Hi. I'm trying to find a solution for our windows clients. I will explain my situation.

We have kerberos 5 (mit) kdc, openafs without kaserver (authentication using kerberos), openldap, everything on debian stable servers.

What do our unix/linux clients do? They authenticate over kerberos (pam), gain tickets and consequently gain the afs token (krb5afs or openafs_session), call ldap and find their home under /afs/cell/usr/username (posixAccount, posixGroup). Nothing is local. Every file, desktop and stuff, is stored under afs (no matter what, a user sees just a directory /afs... nothing different from any other directory they will see).

I'd like to do the same thing on windows using samba, but I need some advice because I'm not sure.

Just two points before asking. These things apply clearly for windows only, since linux, unix (aix, irix, and solaris), and macosx do what I've said before (all remotely).

- Kerberos for Windows: KFW after a successful windows login, if the username and password match the kerberos principal and password, automatically gains all kerberos tickets.
- OpenAFS for Windows: AFS after a successful windows login, if the username and password match the kaserver principal and password, automatically gains the AFS token.
--- If OpenAFS is installed under a kerberos environment, so with KFW present on the system, it will convert the previously obtained kerberos ticket into an AFS token.
--- OpenAFS uses a UNC name \\AFS in windows, so no letter Z: Y: or whatever is needed anymore; anyway, they can be present.

Now, I'd like to have the same thing without a windows server, doing the same thing with samba, having remote profiles and all the user's stuff on afs, and authenticating users NOT locally... is that possible?

I'd like to know some things. My user authentication and authorization data is created on kerberos, afs and ldap servers. I'd like to create users just on samba, not modifying users locally on each machine... would be quite crazy (and not feasible... ~500 users...). Can samba help me? In what way?

I know I can create an NT4 domain with samba alone. Good. Can samba tell the windows client to use \\AFS or do I have to export a drive for afs? Are there issues in doing that?

If I specify ``\\AFS\cellname\users\username'' as the profile storing directory, will windows go on afs or will samba screw it all up since samba does not understand \\AFS since it is working on linux? I mean, windows understands \\AFS\blah\blah but I don't know if it's a

I know the answer is no, but I will ask it anyway :) Can samba have no password and get authentication/authorization from a kerberos kdc?

How can I synchronize passwords? I mean, if samba can't use kerberos, the user will change just the samba password... I need to modify also kerberos passwords since they should be able to use the same username and password on every pc in the department.

In particular... I was discouraged from using samba, because all windows clients would be using plain text passwords, sending them clear-text on the network. Is it true? Is there a way of avoiding this?

Any help, even if little, is really appreciated!!!

-- 
Sensei <mailto:senseiwa@tin.it> <pgp:8998A2DB>
       <icqnum:241572242>
       <yahoo!:sensei_sen>
       <msn-id:sensei_sen@hotmail.com>