[linux-cifs-client] Re: cifs kerberos authtentication
Steven French
sfrench at us.ibm.com
Fri Nov 19 22:25:05 GMT 2004
> But it seams that cifs does at the moment not support kerberos
> authentication to win servers.
Yes - cifs supports NTLM not Kerberos, and in some cases CIFS can do NTLM
via NTLMSSP encapsulation but no SPNEGO encapsulation of Kerberos tickets
is supported yet.
> Is there a technical problem?
Yes. Among the issues is that there is no spnego code in the kernel (I
started it early in the year, but it is disabled as it is not complete).
Using a userspace helper is possible but introduces some issues in
reliable reconnection (where calling up to a userspace helper as smbfs
would do) is tricky. In addition various implementations of SPNEGO have
had security/stability issues so we want to do whichever approach (kernel
or upcall to samba client library) very carefully.
The good news is that with the new kernel credential keyring (and
hopefully a kerberos enabled pam module that can store tickets in kernel)
and the new kernel->userspace communication/notification mechanism - this
will be easier.
> Is an kerberos implementation planed?
> And if, when will a usable version be released?
Yes - probably not till next year unless someone would help out with some
patches/proposals.
Steve French
Senior Software Engineer
Linux Technology Center - IBM Austin
phone: 512-838-2294
email: sfrench at-sign us dot ibm dot com
-------------- next part --------------
HTML attachment scrubbed and removed
More information about the linux-cifs-client
mailing list