[PATCH 0/2] cifs: allow use of alternate credcaches for krb5 upcalls (try #2)
Jeff Layton
jlayton at samba.org
Wed Jul 8 13:00:50 GMT 2009

Currently, cifs does not allow you to use non-default credential caches
when mounting using sec=krb5. The kernel does not pass along enough info
to allow the upcall to select the right credcache. This is particularly
problematic if you want to use something like pam_krb5 and pam_mount
together to mount up a share.

This patchset implements this ability by having cifs.upcall scrape the
KRB5CCNAME variable out of /proc/PID/environ. In order to do that
properly, it needs to know the pid of the process that initiated the
upcall.

The first patch in this series is a kernel patch that just adds this
information to the upcall string. The second patch is a cifs.upcall
patch that has it take the pid info and get the KRB5CCNAME and use that
for getting the service ticket.

Tested by mounting a share using an alternate "FILE:" credcache name. I
think it'll be possible to eventually allow the use of "KEYRING:"
credcaches too, but that'll need a little more work to authorize access
to the session keyring for the requesting process.

Jeff Layton (2):
cifs: add pid of initiating process to spnego upcall info
cifs.upcall: use pid value from kernel to determine KRB5CCNAME to use
client/cifs.upcall.c | 87 +++++++++++++++++++++++++++++++++++++++++++-------
1 files changed, 75 insertions(+), 12 deletions(-)
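
The lookup the cover letter describes, as an added example that is not code from the patch series: it scans a NUL-separated /proc/PID/environ block for KRB5CCNAME and accepts only "FILE:" caches, the one type the message reports as tested. The function names, buffer handling and sample data are assumptions; the value comes from the requesting process's environment, so the helper treats it as untrusted input.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define CC_VAR  "KRB5CCNAME="
#define CC_FILE "FILE:"

/* Constructed sample environment block, not captured from a real process. */
static const char sample_env[] =
    "HOME=/home/alice\0KRB5CCNAME=FILE:/tmp/krb5cc_alt\0SHELL=/bin/sh";

/* Hypothetical helper: scan a NUL-separated environment block (the layout
 * of /proc/PID/environ) for KRB5CCNAME. Returns a pointer to the value
 * inside buf, or NULL if the variable is absent, sits in an unterminated
 * (truncated) entry, or does not name a FILE: credcache. */
const char *find_krb5ccname(const char *buf, size_t len)
{
    const size_t varlen = strlen(CC_VAR);
    size_t off = 0;

    while (off < len) {
        const char *entry = buf + off;
        const char *end = memchr(entry, '\0', len - off);
        if (end == NULL)
            return NULL;    /* short read cut the entry: do not trust it */
        size_t entlen = (size_t)(end - entry);
        if (entlen > varlen && memcmp(entry, CC_VAR, varlen) == 0) {
            const char *val = entry + varlen;   /* first match decides */
            return strncmp(val, CC_FILE, strlen(CC_FILE)) == 0 ? val : NULL;
        }
        off += entlen + 1;  /* step over the entry and its NUL */
    }
    return NULL;
}

/* Hypothetical wrapper: read /proc/<pid>/environ into out and look it up. */
const char *krb5ccname_for_pid(pid_t pid, char *out, size_t outsz)
{
    char path[64];
    snprintf(path, sizeof(path), "/proc/%ld/environ", (long)pid);
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return NULL;
    size_t n = fread(out, 1, outsz, f);
    fclose(f);
    return find_krb5ccname(out, n);
}
```

A returned path is still only a name supplied by the caller; whether the file it points to belongs to the requesting user has to be checked separately before it is used to obtain a service ticket.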