[PATCH][SMB3] mount.cifs integration with PAM

Shyam Prasad N nspmangalore at gmail.com
Mon Aug 17 09:12:21 UTC 2020 

Thanks Aurélien. Good points.
Let me take a closer look at this and see how to proceed.

Regards,
Shyam

On Mon, Aug 17, 2020, 14:18 Aurélien Aptel <aaptel at suse.com> wrote:

> Shyam Prasad N <nspmangalore at gmail.com> writes:
> > Agreed. But since we're not dealing with krb5cc file directly in
> > mount.cifs, I don't see it influencing this change. However, I will test
> it
> > out too.
>
> When reconnecting or accessing DFS links (cross-server symlinks) the
> client opens a new connection to the target server and has to auth
> again. Since there are no ways to ask for a password at that moment
> (we're in the middle of some syscall) cifs.ko does an upcall to
> cifs.upcall and passes the pid of the process who initiated the
> syscall. cifs.upcall then reads that proc env (via /proc/<pid>/environ)
> and looks for KRB5CCNAME, uses it and returns the required data for
> cifs.ko to proceed with the SMB Session Setup.
>
> So it is important to have this env var set if the location of the
> credential cache is not the default one. If you do PAM login from
> mount.cifs, the env var might be set for that process but it will only
> persist in children processes of mount.cifs i.e. most likely none.
>
> I still think this patch is a good idea but we should definitely print
> something to the user that things might fail later on, or give
> instructions to set the env var in the user shell or something like that.
>
> > That does make sense. I was thinking of including a mount option to
> enable
> > this path. But let me explore the retry-on-failure path as well.
>
> Mount option sounds good regardless.
>
> > Yeah. I didn't get the complete picture on session maintenance after
> > reading the pam application developer's guide.
> > Was hoping that somebody on samba-technical would have some idea about
> this.
>
> The keyring docs have some info on it too but it's still not clear to
> me.
>
> https://man7.org/linux/man-pages/man7/session-keyring.7.html
>
> Cheers,
> --
> Aurélien Aptel / SUSE Labs Samba Team
> GPG: 1839 CB5F 9F5B FB9B AA97  8C99 03C8 A49B 521B D5D3
> SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg, DE
> GF: Felix Imendörffer, Mary Higgins, Sri Rasiah HRB 247165 (AG München)
>

More information about the samba-technical mailing list