From: "Aurélien Aptel" <aaptel@suse.com>
To: Shyam Prasad N <nspmangalore@gmail.com>,
	CIFS <linux-cifs@vger.kernel.org>,
	samba-technical@lists.samba.org,
	Pavel Shilovsky <piastryyy@gmail.com>,
	Steve French <smfrench@gmail.com>,
	sribhat.msa@outlook.com
Subject: Re: [PATCH][SMB3] mount.cifs integration with PAM
Date: Fri, 14 Aug 2020 11:52:42 +0200
Message-ID: <87pn7t4kr9.fsf@suse.com>
In-Reply-To: <CANT5p=pxPsBwAv3oJX6Ae9wjpZoEjLvyfGM1sM9DEhS11RNgog@mail.gmail.com>

Hi Shyam,

Shyam Prasad N <nspmangalore@gmail.com> writes:
> Currently, for sec=krb5, mount.cifs assumes that the kerberos TGT is
> already downloaded and stored in the krb5 cred cache file. If an AD user
> is logged in through ssh or su, those utilities authenticate with PAM
> (winbind or sssd), and winbind/sssd can be configured to perform
> krbtgt house-keeping (like refreshing the tickets). However, if the AD
> user is not logged in, and the local root user wants to mount the
> share using the credentials for an AD user, he/she will need to resort
> to manual kinit, and this does not go through winbind/sssd.

That is correct, I think. Note that when logging in to the system, PAM
also sets up the KRB5CCNAME variable that points to the credential cache
(e.g. "FILE:/tmp/krb5cc_0"), and it is then inherited by all processes in
the session.

> Attached patch will introduce PAM authentication in mount.cifs. If
> sec=krb5 is specified, mount.cifs will attempt to authenticate with
> PAM as the username mentioned in mount options. If the authentication
> fails, we fall back to the old behavior and proceed with the mount
> nevertheless.

Shouldn't we do it the other way around? I.e. try to use any existing
credential cache, and if that fails, authenticate again with PAM. I
think we might end up overwriting an existing cache or logging in twice
otherwise.

> @linux-cifs: Please review the overall flow, and let me know if there
> are any issues/suggestions. The feature is enabled by default in a
> configure parameter (krb5pam), and can be disabled. Do we also need a
> new mount option to trigger this new behavior? (try-pam-auth?)

> @samba-technical: Please review the overall flow of PAM
> authentication. Currently, I'm mainly doing pam_authenticate and
> pam_setcreds. Is there any added benefit to opening and closing a session?
> Is it possible to call pam_open_session from mount.cifs, and then call
> pam_close_session in another binary (umount.cifs)?

I am not 100% sure about this, but I think the session should be opened
in the context of the parent shell process to be able to be persistent;
otherwise the session will close when mount.cifs exits. Maybe there is a
way to pin the session to a different process... But most likely there
is an existing session already opened by PAM when the user initially
logged in to the system (regardless of the PAM backend/params).

Cheers,
-- 
Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97  8C99 03C8 A49B 521B D5D3
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg, DE
GF: Felix Imendörffer, Mary Higgins, Sri Rasiah HRB 247165 (AG München)