3.15. Authenticated SMB Access to the OpenAFS Client Service

This section is maintained for historical reference and those sites that are manually configuring the OpenAFS Service to act as an SMB gateway. This section does not apply when the OpenAFS IFS redirector driver is in use.

OpenAFS authenticates SMB connections using either NTLM or GSS SPNEGO (NTLM). In previous versions of OpenAFS, SMB connections were unauthenticated, which opened the door to several attacks that could be used to obtain access to another user's tokens on shared machines.

When GSS SPNEGO attempts a Kerberos v5 authentication, the Windows SMB client will attempt to retrieve service tickets for "cifs/afs@REALM" (if the loopback adapter is in use) or "cifs/machine-afs@REALM" (if the loopback adapter is not being used). It is extremely important that this service principal not exist in the KDC database: the Kerberos authentication must fail so that the client automatically falls back to NTLM. When NTLM is used, a special local authentication mode is used that does not require access to the user's password; instead, Windows internally recognizes the request as coming from a local logon session.

It should also be noted that because Kerberos v5 authentication cannot be used, it is not possible to digitally sign the SMB communications. On systems that require Digital Signing of SMB Client connections, access to \\AFS will fail with a connection error.
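The two preconditions above (the cifs/afs service principal must be absent, and SMB client signing must not be required) can be checked on the Windows client before deploying the SMB gateway. The script below is an added example, not part of OpenAFS or its documentation; it assumes an Active Directory KDC (setspn.exe queries the directory) and the standard LanmanWorkstation RequireSecuritySignature policy value. For an MIT or Heimdal KDC, the principal check would instead be done with kadmin getprinc.

```powershell
# Added check script (not from OpenAFS). Verifies the conditions under which
# the Windows SMB client falls back from Kerberos to NTLM for \\AFS.

$machine = $env:COMPUTERNAME
# Service principals the SMB client will ask the KDC for, depending on whether
# the loopback adapter is in use (cifs/afs) or not (cifs/<machine>-afs).
$spns = @("cifs/afs", "cifs/$machine-afs")

$problems = @()
foreach ($spn in $spns) {
    # setspn -Q queries AD for an existing SPN registration (assumption: output
    # contains "Existing SPN found" when registered, "No such SPN found" otherwise).
    $out = (& setspn.exe -Q $spn 2>&1) -join "`n"
    if ($out -match "Existing SPN found") {
        $problems += "$spn is registered in the directory; Kerberos will succeed and no NTLM fallback will occur"
    } elseif ($out -notmatch "No such SPN found") {
        $problems += "could not determine whether $spn exists (setspn output: $out)"
    }
}

# If the SMB client is configured to require signing, \\AFS will fail,
# because the NTLM-authenticated session cannot be signed.
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters"
$sig = (Get-ItemProperty -Path $key -Name RequireSecuritySignature -ErrorAction SilentlyContinue).RequireSecuritySignature
if ($sig -eq 1) {
    $problems += "SMB client signing is required (RequireSecuritySignature=1); access to \\AFS will fail with a connection error"
}

if ($problems.Count -eq 0) {
    Write-Output "OK: no conflicting SPN registered and SMB client signing is not required"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```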