[linux-cifs-client] Kerberos5 support in cifs pathset [PATCH: 0/4]
Jeff Layton
jlayton at redhat.com
Tue Oct 23 12:06:19 GMT 2007
On Mon, 22 Oct 2007 21:09:08 +0400
"Q (Igor Mammedov)" <qwerty0987654321 at mail.ru> wrote:
> Hi Jra and Steve,
>
> Complete Kerberos5 support patch is attached (against kernel
> 2.6.22.9).
>
> Before mounting user must have TGT acquired and cached (for example
> using kinit).
>
> For mounting I used followed command:
>
> mount -t cifs \\\\server\\share /mnt -o guest,sec=krb5i
>
> Share will be mounted with calling user credentials(TGT) and key will
> be saved in user's session keyring.
>
> Additionaly to make patch easyer for review I will send it in
> following small parts:
>
> krb_signing.patch - adds support for signing required for kerberos
>
> enable_krb5_in_NEG_and_SESS_SETUP_req.patch - enables extended
> security in NEG... and SESSION_SETUP... requests when mounting with
> krb5i option
>
> spnego_upcall_handling.patch - upcall handling via KEYS API for
> getting security blob and session key
>
> spnego_request_key_utility.patch - userspace utility for creating
> security blob and getting session key.
>
> patch: spnego_upcall_handling.patch depends on the first 2 patches.
>
>
> Comments are appreciated.
>
Igor, many thanks for posting this patchset. My hat's off to you for
tackling a tough problem!
The fundamental design with these patches is a bit different than what
I had envisioned, so I'm not sure how much I'll be able to use
directly, but some of it (particularly the krb5_signing.patch) looks
like we might be able to use it as-is.
At the very least this helps fill in some of the gaps in my knowledge
of when during the SPNEGO setup we'll have certain information.
I plan to spend some time reviewing this later today.
Thanks,
--
Jeff Layton <jlayton at redhat.com>
More information about the linux-cifs-client
mailing list