nilecirb 05-12-2007 01:33 AM

File serving through Kerberos authentication
 
In my network, I have a KDC server running Windows Server 2003 (gamma), a Linux file server (delta), and a Linux client (epsilon) that can successfully retrieve a KRB5 ticket from gamma. At the moment, I'm wondering what file system I should use for the shares on delta. I'm looking primarily at OpenAFS and NFSv4, unless someone can suggest a better solution.

Ideally, when epsilon wants to mount one of delta's shares, it needs to authenticate with gamma first. What should happen is that epsilon's forwardable ticket should be sent to delta, which then checks against gamma. If gamma approves the ticket for the share, delta continues and lets epsilon mount it.

Is what I want to do even possible? If at all possible, I would like to avoid using a keytab, as I've encountered many problems creating it with matching kvnos. Thanks for any help.

hob 05-12-2007 04:29 PM

I guess that it depends on the reason that you chose to use Windows as the KDC. If it's for compatibility with Windows clients then it's probably best to go the Samba route - running a Winbind service on the Linux boxes to talk to the Windows DC with Kerberos etc., and then export the necessary directories as Samba file shares.

nilecirb 05-12-2007 11:46 PM

To clarify the situation, these 3 machines exist in a Windows-centric environment, with gamma as the primary DC. The shares on delta will only be mounted on the Linux clients, so I prefer to use OpenAFS or NFSv4. However, I still want the users to be authenticated via the KDC (preferably by getting a forwardable ticket). After delta receives the ticket, it should verify that the credentials match those for that particular share. With that cleared up, can anyone point me in the right direction?


All times are GMT -5.