[PATCH][SMB3] mount.cifs integration with PAM

Shyam Prasad N nspmangalore at gmail.com
Fri Aug 14 05:45:40 UTC 2020


Hi,

Currently, for sec=krb5, mount.cifs assumes that the Kerberos TGT is
already downloaded and stored in the krb5 credential cache file. If an
AD user is logged in through ssh or su, those utilities authenticate
with PAM (winbind or sssd), and winbind/sssd can be configured to
perform krbtgt house-keeping (like refreshing the tickets). However, if
the AD user is not logged in and the local root user wants to mount the
share using the credentials of an AD user, he/she will need to resort
to a manual kinit, and this does not go through winbind/sssd.

The attached patch introduces PAM authentication in mount.cifs. If
sec=krb5 is specified, mount.cifs will attempt to authenticate with
PAM as the username mentioned in the mount options. If the
authentication fails, we fall back to the old behaviour and proceed
with the mount nevertheless.

@linux-cifs: Please review the overall flow, and let me know if there
are any issues/suggestions. The feature is enabled by default through a
configure parameter (krb5pam) and can be disabled. Do we also need a
new mount option to trigger this new behaviour? (try-pam-auth?)

@samba-technical: Please review the overall flow of the PAM
authentication. Currently, I'm mainly doing pam_authenticate and
pam_setcred. Is there any added benefit to opening and closing a
session? Is it possible to call pam_open_session from mount.cifs and
then call pam_close_session in another binary (umount.cifs)?

Also attached is the output of my test runs.

Thanks in advance.
-- 
-Shyam
-------------- next part --------------
localadmin@linux-vm:~$ sudo mount -t cifs //mystorageaccount.file.core.windows.net/share2 /mnt/abc/ -o vers=3.0,sec=krb5,serverino,cifsacl,mfsymlinks,actimeo=60,multiuser,cruid=aduser,username=aduser,domain=mydomain
Authenticating as user: aduser
Password:  (no echo)
localadmin@linux-vm:~$ mount -t cifs
//mystorageaccount.file.core.windows.net/share2 on /mnt/abc type cifs (rw,relatime,vers=3.0,sec=krb5,cruid=11195,cache=strict,multiuser,domain=mydomain,uid=0,noforceuid,gid=0,noforcegid,file_mode=0755,dir_mode=0755,soft,persistenthandles,nounix,serverino,mapposix,cifsacl,mfsymlinks,noperm,rsize=1048576,wsize=1048576,bsize=1048576,echo_interval=60,actimeo=60)

aduser@linux-vm:~$ ls /mnt/abc/
a.sh  abc  bac  datefile  dir1  hahaha  test.sh  testfile

localadmin@linux-vm:~$ sudo mount -t cifs //mystorageaccount.file.core.windows.net/share2 /mnt/abc/ -o vers=3.0,sec=krb5,serverino,cifsacl,mfsymlinks,actimeo=60,multiuser,cruid=aduser,credentials=/home/localadmin/.smb/aduser.creds
Authenticating as user: aduser
localadmin@linux-vm:~$ mount -t cifs
//mystorageaccount.file.core.windows.net/share2 on /mnt/abc type cifs (rw,relatime,vers=3.0,sec=krb5,cruid=11195,cache=strict,multiuser,domain=mydomain,uid=0,noforceuid,gid=0,noforcegid,file_mode=0755,dir_mode=0755,soft,persistenthandles,nounix,serverino,mapposix,cifsacl,mfsymlinks,noperm,rsize=1048576,wsize=1048576,bsize=1048576,echo_interval=60,actimeo=60)
localadmin@linux-vm:~$ ls -l /tmp/krb5cc_11195
-rw------- 1 aduser root 6077 Aug 14 04:19 /tmp/krb5cc_11195
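
The pam_authenticate/pam_setcred round trip the mail describes, as an added example in Python over ctypes (it is not the attached patch, which is C, and not cifs-utils code). It assumes Linux-PAM's libpam.so.0, a hypothetical service name "mount.cifs" (PAM falls back to /etc/pam.d/other when no such service file exists), and a caller that, like a mount helper, can answer only the password and username prompts from values it already holds; any message the conversation cannot answer without a terminal returns PAM_CONV_ERR, so the attempt fails closed rather than hanging the mount.

```python
"""Added example (not the patch's C code): the libpam sequence the post
describes, pam_start -> pam_authenticate -> pam_setcred -> pam_end, driven
through ctypes. Service name "mount.cifs" is an assumption (PAM falls back
to /etc/pam.d/other when no such service file exists)."""
import ctypes
import ctypes.util
import getpass
import sys

# Linux-PAM constants from <security/_pam_types.h>
PAM_SUCCESS, PAM_BUF_ERR, PAM_CONV_ERR = 0, 5, 19
PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON = 1, 2   # password / username prompt
PAM_ERROR_MSG, PAM_TEXT_INFO = 3, 4              # informational, no reply
PAM_DISALLOW_NULL_AUTHTOK, PAM_ESTABLISH_CRED = 0x0001, 0x0002


def answer_prompts(messages, username, password):
    """One reply per (msg_style, text), "" for informational messages, or
    None when a message needs a terminal (the callback fails closed then)."""
    replies = []
    for style, _text in messages:
        if style == PAM_PROMPT_ECHO_OFF:
            replies.append(password)
        elif style == PAM_PROMPT_ECHO_ON:
            replies.append(username)
        elif style in (PAM_ERROR_MSG, PAM_TEXT_INFO):
            replies.append("")
        else:
            return None
    return replies


class PamMessage(ctypes.Structure):
    _fields_ = [("msg_style", ctypes.c_int), ("msg", ctypes.c_char_p)]


class PamResponse(ctypes.Structure):
    # resp must be malloc()'d memory (libpam free()s it), never Python bytes
    _fields_ = [("resp", ctypes.c_void_p), ("resp_retcode", ctypes.c_int)]


CONV_FUNC = ctypes.CFUNCTYPE(
    ctypes.c_int, ctypes.c_int, ctypes.POINTER(ctypes.POINTER(PamMessage)),
    ctypes.POINTER(ctypes.POINTER(PamResponse)), ctypes.c_void_p)


class PamConv(ctypes.Structure):
    _fields_ = [("conv", CONV_FUNC), ("appdata_ptr", ctypes.c_void_p)]


def make_conv(username, password):
    """Build a struct pam_conv whose callback answers from fixed values."""
    libc = ctypes.CDLL(None)
    libc.calloc.restype = libc.strdup.restype = ctypes.c_void_p
    libc.calloc.argtypes = [ctypes.c_size_t, ctypes.c_size_t]
    libc.strdup.argtypes = [ctypes.c_char_p]

    def conv(num_msg, msg, resp, _appdata):
        try:
            # Linux-PAM passes an array of num_msg pointers to pam_message
            msgs = [(msg[i].contents.msg_style, msg[i].contents.msg)
                    for i in range(num_msg)]
            replies = answer_prompts(msgs, username, password)
            if replies is None:
                return PAM_CONV_ERR
            block = libc.calloc(num_msg, ctypes.sizeof(PamResponse))
            if not block:
                return PAM_BUF_ERR
            out = ctypes.cast(block, ctypes.POINTER(PamResponse))
            for i, reply in enumerate(replies):
                out[i].resp = libc.strdup(reply.encode())
            resp[0] = out
            return PAM_SUCCESS
        except Exception:       # never report success with no responses
            return PAM_CONV_ERR

    callback = CONV_FUNC(conv)
    pc = PamConv(callback, None)
    pc._callback = callback   # keep the callback alive until pam_end()
    return pc


def pam_authenticate_and_setcred(user, password, service="mount.cifs"):
    """Return (ok, detail); the post's mount.cifs falls back to the existing
    krb5 ccache for cruid when ok is False."""
    libpam = ctypes.CDLL(ctypes.util.find_library("pam") or "libpam.so.0")
    libpam.pam_start.argtypes = [ctypes.c_char_p, ctypes.c_char_p,
                                 ctypes.POINTER(PamConv),
                                 ctypes.POINTER(ctypes.c_void_p)]
    libpam.pam_strerror.restype = ctypes.c_char_p

    conv, handle = make_conv(user, password), ctypes.c_void_p()
    rc = libpam.pam_start(service.encode(), user.encode(),
                          ctypes.byref(conv), ctypes.byref(handle))
    if rc != PAM_SUCCESS:
        return False, "pam_start: " + libpam.pam_strerror(None, rc).decode()
    stage = "pam_authenticate"
    rc = libpam.pam_authenticate(handle, PAM_DISALLOW_NULL_AUTHTOK)
    if rc == PAM_SUCCESS:
        stage = "pam_setcred"   # pam_krb5/pam_winbind/pam_sss write the ccache here
        rc = libpam.pam_setcred(handle, PAM_ESTABLISH_CRED)
    detail = "%s: %s" % (stage, libpam.pam_strerror(handle, rc).decode())
    libpam.pam_end(handle, rc)  # final status lets modules clean up on failure
    return rc == PAM_SUCCESS, detail


if __name__ == "__main__":   # usage: sudo python3 pam_demo.py aduser
    name = sys.argv[1] if len(sys.argv) > 1 else getpass.getuser()
    ok, why = pam_authenticate_and_setcred(name, getpass.getpass("Password: "))
    print("PAM", "ok" if ok else "failed, falling back to existing ccache", "-", why)
    sys.exit(0 if ok else 1)
```

Run it as root, as mount.cifs is. With pam_krb5, pam_winbind or pam_sss in the stack, the pam_setcred(PAM_ESTABLISH_CRED) step is the one that writes a credential cache like the /tmp/krb5cc_11195 listed in the second test run above. The pam_handle_t is in-process memory that pam_end() frees, which is why the example finishes every call sequence in the same process that started it.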
