挤树脂] [http://www.shop263.com/i-4/385.htm 蜡和香精] [http://www.shop263.com/i-4/386.htm 蜡烛蜡] [http://www.shop263.com/i-4/387.htm 蓝色硅胶] [http://www.shop263.com/i-4/388.htm 老年斑霜] [http://www.shop263.com/i-4/389.htm 离子类烫] [http://www.shop263.com/i-4/390.htm 立净洗洁精] [http://www.shop263.com/i-4/391.htm 亮丽玻璃清洁剂] [http://www.shop263.com/i-4/392.htm 邻苯二甲醛] 
[http://www.shop263.com/i-4/393.htm 邻氯苯甲醛] [http://www.shop263.com/i-4/394.htm 磷酸一铵] [http://www.shop263.com/i-4/395.htm 流体瓜尔豆胶悬浮液] [http://www.shop263.com/i-4/396.htm 漏电保护神] [http://www.shop263.com/i-4/397.htm 芦荟保湿] [http://www.shop263.com/i-4/398.htm 芦荟干粉] [http://www.shop263.com/i-4/399.htm 芦荟果丁] [http://www.shop263.com/i-4/400.htm 芦荟胶囊] [http://www.shop263.com/i-4/401.htm 芦荟酒] [http://www.shop263.com/i-4/402.htm 芦荟矿物晶] [http://www.shop263.com/i-4/403.htm 芦荟面膜] [http://www.shop263.com/i-4/404.htm 芦荟凝胶] [http://www.shop263.com/i-4/405.htm 芦荟润肤] [http://www.shop263.com/i-4/406.htm 芦荟系列] [http://www.shop263.com/i-4/407.htm 芦荟系列化妆品] [http://www.shop263.com/i-4/408.htm 芦荟牙膏] [http://www.shop263.com/i-4/409.htm 水性甲油] [http://www.shop263.com/i-4/410.htm 速消眼角皱纹蜜] [http://www.shop263.com/i-4/411.htm 塑料衣夹] [http://www.shop263.com/i-4/412.htm 羧甲淀粉钠]
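Review bot: the "Attachments" section that replaces "Discussion / What are you doing?" consists entirely of shop263.com product links with no relation to AFS or Samba, i.e. wiki link spam, so that part of the change should be reverted and the Discussion section restored. Separately, the new "More secure options" section should state the trust consequence that the quoted afs.c comment only implies: both the fake-kaserver build (which mints tickets from the cell KeyFile copied into secrets.tdb) and kimpersonate (which requires the AFS key to be stored on the Samba host) make the Samba server able to issue tokens for any user, so it must be secured, access-controlled and monitored to the same standard as the cell's own servers, and "more secure" holds only relative to sending plain-text passwords over the network. Minor fixes in the added prose: "fileshareing" should be "file sharing", "The simple may is" should be "The simple way is", "On solution" should be "One solution", "kimersonate" should be "kimpersonate", and the author's name appears with replacement characters ("H�rnquist-�strand") in two places and needs re-entering in UTF-8. The hedges "It looks like Samba 3.0.4 has" and "perhaps only for the Kerberos 4 kaserver on GNU/Linux" would be better resolved by checking the referenced smb.conf(5) AFSSHARE documentation before merging.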