[0/1] cifs.upcall: enable ccache init from keytab for multiuser mount sessions

Message ID 20240117132534.2623424-1-Florian.Schwalm@seven.one (mailing list archive)

Message

Schwalm, Florian Jan. 17, 2024, 1:25 p.m. UTC
While trying to configure kerberized SMB on some of my department's machines
I failed to achieve the desired scenario. The idea was that multiple service
users on the machines each authenticate with their own credentials on a multiuser mount.
Since those service users are used for non-interactive tasks the
credentials should be initialized automatically from the keytab provided to cifs.upcall.
In debugging the connection and looking at the source code of
cifs.upcall as well as the cifs kernel module I noticed that the keytab
is only used if the key description provided by the kernel specifies a
username. This is not the case for individual user sessions of a
multiuser mount. Since we already scrape a gid from the passwd nss db
based on the provided uid, I thought there would be no harm in doing so
as well for the username in case none is provided. This is what the
provided patch implements. By deriving the username for the user
sessions we enable those sessions to initialize themselves from the
keytab as well.

If there is an established way to configure this without requiring my
patch, please tell me where to look.

Also, please take extra care in reviewing this patch. I haven't written
any C in a long time.

Florian Schwalm (1):
  cifs.upcall: enable ccache init from keytab for multiuser mount
    sessions

 cifs.upcall.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

Comments

Schwalm, Florian Jan. 18, 2024, 11:22 a.m. UTC | #1
Looking further into the issue, my use case may be solved by using the gssproxy feature implemented two years ago.
The patch may still be useful if you want to support this in cifs-utils itself. Though probably another patch would be advisable to support per-user keytabs so we do not need to combine user credentials in a shared keytab. I can try to work on this if you think this would be a valuable addition. If you conclude that this is sufficiently solved by gssproxy, though, that would also be fine.

-----Original Message-----
From: Schwalm, Florian <Florian.Schwalm@seven.one>
Sent: Wednesday, 17 January 2024 14:26
To: linux-cifs@vger.kernel.org
Cc: Schwalm, Florian <Florian.Schwalm@seven.one>
Subject: [PATCH 0/1] cifs.upcall: enable ccache init from keytab for multiuser mount sessions
