[linux-cifs-client] Re: cifs kerberos authentication

Steven French sfrench at us.ibm.com
Fri Nov 19 22:25:05 GMT 2004


> But it seems that cifs does at the moment not support kerberos
> authentication to win servers.

Yes - cifs supports NTLM not Kerberos, and in some cases CIFS can do NTLM 
via NTLMSSP encapsulation but no SPNEGO encapsulation of Kerberos tickets 
is supported yet.

> Is there a technical problem? 
Yes. Among the issues is that there is no spnego code in the kernel (I 
started it early in the year, but it is disabled as it is not complete). 
Using a userspace helper is possible but introduces some issues in 
reliable reconnection (where calling up to a userspace helper, as smbfs 
would do, is tricky).  In addition various implementations of SPNEGO have 
had security/stability issues so we want to do whichever approach (kernel 
or upcall to samba client library) very carefully.

The good news is that with the new kernel credential keyring (and 
hopefully a kerberos enabled pam module that can store tickets in kernel) 
and the new kernel->userspace communication/notification mechanism - this 
will be easier.


> Is a kerberos implementation planned?
> And if, when will a usable version be released?

Yes - probably not till next year unless someone would help out with some 
patches/proposals.


Steve French
Senior Software Engineer
Linux Technology Center - IBM Austin
phone: 512-838-2294
email: sfrench at-sign us dot ibm dot com