From: Jeff Layton <jlayton@samba.org>
To: Isaac Boukris <iboukris@gmail.com>
Cc: linux-cifs@vger.kernel.org, jfdey@fredhutch.org,
samba-technical@lists.samba.org
Subject: Re: [cifs-utils PATCHv2 0/6] cifs.upcall: cleanup and overhaul of the cifs.upcall krb5 handling code
Date: Thu, 25 Aug 2016 16:51:39 -0400 [thread overview]
Message-ID: <1472158299.2599.10.camel@samba.org> (raw)
In-Reply-To: <CAC-fF8RE-D=2wiSixiyXw7mR3Z8OeHD5GWtRkibuP9DNseGQuA@mail.gmail.com>
On Thu, 2016-08-25 at 22:59 +0300, Isaac Boukris wrote:
> On Thu, Aug 25, 2016 at 7:44 PM, Jeff Layton <jlayton@samba.org>
> wrote:
> >
> > On Thu, 2016-08-25 at 19:05 +0300, Isaac Boukris wrote:
> > >
> > > However, it gets more complicated when it comes to SPNEGO.
> > > First, when I call gss_init_sec_context with SPNEGO mech it will
> > > always return GSS_S_CONTINUE_NEEDED as it need server response in
> > > order to complete (even if mutual auth is not requested).
> > > This causes (I think) the call to gss_inquire_sec_context_by_oid
> > > to
> > > fail.
> > > Also, we need to support continuation anyway for mutual auth and
> > > NTLM
> > > fallback.
> > >
> >
> > Ahh that's interesting. I didn't realize we'd be stuck having to
> > handle
> > a multi-stage negotiation if we use gss_init_sec_context. That is
> > sort
> > of difficult to handle with the way the upcall currently works.
> >
> > I may still play with it just to verify that I understand what
> > you're
> > saying but it does make sense.
>
>
> You may take look at my (dirty) draft:
> https://github.com/frenche/cifs-utils/tree/gssapi_upcall
>
Neat. Do you have a companion kernel patch? I'm wondering about how to
handle backward compatibility there. I guess we could try SPNEGO first
and fall back to using the *KRB5 if that fails.
Another thing (not directly related) that I've been considering is
whether we can use anonymous krb5 creds to handle the initial mount for
sec=krb5 mounts. It would be nice to be able to do multiuser mounts
without any client side setup.
> >
> > If we're going to go down the road of changing the upcall to handle
> > that then I think I'd prefer to just change cifs.ko over to use
> > gssproxy directly, like knfsd already does.
> >
> > It would be one less special snowflake to deal with and most of the
> > plumbing is already in place. We could leave the old upcall in
> > place
> > for legacy userland case, and only do it if the gssproxy
> > negotiation
> > failed. It's a bit of a project, but would be totally doable.
>
>
> The cifs kernel module will need some changes anyway to handle
> multi-stage negotiation I think.
> Using gssproxy sounds like an excellent idea, though I'm only vaguely
> familiar with it so I'll have to look it up.
>
> On the other hand I think there may still be an interest for
> stateless
> mechanism (alongside) which wouldn't require a running daemon.
> I'm trying to think of an alternative to exporting the gss context,
> perhaps by keeping the upcall process running and continuing the
> conversation with the kernel module somehow.
>
Yeah, not having a running daemon is certainly simpler for users.
--
Jeff Layton <jlayton@samba.org>
next prev parent reply other threads:[~2016-08-25 20:51 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-08-25 14:17 [cifs-utils PATCHv2 0/6] cifs.upcall: cleanup and overhaul of the cifs.upcall krb5 handling code Jeff Layton
2016-08-25 14:17 ` [cifs-utils PATCHv2 1/6] aclocal: fix typo in idmap.m4 Jeff Layton
2016-08-25 14:17 ` [cifs-utils PATCHv2 2/6] cifs.upcall: use krb5 routines to get default ccname Jeff Layton
[not found] ` <1472134665-4014-1-git-send-email-jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
2016-08-25 14:17 ` [cifs-utils PATCHv2 3/6] cifs.upcall: make the krb5_context a static global variable Jeff Layton
2016-08-25 14:17 ` [cifs-utils PATCHv2 4/6] cifs.upcall: remove KRB5_TC_OPENCLOSE Jeff Layton
2016-08-25 14:17 ` [cifs-utils PATCHv2 5/6] cifs.upcall: make get_tgt_time take a ccache arg Jeff Layton
2016-08-25 14:17 ` [cifs-utils PATCHv2 6/6] cifs.upcall: stop passing around ccache name strings Jeff Layton
2016-08-25 16:05 ` [cifs-utils PATCHv2 0/6] cifs.upcall: cleanup and overhaul of the cifs.upcall krb5 handling code Isaac Boukris
[not found] ` <CAC-fF8S_K49oDzNMQ8PrjWyWEokdsRo2gC5xUQobWe4TTBYaCA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-08-25 16:44 ` Jeff Layton
[not found] ` <1472143488.3160.7.camel-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
2016-08-25 19:59 ` Isaac Boukris
2016-08-25 20:51 ` Jeff Layton [this message]
2016-08-26 12:53 ` Simo
[not found] ` <1472216025.17759.9.camel-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
2016-08-26 13:44 ` Jeff Layton
2016-08-26 13:54 ` Simo
2016-08-27 17:11 ` Isaac Boukris
2016-08-26 12:46 ` Simo
[not found] ` <1472215575.17759.3.camel-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
2016-08-27 18:06 ` Isaac Boukris
[not found] ` <CAC-fF8TP8T_qzmLNjTcs-u+nG46WWsEVyEQMqRBdgscQno3L5g-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-08-27 21:25 ` Simo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1472158299.2599.10.camel@samba.org \
--to=jlayton@samba.org \
--cc=iboukris@gmail.com \
--cc=jfdey@fredhutch.org \
--cc=linux-cifs@vger.kernel.org \
--cc=samba-technical@lists.samba.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.