[PATCH][SMB3] mount.cifs integration with PAM

Shyam Prasad N nspmangalore at gmail.com
Wed Sep 9 17:25:00 UTC 2020

Your understanding is correct. We could also go for a hybrid approach,
where we fall back to option b when option a fails to authenticate.
But for now, I'll resubmit a patch with option a as a fallback when
regular mount fails, just like you had suggested.


On Wed, Sep 9, 2020 at 7:43 PM Aurélien Aptel <aaptel at suse.com> wrote:
> Shyam Prasad N <nspmangalore at gmail.com> writes:
> > Thoughts?
> You are reaching the limits of my poor understanding of this Kerberos
> stuff. What is the difference between keytab and credential cache?
> So IIUC you are proposing 2 ways to go about it:
> a) - do PAM login in mount.cifs (which in turn calls into sssd/winbind)
>    - implement umount.cifs for PAM logoff
> b) - ignore PAM and winbind/sssd and do kinit in mount.cifs manually
>    - would this require umount.cifs as well?
> I like (b) because it feels we have more control and don't require a big
> external program like winbind *but* if (b) doesn't do the refreshing of
> the tickets then the mount will always stop working after they
> expire. This seems only useful for quick one-off mounting or
> testing/debugging. Real end users will find it unreliable unless they
> set up something like what winbind does essentially.
> So ultimately, to me, (a) seems like the better choice. Let me know if I
> misunderstood something.
> Cheers,
> --
> Aurélien Aptel / SUSE Labs Samba Team
> GPG: 1839 CB5F 9F5B FB9B AA97  8C99 03C8 A49B 521B D5D3
> SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg, DE
> GF: Felix Imendörffer, Mary Higgins, Sri Rasiah HRB 247165 (AG München)

