From: "Aurélien Aptel" <aaptel@samba.org>
To: Stefan Metzmacher <metze@samba.org>, linux-cifs@vger.kernel.org
Cc: Stefan Metzmacher <metze@samba.org>
Subject: Re: [PATCH v1 13/13] cifs: introduce the CifsInvalidCredentials session state
Date: Mon, 24 Feb 2020 19:09:22 +0100 [thread overview]
Message-ID: <87sgiz5031.fsf@suse.com> (raw)
In-Reply-To: <20200224131510.20608-14-metze@samba.org>
Stefan Metzmacher <metze@samba.org> writes:
> A future addition would be an upcall to get new credentials from
> userspace, or a way to use a magic file per session under /proc/fs/cifs/
> to provide new credentials.
I've looked into this recently. cifscreds from cifs-utils can already
store/update credentials in keyrings.
I believe this is only used in multiuser mode (-o multiuser). In that
mode, when a process does a syscall, cifs.ko will try to use a cifs_ses
matching the uid of that process, potentially opening a new one.
To open a new session for that user, cifs.ko looks at the current
process session keyring for that uid credentials. Take a look at
cifs_set_cifscreds(), it's the function that sets the credentials in the
volume about to be connected to.
* the key is of type "logon",
* description is "cifs:<mode>:<host>" where mode determines what host is
('a' for an ip address, 'd' for a domain).
* value is "<user>:<password>"
[ side-note on that keyring: it is the process session keyring. So you
need to make sure the keyring is created when the user first logs in the
system (i.e. via pam), otherwise cifscreds will create it, and since it
is the only user, will destroy it when cifscreds exits (refcount reaches
zero). I don't know why it was decided to use the session keyring, I
feel like we should make this keyring "global" instead of per session,
it would be easier to setup and update but I don't know the security
implications. (If anyone knows please share) ]
In any case, I think we should try to update
cifs_ses->{user_name,password} before re-opening a session by looking at
this keyring.
Cheers,
--
Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97 8C99 03C8 A49B 521B D5D3
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg, DE
GF: Felix Imendörffer, Mary Higgins, Sri Rasiah HRB 247165 (AG München)
next prev parent reply other threads:[~2020-02-24 18:09 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-24 13:14 [PATCH v1 00/13] Avoid reconnects of failed session setups on soft mounts Stefan Metzmacher
2020-02-24 13:14 ` [PATCH v1 01/13] cifs: call wake_up(&server->response_q) inside of cifs_reconnect() Stefan Metzmacher
2020-02-24 13:14 ` [PATCH v1 02/13] cifs: use mod_delayed_work() for &server->reconnect if already queued Stefan Metzmacher
2020-02-24 13:15 ` [PATCH v1 03/13] cifs: make use of cap_unix(ses) in cifs_reconnect_tcon() Stefan Metzmacher
2020-02-24 18:12 ` Aurélien Aptel
2020-02-24 20:39 ` Steve French
2020-02-24 21:36 ` Pavel Shilovsky
2020-02-24 13:15 ` [PATCH v1 04/13] cifs: split out a cifs_connect_session_locked() helper function Stefan Metzmacher
2020-03-06 17:05 ` Aurélien Aptel
2020-02-24 13:15 ` [PATCH v1 05/13] cifs: merge __{cifs,smb2}_reconnect[_tcon]() into cifs_tree_connect() Stefan Metzmacher
2020-03-06 16:46 ` Aurélien Aptel
2020-02-24 13:15 ` [PATCH v1 06/13] cifs: abstract cifs_tcon_reconnect() out of smb2_reconnect() Stefan Metzmacher
2020-03-27 17:31 ` Steve French
2020-02-24 13:15 ` [PATCH v1 07/13] cifs: cifs_reconnect_tcon() make use of the generic cifs_tcon_reconnect() function Stefan Metzmacher
2020-02-24 13:15 ` [PATCH v1 08/13] cifs: make cifs_tree_connect() static Stefan Metzmacher
2020-02-24 13:15 ` [PATCH v1 09/13] cifs: turn smb2_reconnect_server() into a generic cifs_reconnect_server() Stefan Metzmacher
2020-02-24 13:15 ` [PATCH v1 10/13] cifs: move cifs_reconnect_tcons() to fs/cifs/connect.c and make it static Stefan Metzmacher
2020-02-24 13:15 ` [PATCH v1 11/13] cifs: use reconnect timer also for SMB1 Stefan Metzmacher
2020-02-24 13:15 ` [PATCH v1 12/13] cifs: map STATUS_ACCOUNT_LOCKED_OUT to -EACCES Stefan Metzmacher
2020-02-24 13:15 ` [PATCH v1 13/13] cifs: introduce the CifsInvalidCredentials session state Stefan Metzmacher
2020-02-24 18:09 ` Aurélien Aptel [this message]
2020-02-24 18:38 ` [PATCH v1 00/13] Avoid reconnects of failed session setups on soft mounts Aurélien Aptel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87sgiz5031.fsf@suse.com \
--to=aaptel@samba.org \
--cc=linux-cifs@vger.kernel.org \
--cc=metze@samba.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.