George Mamalakis wrote:
Hello everybody,

In our department, we have decided to move our configuration from NFS/SAMBA to LDAP, OpenAFS, heimdal and samba on our labs. Our servers run FreeBSD, while our clients are dual boot machines, running linux and Windows XP. The book "Distributed services with openafs" has been a great aid to our venture, but there is one big thing that needs to be resolved, which the aforementioned book does not seem to cover.

Heimdal, OpenAFS and LDAP worked (after long hours of testing and debugging) like a charm, which means that users are now able to login on linux boxes using their kerberos credentials (through pam), retrieve all needed information (nsswitch) from ldap, and have their home folders stored in afs space.

Samba, on the other hand, seems much more difficult to configure. The book takes an approach of the following concept: All machine/user/group information is stored on the LDAP server and Samba is configured to function via LDAP (OpenLDAP, of course). Users are required to join the Samba domain, and access their home folders/profiles via the Samba server. Since authentication/authorization is completely left to samba, there is no direct communication of the user with the KDC (or afs whatsoever). For users to access their folders and profiles, samba has to become a kerberos/afs client with all needed privileges to perform its actions. Therefore, instead of storing files in our ufs filesystem, samba stores them in afs space. I will not delve into more details, since the problem starts quite soon.

User homedirs are located in /afs/mydomain/users/<userdirs>. Machines join our domain without any problems. A user "windows" along with its principal have been created on the samba machine and the KDC respectively. The same user has been created on the afs server as well, and that user has all (afs) permissions granted on the users' home directories (via acls). On the samba server, after /afs has been mounted, user windows is able to access everything as it should, once I "kinit windows" and then "afslog mydomain". So, I changed samba's rc script so as to "kinit windows" and then obtain the afs token through "afslog mydomain". The first problem was that when I first connected with my testuser on samba through smbclient, samba refused to give me any sort of access on my home folder. After setting "fs setacl /afs/mydomain/users/testuser system:anyone all", I was able to connect with smbclient, and when I created a directory, the directory's owner was 32766, which stands, of course, for system:anyone.

I have changed my samba rc script so that once samba gets started, the script touches a file in /afs/mydomain/users/testuser. The file's owner is "windows" indeed!

I don't understand why this happens. I suppose that once the samba processes (smbd, nmbd) have been forked by the rc script, for some reason that I miss, tokens are not "passed" to them, and hence the problem exists.

The book describes this procedure through the use of the MIT Kerberos implementation and not heimdal. In this case, "aklog -setpag" may well result in something different from afslog... I really don't know.

In any case, does anybody know how one may resolve this issue? And if not, is there an alternate way to configure my systems?

Thank you all for your time in advance, and I hope that somebody will help.
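One way to rule out the "token not passed to the forked smbd" theory from the post above, as an added example that is not part of the thread: obtain the token inside a PAG (via OpenAFS `pagsh`) and exec smbd from that same shell, so every forked child inherits the PAG rather than relying on a uid-bound token that is lost once smbd switches to the connecting user's uid. The keytab and binary paths, and the Heimdal `kinit -t` keytab syntax, are assumptions and not from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: start smbd inside its own AFS PAG so the
# token obtained for principal "windows" is inherited by every forked smbd
# child, including after smbd changes uid for a connecting user.
# Assumed (not stated in the thread): Heimdal kinit/afslog, OpenAFS pagsh, and
# a keytab holding the "windows" principal at KEYTAB.
CELL="${CELL:-mydomain}"
PRINC="${PRINC:-windows}"
KEYTAB="${KEYTAB:-/usr/local/etc/samba-windows.keytab}"   # assumed path
SMBD="${SMBD:-/usr/local/sbin/smbd}"                      # assumed path

# Compose the command line that runs inside the PAG. Kept in its own function
# so it can be inspected without the AFS/Kerberos tools installed.
pag_command() {
    # kinit -t: Heimdal syntax for "take the key from this keytab, no password".
    printf 'kinit -t %s %s && afslog %s && exec %s -D' \
        "$KEYTAB" "$PRINC" "$CELL" "$SMBD"
}

# Succeed only if every tool the wrapper needs is on PATH.
have_tools() {
    for t in pagsh kinit afslog; do
        command -v "$t" >/dev/null 2>&1 || return 1
    done
    return 0
}

# pagsh creates a fresh PAG and hands its arguments to /bin/sh, so the token
# from afslog belongs to that PAG (and to smbd's descendants), not to root's
# uid alone as it does when the rc script runs kinit/afslog directly.
start_smbd_in_pag() {
    have_tools || { echo "missing pagsh/kinit/afslog" >&2; return 1; }
    pagsh -c "$(pag_command)"
}

case "${1:-}" in
    start) start_smbd_in_pag ;;
esac
```

Run it as `smbd-pag.sh start` from the rc script in place of the bare smbd invocation; `tokens` run from within the same `pagsh` shows whether the token was obtained.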

Why aren't you just using the native OpenAFS client for windows?

If you must do samba, have you configured windows and samba to use clear-text passwords? Samba must pass the raw password to OpenAFS, not the lanman-hashed version that samba receives from the client.

Sincerely,
Jason
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info