While trying to configure kerberized SMB on some of my department's machines
I failed to achieve the desired scenario. The idea was that multiple service
users on the machines each authenticate with their own credentials on a multiuser mount.
Since those service users are used for non-interactive tasks the
credentials should be initialized automatically from the keytab provided to cifs.upcall.
In debugging the connection and looking at the source code of
cifs.upcall as well as the cifs kernel module I noticed that the keytab
is only used if the key description provided by the kernel specifies a
username. This is not the case for individual user sessions of a
multiuser mount. Since we already scrape a gid from the passwd nss db
based on the provided uid, I thought there would be no harm in doing so
as well for the username in case none is provided. This is what the
provided patch implements. By deriving the username for the user
sessions we enable those sessions to initialize themselves from the
keytab as well.
If there is an established way to configure this without requiring my
patch, please tell me where to look.
Also, please take extra care in reviewing this patch. I haven't written
any C in a long time.
Florian Schwalm (1):
cifs.upcall: enable ccache init from keytab for multiuser mount
sessions
cifs.upcall.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
--
2.39.3
