[linux-cifs-client] [PATCH 0/6] Introduction: implement SPNEGO/Kerberos in CIFS (try #2)

Jeff Layton jlayton at redhat.com
Wed Oct 31 15:31:15 GMT 2007


This is try #2 of the patchset to implement krb5 mounts with CIFS. This
is probably still not ready to be committed, but it does currently work.

This patchset is a bit closer to the one originally posted by Igor
Mammedov. This set uses the in-kernel ASN.1 parsing to determine the
secType that will be used in the session setup. In the session setup,
we do an upcall to userspace using the keyctl API if the secType is
Kerberos.

The userspace program is then expected to take the info provided in the
key description and send back a new SPNEGO blob and a SessionKey. The
kernel can then use this info in the key payload as a SPNEGO blob in
its session setup request.

With this patchset plus a hacked up version of Igor Mammedov's userspace
request-key callout program, I'm able to successfully mount a win2k3
server using kerberos auth.

This should work today with SPNEGO blobs that are less than 32k, and
should work with larger blobs once David Howells' patch to increase
the key payload size is upstream.

Here's a list of known shortcomings with the current patchset:

1) The userspace request-key program is not yet complete. Simo Sorce has
volunteered to write it. I've used Igor's userspace program to test it,
but it needs some work. I can envision this being part of the samba tree.
smbclient needs to roll up SPNEGO blobs too, so it seems like that code
could be shared, but I'll defer that decision to those who are writing
the program.

2) Multi-stage SPNEGO conversations are not yet implemented. It
shouldn't be too tough to add them, but as of today, I'm not clear on
what they actually look like on the wire. Particularly, I don't know
what the SMB status field will look like. So for now, if multi-stage
SPNEGO is needed, the mount will probably fail. If someone is able
to trigger this and can provide captures or info about it, then we
should be able to get that added.

3) Multi-user mounts are not currently implemented. I've been chatting
with Steve about the best scheme for handling them, so for now, things
are pretty much still single-user.

Many thanks to Simo Sorce, Steve French and Igor Mammedov for guidance
and sample code on this. Comments are appreciated.

Signed-off-by: Jeff Layton <jlayton at redhat.com>


