[PATCH 0/2] cifs: allow use of alternate credcaches for krb5 upcalls (try #2)

Jeff Layton jlayton at samba.org
Wed Jul 8 13:00:50 GMT 2009

Currently, cifs does not allow you to use non-default credential caches
when mounting using sec=krb5. The kernel does not pass along enough info
to allow the upcall to select the right credcache. This is particularly
problematic if you want to use something like pam_krb5 and pam_mount
together to mount up a share.

This patchset implements this ability by having cifs.upcall scrape the
KRB5CCNAME variable out of /proc/PID/environ. In order to do that
properly, it needs to know the pid of the process that initiated the

The first patch in this series is a kernel patch that just adds this
information to the upcall string. The second patch is a cifs.upcall
patch that has it take the pid info and get the KRB5CCNAME and use that
for getting the service ticket.

Tested by mounting a share using an alternate "FILE:" credcache name. I
think it'll be possible to eventually allow the use of "KEYRING:"
credcaches too, but that'll need a little more work to authorize access
to the session keyring for the requesting process.

Jeff Layton (2):
  cifs: add pid of initiating process to spnego upcall info
  cifs.upcall: use pid value from kernel to determine KRB5CCNAME to use

 client/cifs.upcall.c |   87 +++++++++++++++++++++++++++++++++++++++++++-------
 1 files changed, 75 insertions(+), 12 deletions(-)

More information about the samba-technical mailing list