Hi,

Currently, for sec=krb5, mount.cifs assumes that the kerberos TGT is
already downloaded and stored in krb5 cred cache file. If an AD user
is logged in through ssh or su, those utilities authenticate with PAM
(winbind or sssd), and winbind/sssd can be configured to perform
krbtgt house-keeping (like refreshing the tickets). However, if the AD
user is not logged in, and the local root user wants to mount the
share using the credentials for an AD user, he/she will need to resort
to manual kinit, and this does not go through winbind/sssd.

Attached patch will introduce PAM authentication in mount.cifs. If
sec=krb5 is specified, mount.cifs will attempt to authenticate with
PAM as the username mentioned in mount options. If the authentication
fails, we fall back to the old behavior and proceed with the mount
nevertheless.

@linux-cifs: Please review the overall flow, and let me know if there
are any issues/suggestions. The feature is enabled by default in a
configure parameter (krb5pam), and can be disabled. Do we also need a
new mount option to trigger this new behavior? (try-pam-auth?)

@samba-technical: Please review the overall flow of PAM
authentication. Currently, I'm mainly doing pam_authenticate and
pam_setcreds. Is there any added benefit opening and closing session?
Is it possible to call pam_open_session from mount.cifs, and then call
pam_close_session in another binary (umount.cifs)?

Also attached the output of my test runs.

Thanks in advance.
-- 
-Shyam