I think I have come across what seems to be a bug in the interplay between Samba and AFS. I'm running 1.9.16p11 on an IBM RS/6000 (AIX 4.1.5) with the AFS support included (AFS 3.4a). The client machine is running Windows 95. I've created an AFS area which is writeable (rlidwk) to an AFS protection group. The group contains two AFS users, say user1 and user2. If user1 creates a file in the area, user2 can - correctly - do whatever she likes with the file when using AFS client software directly. However, the file created by user1, with its ownership of user1, is marked read-only on the W95 client PC when connected to Samba as user2. There does not seem to be any way to remove the read-only attribute from the W95 client. (By creating new files in sensitive areas, we have verified that the Samba server process is running with an AFS token for user2.) This behaviour makes me suspect that Samba looks at the ownership of the files even under AFS and perhaps the attributes for group and other users, which is all fairly meaningless under AFS... Is this possible? Cheers, Helge ---------------------------------------------------------------------------- Helge MEINHARD CERN (European Laboratory for Particle Physics) ECP division, CH-1211 Geneve 23, Switzerland Phone: +41 22 76-76031, Fax: +41 22 76-73100 E-mail: Helge.Meinhard@cern.ch
Hi. I use Windows NT 4.0 SP4 and Windows 98, and I would like to connect via Samba to a file(or directory) in AFS. However, samba doesn't appear to validate my password against the AFS database. I'm using (forced by NT, and for security reasons) encrypted passwords, what forces me to have a smbpasswd file. Is that the problem? If it is, is there anyway that samba can accept the encrypted password from Windows, decrypt it, and verify it against the AFS database? If someone has this working, please give me a hint! Thanks -- nneves@di.fc.ul.pt Dept. Informatica, Fac. Ciencias, |\ | |\ | Tel: +351 1 7500127 Univ. Lisboa, Bloco C5, Campo Grande | \|uno | \|eves Fax: +351 1 7500084 1700 Lisboa, Portugal
>Date: Sat, 03 Apr 1999 15:45:11 +0100 >From: Nuno Miguel Neves <nneves@di.fc.ul.pt> >To: samba@samba.org >Subject: Samba and AFS >Message-ID: <37062977.81EA3BE6@di.fc.ul.pt> > >Hi. >I use Windows NT 4.0 SP4 and Windows 98, and I would like to connect via >Samba to a file(or directory) in AFS. >However, samba doesn't appear to validate my password against the AFS >database. I'm using (forced by NT, and for security reasons) encrypted >passwords, what forces me to have a smbpasswd file. Is that the problem? >If it is, is there anyway that samba can accept the encrypted password from >Windows, decrypt it, and verify it against the AFS database? >If someone has this working, please give me a hint!Nuno, No, there is no existing mechanism to use encrypted passwords with Samba's AFS authentication. All the AFS tools do is take the cleartext password supplied by the user and present it to the PTS server to obtain AFS tokens. If the password is encrypted, this process fails. Two basic stratagies have been proposed to get around this. One is to maintain a table of both the encrypted and unencrypted passwords on the Samba server, and hack the AFS authentication module to match up the encrypted passwords in this file and get the corresponding unencrypted password for use in the klog process. The other is a sidecar approach, adding some separate client to the windows box and server to the UNIX box to negotiate the AFS authentication in some secure fashion. I'm not aware of anybody that has really cleanly implemented either solution. --Ken --------------------------------------------------------------------------- Ken Weiss ken.weiss@ucop.edu California Digital Library Technologies UC Office of the President (510) 710-3356 (voice) 1111 Franklin Street #7313B ken.weiss.pager@ucop.edu (text page) Oakland, CA 94607-5200 http://dcas.ucdavis.edu/kenhome.html
I want to compile samba-2.0.6 with AFS 3.5 support on Solaris 7. Is "./configure --with-afs" option enough to support AFS? I find the article in the mailing list archives of the samba homepage. <http://us1.samba.org/listproc/samba/March1999/0233.html> It gives two patch files for AFS-support. But I couldn't download them. The links are broken. Would you send the patches for me, if you have. Thanks in advance. -- Flips! JANG June Young