[PATCH 0/2] cifs: allow use of alternate credcaches for krb5 upcalls (try #2)

simo idra at samba.org
Wed Jul 8 13:47:58 GMT 2009


On Wed, 2009-07-08 at 09:00 -0400, Jeff Layton wrote:
> Currently, cifs does not allow you to use non-default credential caches
> when mounting using sec=krb5. The kernel does not pass along enough info
> to allow the upcall to select the right credcache. This is particularly
> problematic if you want to use something like pam_krb5 and pam_mount
> together to mount up a share.
> 
> This patchset implements this ability by having cifs.upcall scrape the
> KRB5CCNAME variable out of /proc/PID/environ. In order to do that
> properly, it needs to know the pid of the process that initiated the
> upcall.
> 
> The first patch in this series is a kernel patch that just adds this
> information to the upcall string. The second patch is a cifs.upcall
> patch that has it take the pid info and get the KRB5CCNAME and use that
> for getting the service ticket.
> 
> Tested by mounting a share using an alternate "FILE:" credcache name. I
> think it'll be possible to eventually allow the use of "KEYRING:"
> credcaches too, but that'll need a little more work to authorize access
> to the session keyring for the requesting process.
> 
> Jeff Layton (2):
>   cifs: add pid of initiating process to spnego upcall info
>   cifs.upcall: use pid value from kernel to determine KRB5CCNAME to use
> 
>  client/cifs.upcall.c |   87 +++++++++++++++++++++++++++++++++++++++++++-------
>  1 files changed, 75 insertions(+), 12 deletions(-)

Very nice, both patches look good to me.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>
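
The quoted cover letter has cifs.upcall take the pid passed by the kernel and read KRB5CCNAME from /proc/PID/environ. One way to do that lookup in C, as an added example that is not code from the patch set: the names `find_ccname` and `ccname_for_pid` and the 64 KiB read limit are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define CC_VAR "KRB5CCNAME="

/* Added example (hypothetical helper, not from the patch). Scans a
 * NUL-separated environ image for KRB5CCNAME and copies its value to out.
 * Returns 0 on success, -1 if absent, cut off mid-entry, or too long. */
int find_ccname(const char *env, size_t len, char *out, size_t outlen)
{
    const size_t klen = strlen(CC_VAR);
    size_t pos = 0;

    while (pos < len) {
        const char *entry = env + pos;
        const char *end = memchr(entry, '\0', len - pos);
        size_t elen;
        if (end == NULL)
            return -1;          /* unterminated tail: read was truncated */
        elen = (size_t)(end - entry);
        /* Match only at the start of an entry; first match wins. */
        if (elen > klen && memcmp(entry, CC_VAR, klen) == 0) {
            size_t vlen = elen - klen;
            if (vlen >= outlen)
                return -1;      /* refuse to truncate a cache name */
            memcpy(out, entry + klen, vlen + 1);
            return 0;
        }
        pos += elen + 1;
    }
    return -1;
}

/* Reads /proc/<pid>/environ (hypothetical helper) and looks up KRB5CCNAME. */
int ccname_for_pid(pid_t pid, char *out, size_t outlen)
{
    char path[64], buf[65536];  /* 64 KiB limit is an assumption */
    size_t n;
    FILE *f;

    snprintf(path, sizeof(path), "/proc/%ld/environ", (long)pid);
    f = fopen(path, "r");
    if (f == NULL)
        return -1;
    n = fread(buf, 1, sizeof(buf), f);
    fclose(f);
    return find_ccname(buf, n, out, outlen);
}
```

The environ image is written by the requesting process, so the returned string is untrusted input to the upcall helper and should be validated before it is used to open a credential cache.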