[PATCH][SMB3] mount.cifs integration with PAM

Aurélien Aptel aaptel at suse.com
Mon Aug 17 08:48:13 UTC 2020

Shyam Prasad N <nspmangalore at gmail.com> writes:
> Agreed. But since we're not dealing with krb5cc file directly in
> mount.cifs, I don't see it influencing this change. However, I will test it
> out too.

When reconnecting or accessing DFS links (cross-server symlinks) the
client opens a new connection to the target server and has to auth
again. Since there are no ways to ask for a password at that moment
(we're in the middle of some syscall) cifs.ko does an upcall to
cifs.upcall and passes the pid of the process who initiated the
syscall. cifs.upcall then reads that proc env (via /proc/<pid>/environ)
and looks for KRB5CCNAME, uses it and returns the required data for
cifs.ko to proceed with the SMB Session Setup.

So it is important to have this env var set if the location of the
credential cache is not the default one. If you do PAM login from
mount.cifs, the env var might be set for that process but it will only
persist in children processes of mount.cifs i.e. most likely none.

I still think this patch is a good idea but we should definitely print
something to the user that things might fail later on, or give
instructions to set the env var in the user shell or something like that.

> That does make sense. I was thinking of including a mount option to enable
> this path. But let me explore the retry-on-failure path as well.

Mount option sounds good regardless.

> Yeah. I didn't get the complete picture on session maintenance after
> reading the pam application developer's guide.
> Was hoping that somebody on samba-technical would have some idea about this.

The keyring docs have some info on it too but it's still not clear to


Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97  8C99 03C8 A49B 521B D5D3
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg, DE
GF: Felix Imendörffer, Mary Higgins, Sri Rasiah HRB 247165 (AG München)

More information about the samba-technical mailing list