[Keyrings] Re: kerberos keyring ccache

Trond Myklebust trond.myklebust at fys.uio.no
Tue Jan 24 21:47:15 GMT 2006

On Tue, 2006-01-24 at 12:18 -0600, Steve French wrote:

> It would be a complete disaster (bad performance) to upcall very often - 
> I am hoping
> that nfs (and afs and others) that care about kerberos like cifs - can 
> recognize
> security credentials that are set by winbind (the pam/nss logon code) or 
> pam_kerberos
> at logon time and save them in the credential cache.   What I am not 
> clear on is
> how to look at the krb5 tickets for the process (that in an ideal case 
> winbind or pam_kerberos
> set at logon time) just enough to tell whether I have already 
> authenticated that user.  

That won't save us an upcall. We do not want to put _any_ kerberos code
into the kernel, and that includes the code that kerberos uses for
negotiating an RPCSEC_GSS session. Winbind credentials inside the kernel
are therefore still useless to us.


More information about the samba-technical mailing list