Hi Jeff,
Recently, I've been spending some time with the cifs.upcall code which
does a "kinit" for a user using the system keytab file. git blame
shows that you were the author of this function init_cc_from_keytab().
I want to understand these patches mainly:
commit 2dcecd21262513a0866c321643fc33d3d0135915
Author: Jeff Layton <jlayton@xxxxxxxxx>
Date: Thu Feb 23 18:28:24 2017 -0500
cifs.upcall: unset $KRB5CCNAME when creating new credcache from keytab
We don't want to trust $KRB5CCNAME when creating or updating a new
credcache since we could be operating under the wrong credentials.
Always create new credcaches in the default location instead.
Reported-by: Chad William Seys <cwseys@xxxxxxxxxxxxxxxx>
Signed-off-by: Jeff Layton <jlayton@xxxxxxxxx>
commit 69949ba0086ac7a4f07ade7558fbe5c537220ebb
Author: Jeff Layton <jlayton@xxxxxxxxx>
Date: Fri Feb 24 10:48:57 2017 -0500
cifs.upcall: use a MEMORY: ccache when instantiating from a keytab
Using a more permanent ccache is potentially problematic when we're
instantiating a new one. We might be operating under different creds
than expected. Just use a MEMORY: ccache since we don't need it to
last longer than the life of the upcall anyway.
Reported-and-Tested-by: Chad William Seys <cwseys@xxxxxxxxxxxxxxxx>
Signed-off-by: Jeff Layton <jlayton@xxxxxxxxx>
Few things I want to understand about this:
1. What was the purpose of this code path in the first place? i.e.
init_cc_from_keytab
2. It looks like we read the cred cache file at it's default location.
Why can't we write the cred cache file as indicated by the env as
well? Why do we want to create an in-memory cache here, and not dump
the TGT in the default cc as indicated by env? Why waste the
authentication which was already done?
The reason why I ask this is because I'm exploring the possibility of
populating the keytab file in mount.cifs, and let cifs.upcall acquire
tickets when needed.
--
-Shyam
