I see a brief mention of gssproxy by Jeff Layton more than three years ago, but don't remember any follow up on that. What would be your goal in doing this? Presumably we could improve cifs.ko's ability to automatically autonegotiate new SMB sessions for incoming VFS requests from uids that have associated kerberos tickets. Fortunately here is little dependency on SPNEGO in cifs.ko (so it could be fairly easy to add other upcalls for SPNEGO), just during SMB3 session setup (and also in parsing the SMB3 negotiate response). My bigger worry with handling SPNEGO (RFC2478) in the longer term, is adding support for the various other mechanisms (other than Kerberos and NTLMSSP) that servers can negotiate (PKU2U for example, and also the 'peer to peer kerberos' that Macs can apparently negotiate with SMB3 and SPNEGO). Authentication is mostly opaque to the SMB3 protocol, so if additional mechanisms can be negotiated (transparently, with little impact on other parts of the kernel code) with SPNEGO in the future that would be of value On Thu, Dec 3, 2020 at 4:08 PM Jacob Shivers <jshivers@xxxxxxxxxx> wrote: > > Hello all, > > Is anyone working on modifying cifs.ko to work with gssproxy directly? > > There were comments a few years ago about such an endeavor, but I have > not seen any further discussion in recent years. > > Thanks for any information, > Jacob > -- Thanks, Steve
