[linux-cifs-client] Kerberos5 support in cifs patchset [PATCH: 3/4] upcall handling via KEYS API for getting security blob and session key
Q (Igor Mammedov)
qwerty0987654321 at mail.ru
Tue Oct 30 16:12:21 GMT 2007
Jeff Layton wrote:
> On Thu, 25 Oct 2007 16:59:00 +0400 "Q (Igor Mammedov)"
> <qwerty0987654321 at mail.ru> wrote:
>
>> Jeff Layton wrote: As for CIFSSMBNegotiate vs CIFS_SessSetup I
>> thought that in case of multi-stage negotiation we would have to do
>> upcalls in CIFS_SessSetup too. That's why I did it in
>> CIFS_SessSetup.
>>
>
> True. I think with the design I have, we can easily do it from either
> place (or even both). The advantage of doing it in CIFSSMBNegotiate
> is that we can have userspace do all of the SPNEGO parsing and tell
> the kernel the secType. I suppose we could do that in CIFS_SessSetup
> too but it means a bigger change there.
The SecBlob from the response message in CIFSSMBNegotiate just provides us
with the supported MECHs, and if we use MS-KRB5 then we can use the MIC from it.
We already have simple in-kernel ASN.1 parsing code that does exactly
this thing (determines what secType to use based on the mount sec option
and the server-supported MECHs in decode_negTokenInit).
And we could stop right here if the server doesn't support the requested sec option.
IMHO, doing the SPNEGO upcall in CIFS_SessSetup, where it takes place by
protocol (SMB_COM_SESSION_SETUP_ANDX), looks less confusing than
doing it in CIFSSMBNegotiate, where the SecBlob is just a hint but not a part
of the SPNEGO conversation.
--
Best regards,
-------------------------
Igor Mammedov,
niallain "at" gmail.com
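
The mechanism-list check discussed in this message, as an added example that is not part of the original post or of the CIFS patchset: it walks the negTokenInit in a negotiate-response SecBlob, lists the offered mechanisms, and returns None when the requested sec option is not offered. The sample blob is constructed, and the names server_mechs, pick_sectype and ACCEPT (including its option-to-mechanism mapping) are assumptions made for illustration.

```python
SPNEGO_OID = "1.3.6.1.5.5.2"
MECHS = {"1.2.840.48018.1.2.2": "MS-KRB5",
         "1.2.840.113554.1.2.2": "KRB5",
         "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}
# Assumed mapping from mount sec option to acceptable mechanisms.
ACCEPT = {"krb5": ("MS-KRB5", "KRB5"), "ntlmssp": ("NTLMSSP",)}
# Constructed sample: SPNEGO negTokenInit offering MS-KRB5, KRB5, NTLMSSP.
SAMPLE_BLOB = bytes.fromhex(
    "603206062b0601050502a0283026a0243022"
    "06092a864882f712010202" "06092a864886f712010202"
    "060a2b06010401823702020a")

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def expect(buf, pos, want):
    tag, val, nxt = read_tlv(buf, pos)
    if tag != want:
        raise ValueError(f"expected tag {want:#x}, got {tag:#x}")
    return val, nxt

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:                # base-128 arcs, high bit = continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def server_mechs(blob):
    token, _ = expect(blob, 0, 0x60)          # GSS-API InitialContextToken
    oid, pos = expect(token, 0, 0x06)
    if decode_oid(oid) != SPNEGO_OID:
        raise ValueError("not a SPNEGO token")
    choice, _ = expect(token, pos, 0xA0)      # negTokenInit
    seq, _ = expect(choice, 0, 0x30)
    field, _ = expect(seq, 0, 0xA0)           # [0] mechTypes
    mech_list, pos = expect(field, 0, 0x30)[0], 0
    names = []
    while pos < len(mech_list):
        oid, pos = expect(mech_list, pos, 0x06)
        names.append(MECHS.get(decode_oid(oid), "unknown"))
    return names

def pick_sectype(blob, sec_option):
    """First offered mechanism matching the mount option, else None."""
    return next((m for m in server_mechs(blob) if m in ACCEPT[sec_option]), None)
```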