+<div>
+ <ul>
+ <li><a href="#Using Samba as an AFS gateway"> Using Samba as an AFS gateway</a><ul>
+ <li><a href="#Plain text passwords sent over n"> Plain text passwords sent over network</a><ul>
+ <li><a href="#Compile Samba --with-pam"> Compile Samba --with-pam</a></li>
+ <li><a href="#Compile Samba --with-afs"> Compile Samba --with-afs</a></li>
+ </ul>
+ </li>
+ <li><a href="#No plain text passwords sent ove"> No plain text passwords sent over network</a><ul>
+ <li><a href="#kSAMBA"> kSAMBA</a></li>
+ <li><a href="#SMBKlog"> SMBKlog</a></li>
+ <li><a href="#FOKSTRAUT"> FOKSTRAUT</a></li>
+ </ul>
+ </li>
+ <li><a href="#Random Links"> Random Links</a></li>
+ <li><a href="#Discussion / What are you doing?"> Discussion / What are you doing?</a></li>
+ </ul>
+ </li>
+ </ul>
+</div>
+
# <a name="Using Samba as an AFS gateway"></a> Using Samba as an AFS gateway
Recently I've been researching methods of using Samba as an AFS gateway. Below are my findings so far. Please feel free to add/correct stuff. -- [[DanielClark]] - 04 Aug 2002
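Review bot: The hrefs in the added TOC use raw heading text as fragment identifiers, so every entry carries unencoded spaces, and two are cut off mid-word ("#Plain text passwords sent over n", "#No plain text passwords sent ove"). These links resolve only while the matching name attributes are truncated the same way, and a fixed-length cut can make two long headings collide. Suggest generating short slug-style anchors without spaces and using the same value in both the href and the heading's name attribute.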
- Client gets no warning before AFS tokens expire
- To get new tokens, client must unmap and then remap the drive letter corresponding to the AFS gateway
-### <a name="Compile Samba <code><b>--with-pam=="></a> Compile Samba ==--with-pam
+### <a name="Compile Samba --with-pam"></a> Compile Samba --with-pam
This causes Samba to use pluggable authentication modules (PAM) for authentication. PAM is available on many Unix variants, notably Linux and Solaris. There are PAM modules for the various Kerberos implementations that work with AFS; the module for the default kaserver comes with [[OpenAFS]]. For some more info on PAM see the [Samba doc](http://de.samba.org/samba/ftp/docs/htmldocs/Samba-HOWTO-Collection.html#PAM). Many precompiled versions of Samba are built with this option (i.e. Redhat's Samba RPMs)
- Doesn't work with operating systems that do not support PAM.
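Review bot: In the new heading "Compile Samba --with-pam", the configure option is now bare text. The old line was clearly trying to mark it as code. Suggest wrapping the flag in backticks in the heading text so it reads as a literal option, while keeping the plain name="Compile Samba --with-pam" that the TOC link targets. The same applies to the --with-afs heading that follows.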
-### <a name="Compile Samba <code><b>--with-afs=="></a> Compile Samba ==--with-afs
+### <a name="Compile Samba --with-afs"></a> Compile Samba --with-afs
This links Samba against AFS authentication code directly.
## <a name="No plain text passwords sent ove"></a> No plain text passwords sent over network
-These methods that avoid sending plain text passwords over the network.
+These are methods that avoid sending plain text passwords over the network.
Advantages:
Disadvantages:
-- Require modifications to stock Samba distribution
+- Requires modifications to stock Samba distribution
- Requires additional infrastructure beyond Samba
- All are primarily internal projects that people did for their employers, support may be minimal to nonexistent.
Advantages:
- Password not sent over network in plain text
-- Not specific to any particular Kerberos implementation
- In use for several years with a large number of clients
- Has advantages other than secure AFS login
- Seems to be under active development
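Review bot: The deleted bullet "- Not specific to any particular Kerberos implementation" removes a stated advantage with no replacement and no reason visible in the patch. The other edits here are wording and anchor fixes, so this is the only change that alters what the page claims about the method. If the claim was wrong, note that in the commit message or replace the bullet with the actual constraint. If it was dropped by accident, restore it.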
- Requires some out-of-band secure infrastructure for users to change their passwords.
- Authors mention using a simple script on a login server in which a user can make an SMB connect and authenticate themselves. Unsure of the security of this solution.
- Another possibility would be a web application behind an SSL server running on the same host as the Samba server.
-- Passwords must be stored in plaintext on the Samba server.
+- Passwords must be stored in cleartext on the Samba server.
## <a name="Random Links"></a> Random Links
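Review bot: On the changed line "- Passwords must be stored in cleartext on the Samba server.", "cleartext" is the only use of that word in the visible page. The section headings and the bullet "Password not sent over network in plain text" all say "plain text". If the new word is meant to separate storage at rest from transmission over the network, say so directly, for example "stored unencrypted on the Samba server". Otherwise keep one term throughout.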