[linux-cifs-client] Question on current state of sec=krb5* integration in cifs.ko

Jeff Layton jlayton at redhat.com
Fri Oct 23 09:55:12 MDT 2009


On Fri, 23 Oct 2009 17:46:02 +0200
Holger Rauch <holger.rauch at empic.de> wrote:

> Hi Jeff,
> 
> thanks again for replying that quickly. I tried sec=krb5 and it indeed
> worked (even in conjunction with autofs5). Strangely enough, it even
> continued to work when the credentials cache was empty (having run
> "kdestroy" deliberately in order to test Kerberos security).
> 
> I could add files even though there were no tickets left in the cache.
> This shouldn't be the case, I think (at least that's how it works on
> NFSv4; i.e. on NFSv4 I would get "permission denied" when tickets are
> either expired or not present). Is CIFS different in this regard?
> 

Yes, much...

NFS (well, RPC actually) sends credentials with every call, so if you
destroy the creds, then the client and server will tend to pick up on
that fact rather quickly. With CIFS the credentials are just used to
establish a "session". After that, krb5 doesn't really come into play
very much (at least until you have to reconnect).

-- 
Jeff Layton <jlayton at redhat.com>