Message-Id: <199708201537.IAA04658@mailhost1.cac.washington.edu>
From: "James W DeRoest" <deroest@cac.washington.edu>
To: "AST Webpage" <astweb@u.washington.edu>
Subject: SMB authentication in labs
Date: Wed, 20 Aug 1997 08:36:47 -0700

-----Original Message-----
From: Yonah Karp <yonah@u.washington.edu>
To: Elizabeth Williams <betsy@u.washington.edu>; M. McNair <mcnair@u.washington.edu>; David Cox <dcox@u.washington.edu>; Adam Ith <aith@u.washington.edu>; Steven Jones <noyd@u.washington.edu>; R. Campbell <ryanc@u.washington.edu>
Cc: Oren Sreebny <oren@u.washington.edu>; Jim DeRoest <deroest@u.washington.edu>; Sandra Moy <sandy@cac.washington.edu>; C. Warren <cwarren@u.washington.edu>; Jim Fox <fox@u.washington.edu>; Donn Cave <donn@u.washington.edu>; erinh@cac.washington.edu <erinh@cac.washington.edu>
Date: Thursday, July 24, 1997 3:48 PM
Subject: SMB authentication in labs
Below are notes from this morning's meeting.
Yonah
======
Attending: Betsy Williams, Mark McNair, Yonah Karp, David Cox, Adam Ith, Steve Jones, Ryan Campbell.
The basic idea behind this project is that a user needs to have a homer or dante (UA) account to get into the lab and will be authenticated via a lab logon using SMB and their UA password. For W95 boxes authentication is done via SMB; for Mac OS authentication will be done via an ftp client.
- We'll need an emergency procedure to log into the lab for the .1% of folks who don't meet the above requirement, i.e. a labguest account. We discussed various methods to secure access to this account; CS will come up with an appropriate solution and implement it.
- Need a policy decision about what happens when an individual is disusered. We'd prefer that they lost lab access.
- We will need to very strenuously encourage people to log out.
- CS will see to it that when they log out they will lose their various caches.
- AST will figure out whether the A&gelyS pilot SMB mounting server simba01 should be a different computer than the computer where the lab authentication occurs. Currently, both functions occur on simba01.
- The ftp client is currently set up for homer.
- CS wants to ultimately authenticate against our Kerberos DB. Right now they can use simba01 -- it will authenticate against the homer password file. This is the first stage; step 2 will be to authenticate against the UA-wide password DB; step 3 is to authenticate against our K5 DB.
- We mentioned the "renew" web-based utility AST plans on having up by fall, which will allow students (and possibly fac/staff) to reset passwords for people who can't remember (and possibly for people who can).
- Mark/CS will test their Mac ftp authentication software against ftp.u, homer.u, etc.
- AST will work with CS (Chad & Adam) to look at the "authman" client which goes directly from a Mac box to a Kerberos db. Unclear whether it's k4 or k5, however.
- There is a suite of client-side software called LabMan from University of Texas which is worth looking at for the future. It's not ready for use this autumn but may be for autumn '98.
- There was some discussion of domain logins. Steve will work with CS on this.