[linux-cifs-client] Kerberos5 support in cifs pathset [PATCH: 4/4] userspace utility for creating security blob and getting session key
simo idra at samba.org
Fri Oct 26 12:13:27 GMT 2007
On Fri, 2007-10-26 at 14:04 +0400, Q (Igor Mammedov) wrote:
> simo wrote:
> > Have you already thought about how to find the right credentials here?
>
> It takes the first TGT from the default Kerberos cache file. We don't
> have a direct means to select which TGT to use for the TGS; I could
> suggest that we use the UID of the user calling the 'mount' utility to
> decide whose krb5 cache to use (assuming that most users have only one
> TGT).
> For hands-off cache initialization we could use keytab files. The proper
> place for this could be in mount.cifs. For example, we specify sec='krb5'
> and the credentials option with a keytab file or user/password, and the
> mount.cifs utility initializes the cache with a TGT.

I should have explained that we plan to allow a new session setup every
time a new uid walks a mount point. We already have the uid available;
the real problem is that the best I could think of so far is to try and
see if /tmp/krbcc_<uid> exists and try with that.

> Recently I've played with mounting using krb5 auth as an ordinary user
> and have a patch to cifs_spnego.c and my kernel patch that allows using
> the right cache depending on the calling user.

Good.

> > Do you know if the sesskey is always guaranteed to be a fixed length?
>
> There are no guarantees that the sesskey length will be fixed in the
> future. However, preliminary reading on this topic reveals that the
> often-used ciphers are DES/RC4-HMAC (MS-Preferred)/3DES/AES, and the
> maximum key length among them is 256 bits, for AES.

Ok, so maybe we should take a safe approach kernel side and allow for
variable length keys?

Simo.
--
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Senior Software Engineer at Red Hat Inc. <ssorce at redhat.com>
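
Added example, not part of the original message or the patch set: one way a root-run helper could vet the per-uid cache file discussed above before trusting it, since a predictable name in a shared directory can be pre-created or symlinked by another local user. The function name `open_ccache_for_uid` and its parameters are hypothetical; the directory and prefix used in `main` are the ones written in the message.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open <dir>/<prefix><uid> read-only, but only if it
 * is a regular file owned by `uid` with no group/other permission bits.
 * Returns an open descriptor, or -1 with errno set. */
int open_ccache_for_uid(const char *dir, const char *prefix, uid_t uid)
{
    char path[4096];
    struct stat st;
    int fd, n, saved;

    n = snprintf(path, sizeof(path), "%s/%s%lu", dir, prefix,
                 (unsigned long)uid);
    if (n < 0 || (size_t)n >= sizeof(path)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    /* O_NOFOLLOW refuses a symlink planted at the predictable name;
     * O_NONBLOCK keeps a FIFO at that name from stalling the open. */
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;
    /* Check the opened descriptor, not the path, so it cannot be swapped. */
    if (fstat(fd, &st) != 0)
        saved = errno;
    else if (!S_ISREG(st.st_mode))
        saved = EINVAL;
    else if (st.st_uid != uid)
        saved = EPERM;      /* file was created by someone else */
    else if (st.st_mode & (S_IRWXG | S_IRWXO))
        saved = EACCES;     /* tickets exposed to other users */
    else
        return fd;
    close(fd);
    errno = saved;
    return -1;
}

int main(void)
{
    int fd = open_ccache_for_uid("/tmp", "krbcc_", getuid());
    puts(fd >= 0 ? "cache accepted" : "no usable cache");
    if (fd >= 0) close(fd);
    return 0;
}
```

The returned descriptor is the object that passed the checks, so the caller should read the cache through it rather than reopening the path.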