All of lore.kernel.org
 help / color / mirror / Atom feed
From: Isaac Boukris <iboukris-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
To: Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	jfdey-rEd9KcVInK8dYYaOPf09RA@public.gmane.org,
	samba-technical-w/Ol4Ecudpl8XjKLYN78aQ@public.gmane.org
Subject: Re: [cifs-utils PATCHv2 0/6] cifs.upcall: cleanup and overhaul of the cifs.upcall krb5 handling code
Date: Thu, 25 Aug 2016 22:59:06 +0300	[thread overview]
Message-ID: <CAC-fF8RE-D=2wiSixiyXw7mR3Z8OeHD5GWtRkibuP9DNseGQuA@mail.gmail.com> (raw)
In-Reply-To: <1472143488.3160.7.camel-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>

On Thu, Aug 25, 2016 at 7:44 PM, Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org> wrote:
> On Thu, 2016-08-25 at 19:05 +0300, Isaac Boukris wrote:
>> However, it gets more complicated when it comes to SPNEGO.
>> First, when I call gss_init_sec_context with SPNEGO mech it will
>> always return GSS_S_CONTINUE_NEEDED as it need server response in
>> order to complete (even if mutual auth is not requested).
>> This causes (I think) the call to gss_inquire_sec_context_by_oid to
>> fail.
>> Also, we need to support continuation anyway for mutual auth and NTLM
>> fallback.
>>
>
> Ahh that's interesting. I didn't realize we'd be stuck having to handle
> a multi-stage negotiation if we use gss_init_sec_context. That is sort
> of difficult to handle with the way the upcall currently works.
>
> I may still play with it just to verify that I understand what you're
> saying but it does make sense.


You may take look at my (dirty) draft:
https://github.com/frenche/cifs-utils/tree/gssapi_upcall

> If we're going to go down the road of changing the upcall to handle
> that then I think I'd prefer to just change cifs.ko over to use
> gssproxy directly, like knfsd already does.
>
> It would be one less special snowflake to deal with and most of the
> plumbing is already in place. We could leave the old upcall in place
> for legacy userland case, and only do it if the gssproxy negotiation
> failed. It's a bit of a project, but would be totally doable.


The cifs kernel module will need some changes anyway to handle
multi-stage negotiation I think.
Using gssproxy sounds like an excellent idea, though I'm only vaguely
familiar with it so I'll have to look it up.

On the other hand I think there may still be an interest for stateless
mechanism (alongside) which wouldn't require a running daemon.
I'm trying to think of an alternative to exporting the gss context,
perhaps by keeping the upcall process running and continuing the
conversation with the kernel module somehow.

With best regards,
Isaac B.

  parent reply	other threads:[~2016-08-25 19:59 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-08-25 14:17 [cifs-utils PATCHv2 0/6] cifs.upcall: cleanup and overhaul of the cifs.upcall krb5 handling code Jeff Layton
2016-08-25 14:17 ` [cifs-utils PATCHv2 1/6] aclocal: fix typo in idmap.m4 Jeff Layton
2016-08-25 14:17 ` [cifs-utils PATCHv2 2/6] cifs.upcall: use krb5 routines to get default ccname Jeff Layton
     [not found] ` <1472134665-4014-1-git-send-email-jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
2016-08-25 14:17   ` [cifs-utils PATCHv2 3/6] cifs.upcall: make the krb5_context a static global variable Jeff Layton
2016-08-25 14:17 ` [cifs-utils PATCHv2 4/6] cifs.upcall: remove KRB5_TC_OPENCLOSE Jeff Layton
2016-08-25 14:17 ` [cifs-utils PATCHv2 5/6] cifs.upcall: make get_tgt_time take a ccache arg Jeff Layton
2016-08-25 14:17 ` [cifs-utils PATCHv2 6/6] cifs.upcall: stop passing around ccache name strings Jeff Layton
2016-08-25 16:05 ` [cifs-utils PATCHv2 0/6] cifs.upcall: cleanup and overhaul of the cifs.upcall krb5 handling code Isaac Boukris
     [not found]   ` <CAC-fF8S_K49oDzNMQ8PrjWyWEokdsRo2gC5xUQobWe4TTBYaCA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-08-25 16:44     ` Jeff Layton
     [not found]       ` <1472143488.3160.7.camel-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
2016-08-25 19:59         ` Isaac Boukris [this message]
2016-08-25 20:51           ` Jeff Layton
2016-08-26 12:53             ` Simo
     [not found]               ` <1472216025.17759.9.camel-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
2016-08-26 13:44                 ` Jeff Layton
2016-08-26 13:54                   ` Simo
2016-08-27 17:11         ` Isaac Boukris
2016-08-26 12:46       ` Simo
     [not found]         ` <1472215575.17759.3.camel-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
2016-08-27 18:06           ` Isaac Boukris
     [not found]             ` <CAC-fF8TP8T_qzmLNjTcs-u+nG46WWsEVyEQMqRBdgscQno3L5g-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-08-27 21:25               ` Simo

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAC-fF8RE-D=2wiSixiyXw7mR3Z8OeHD5GWtRkibuP9DNseGQuA@mail.gmail.com' \
    --to=iboukris-re5jqeeqqe8avxtiumwx3w@public.gmane.org \
    --cc=jfdey-rEd9KcVInK8dYYaOPf09RA@public.gmane.org \
    --cc=jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org \
    --cc=linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
    --cc=samba-technical-w/Ol4Ecudpl8XjKLYN78aQ@public.gmane.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.