Hi Jeff, Recently, I've been spending some time with the cifs.upcall code which does a "kinit" for a user using the system keytab file. git blame shows that you were the author of this function init_cc_from_keytab(). I want to understand these patches mainly: commit 2dcecd21262513a0866c321643fc33d3d0135915 Author: Jeff Layton <jlayton@xxxxxxxxx> Date: Thu Feb 23 18:28:24 2017 -0500 cifs.upcall: unset $KRB5CCNAME when creating new credcache from keytab We don't want to trust $KRB5CCNAME when creating or updating a new credcache since we could be operating under the wrong credentials. Always create new credcaches in the default location instead. Reported-by: Chad William Seys <cwseys@xxxxxxxxxxxxxxxx> Signed-off-by: Jeff Layton <jlayton@xxxxxxxxx> commit 69949ba0086ac7a4f07ade7558fbe5c537220ebb Author: Jeff Layton <jlayton@xxxxxxxxx> Date: Fri Feb 24 10:48:57 2017 -0500 cifs.upcall: use a MEMORY: ccache when instantiating from a keytab Using a more permanent ccache is potentially problematic when we're instantiating a new one. We might be operating under different creds than expected. Just use a MEMORY: ccache since we don't need it to last longer than the life of the upcall anyway. Reported-and-Tested-by: Chad William Seys <cwseys@xxxxxxxxxxxxxxxx> Signed-off-by: Jeff Layton <jlayton@xxxxxxxxx> Few things I want to understand about this: 1. What was the purpose of this code path in the first place? i.e. init_cc_from_keytab 2. It looks like we read the cred cache file at it's default location. Why can't we write the cred cache file as indicated by the env as well? Why do we want to create an in-memory cache here, and not dump the TGT in the default cc as indicated by env? Why waste the authentication which was already done? The reason why I ask this is because I'm exploring the possibility of populating the keytab file in mount.cifs, and let cifs.upcall acquire tickets when needed. -- -Shyam