[Keyrings] Re: kerberos keyring ccache
Trond Myklebust
trond.myklebust at fys.uio.no
Tue Jan 24 21:47:15 GMT 2006
On Tue, 2006-01-24 at 12:18 -0600, Steve French wrote:
> It would be a complete disaster (bad performance) to upcall very often -
> I am hoping that nfs (and afs and others) that care about kerberos like
> cifs - can recognize security credentials that are set by winbind (the
> pam/nss logon code) or pam_kerberos at logon time and save them in the
> credential cache. What I am not clear on is how to look at the krb5
> tickets for the process (that in an ideal case winbind or pam_kerberos
> set at logon time) just enough to tell whether I have already
> authenticated that user.
That won't save us an upcall. We do not want to put _any_ kerberos code
into the kernel, and that includes the code that kerberos uses for
negotiating an RPCSEC_GSS session. Winbind credentials inside the kernel
are therefore still useless to us.
Cheers,
Trond
More information about the samba-technical mailing list