[PATCH][SMB3] mount.cifs integration with PAM

Aurélien Aptel aaptel at suse.com
Fri Aug 14 09:52:42 UTC 2020

Hi Shyam,

Shyam Prasad N <nspmangalore at gmail.com> writes:
> Currently, for sec=krb5, mount.cifs assumes that the kerberos TGT is
> already downloaded and stored in krb5 cred cache file. If an AD user
> is logged in through ssh or su, those utilities authenticate with PAM
> (winbind or sssd), and winbind/sssd can be configured to perform
> krbtgt house-keeping (like refreshing the tickets). However, if the AD
> user is not logged in, and the local root user wants to mount the
> share using the credentials for an AD user, he/she will need to resort
> to manual kinit, and this does not go through winbind/sssd.

That is correct, I think. Note that using when login in the system PAM
also sets up KRB5CCNAME variable that points to the credential cache
(e.g. "FILE:/tmp/krb5cc_0") and is then inherited in all processes in
the session.

> Attached patch will introduce PAM authentication in mount.cifs. If
> sec=krb5 is specified, mount.cifs will attempt to authenticate with
> PAM as the username mentioned in mount options. If the authentication
> fails, we fall back to the old behavior and proceed with the mount
> nevertheless.

Shouldn't we do it the other way around? i.e. try to use any existing
credential cache, and if that fails auth again with PAM. I think we
might end up overwriting an existing cache or logging in twice

> @linux-cifs: Please review the overall flow, and let me know if there
> are any issues/suggestions. The feature is enabled by default in a
> configure parameter (krb5pam), and can be disabled. Do we also need a
> new mount option to trigger this new behavior? (try-pam-auth?)

> @samba-technical: Please review the overall flow of PAM
> authentication. Currently, I'm mainly doing pam_authenticate and
> pam_setcreds. Is there any added benefit opening and closing session?
> Is it possible to call pam_open_session from mount.cifs, and then call
> pam_close_session in another binary (umount.cifs)?

I am not 100% sure about this but I think the session should be opened
in the context of the parent shell process to be able to be persistent,
otherwise the session will close when mount.cifs exits. Maybe there is a
way to pin the session on a different processes... But most likely there
is an existing session opened by PAM when the user initially logged in
the system (regardless of the PAM backend/params).

Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97  8C99 03C8 A49B 521B D5D3
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg, DE
GF: Felix Imendörffer, Mary Higgins, Sri Rasiah HRB 247165 (AG München)

More information about the samba-technical mailing list