linux-cifs.vger.kernel.org archive mirror
* [PATCH 0/1] cifs.upcall: enable ccache init from keytab for multiuser mount sessions
@ 2024-01-17 13:25 Florian Schwalm
From: Florian Schwalm @ 2024-01-17 13:25 UTC (permalink / raw)
  To: linux-cifs; +Cc: Florian Schwalm

While trying to configure kerberized SMB on some of my department's machines,
I failed to achieve the desired scenario. The idea was that multiple service
users on the machines each authenticate with their own credentials on a multiuser mount.
Since those service users are used for non-interactive tasks, the
credentials should be initialized automatically from the keytab provided to cifs.upcall.
In debugging the connection and looking at the source code of
cifs.upcall as well as the cifs kernel module, I noticed that the keytab
is only used if the key description provided by the kernel specifies a
username. This is not the case for individual user sessions of a
multiuser mount. Since we already scrape a gid from the passwd nss db
based on the provided uid, I thought there would be no harm in doing so
as well for the username in case none is provided. This is what the
provided patch implements. By deriving the username for the user
sessions we enable those sessions to initialize themselves from the
keytab as well.

If there is an established way to configure this without requiring my
patch, please tell me where to look.

Also, please take extra care in reviewing this patch. I haven't written
any C in a long time.

Florian Schwalm (1):
  cifs.upcall: enable ccache init from keytab for multiuser mount
    sessions

 cifs.upcall.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

-- 
2.39.3



* [PATCH 1/1] cifs.upcall: enable ccache init from keytab for multiuser mount sessions
From: Florian Schwalm @ 2024-01-17 13:25 UTC (permalink / raw)
  To: linux-cifs; +Cc: Florian Schwalm

Initializing the credentials cache from the provided keytab relies on
the username/principal being known.
The kernel doesn't pass down a username for the individual user sessions
of a multiuser mount, though; we only get a uid.
This patch adds derivation of a missing username based on the uid, just as is
already done for the gid.
This way the keytab can also be used for initialization of user
sessions.

Signed-off-by: Florian Schwalm <Florian.Schwalm@seven.one>
---
 cifs.upcall.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/cifs.upcall.c b/cifs.upcall.c
index 52c0328..492fcb6 100644
--- a/cifs.upcall.c
+++ b/cifs.upcall.c
@@ -1515,6 +1515,21 @@ int main(const int argc, char *const argv[])
 		goto out;
 	}
 
+	/*
+	 * The kernel doesn't pass down the username for individual sessions
+	 * of a multiuser mount, so we resort here to scraping one
+	 * out of the passwd nss db.
+	 */
+	if(arg->username[0] == '\0') {
+		if (strlen(pw->pw_name) > sizeof(arg->username)-1) {
+			syslog(LOG_ERR, "pw_name value too long for buffer");
+		} else {
+			memset(arg->username, 0, sizeof(arg->username));
+			strncpy(arg->username, pw->pw_name, strlen(pw->pw_name));
+			syslog(LOG_DEBUG, "Added username derived from uid:%s", arg->username);
+		}
+	}
+
 	ccache = get_existing_cc(env_cachename);
 	/* Couldn't find credcache? Try to use keytab */
 	if (ccache == NULL && arg->username[0] != '\0')
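Review bot: the copy at `strncpy(arg->username, pw->pw_name, strlen(pw->pw_name));` bounds by the source length rather than the destination, so it only stays NUL-terminated because of the `strlen(pw->pw_name) > sizeof(arg->username)-1` check and the memset directly above it; pass `sizeof(arg->username) - 1` as the bound instead (or strlcpy if the tree already uses it), so termination does not depend on the surrounding lines staying in sync. Two smaller points in the same block: `if(arg->username[0] == '\0')` is missing the space after `if` that the next line uses, and the LOG_DEBUG message reads "derived from uid:%s" while it prints the username, not the uid. The LOG_ERR branch also falls through silently to the `ccache == NULL && arg->username[0] != '\0'` check below, so the too-long case quietly skips keytab initialization; either say so in the log line or treat it as the error it is logged as. Finally, the commit message should state the behaviour change: every local uid whose passwd name matches a principal in the shared keytab now becomes eligible for keytab-initialized credentials on a multiuser mount, where before such sessions had no username and never reached the keytab path.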
-- 
2.39.3



* Re: [PATCH 0/1] cifs.upcall: enable ccache init from keytab for multiuser mount sessions
From: Schwalm, Florian @ 2024-01-18 11:22 UTC (permalink / raw)
  To: linux-cifs

Looking further into the issue, my use case may be solved by using the gssproxy feature implemented two years ago.
The patch may still be useful if you want to support this in cifs-utils itself. Though probably another patch would be advisable to support per-user keytabs, so we do not need to combine user credentials in a shared keytab. I can try to work on this if you think this would be a valuable addition. If you conclude that this is sufficiently solved by gssproxy, though, that would also be fine.



