Your understanding is correct.
We could also go for a hybrid approach, where we fall back to option b when option a fails to authenticate.
But for now, I'll resubmit a patch with option a as a fallback when regular mount fails, just like you had suggested.

Regards,
Shyam

On Wed, Sep 9, 2020 at 7:43 PM Aurélien Aptel <aaptel@xxxxxxxx> wrote:
>
> Shyam Prasad N <nspmangalore@xxxxxxxxx> writes:
> > Thoughts?
>
> You are reaching the limits of my poor understanding of this Kerberos
> stuff. What is the difference between keytab and credential cache?
>
> So IIUC you are proposing 2 ways to go about it:
>
> a) - do PAM login in mount.cifs (which in turn calls into sssd/winbind)
>    - implement umount.cifs for PAM logoff
>
> b) - ignore PAM and winbind/sssd and do kinit in mount.cifs manually
>    - would this require umount.cifs as well?
>
> I like (b) because it feels we have more control and don't require a big
> external program like winbind *but* if (b) doesn't do the refreshing of
> the tickets then the mount will always stop working after they
> expire. This seems only useful for quick one-off mounting or
> testing/debugging. Real end users will find it unreliable unless they
> set up something like what winbind does essentially.
>
> So ultimately, to me, (a) seems like the better choice. Let me know if I
> misunderstood something.
>
> Cheers,
> --
> Aurélien Aptel / SUSE Labs Samba Team
> GPG: 1839 CB5F 9F5B FB9B AA97 8C99 03C8 A49B 521B D5D3
> SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg, DE
> GF: Felix Imendörffer, Mary Higgins, Sri Rasiah HRB 247165 (AG München)

--
-Shyam