linux-cifs.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Jacob Shivers <jshivers@redhat.com>
To: Steve French <smfrench@gmail.com>
Cc: CIFS <linux-cifs@vger.kernel.org>,
	Shyam Prasad N <nspmangalore@gmail.com>,
	Jeff Layton <jlayton@redhat.com>
Subject: Re: cifs.ko and gssproxy
Date: Fri, 4 Dec 2020 12:21:00 -0500	[thread overview]
Message-ID: <CALe0_74jN5GWCa1_wnuVHZw2G6FYg6rkH0byV+DZjO=8Lgb9HQ@mail.gmail.com> (raw)
In-Reply-To: <CAH2r5mucjWpHmeuQ36F7QoeDugrw48dvVrZQgSbesfT4SAqpLQ@mail.gmail.com>

Hi Steve,

On Fri, Dec 4, 2020 at 1:09 AM Steve French <smfrench@gmail.com> wrote:
>
> I see a brief mention of gssproxy by Jeff Layton more than three years
> ago, but don't remember any follow up on that.   What would be your
> goal in doing this?
>
> Presumably we could improve cifs.ko's ability to automatically
> autonegotiate new SMB sessions for incoming VFS requests from uids
> that have associated kerberos tickets.  Fortunately here is little

This and allowing for the use of unattended accounts to access
Kerberized SMB resources in much the same way they can like with NFS
shares.
For users in a mixed protocol environment they could grant some uid,
like for a database process, access to said Kerberized SMB share using
the same method they already deploy for NFS assuming gssproxy is
already in use.

> dependency on SPNEGO in cifs.ko (so it could be fairly easy to add
> other upcalls for SPNEGO), just during SMB3 session setup (and also in
> parsing the SMB3 negotiate response).   My bigger worry with handling
> SPNEGO (RFC2478) in the longer term, is adding support for the various
> other mechanisms (other than Kerberos and NTLMSSP) that servers can
> negotiate (PKU2U for example, and also the 'peer to peer kerberos'
> that Macs can apparently negotiate with SMB3 and SPNEGO).
> Authentication is mostly opaque to the SMB3 protocol, so if additional
> mechanisms can be negotiated  (transparently, with little impact on
> other parts of the kernel code) with SPNEGO in the future that would
> be of value

Ideally gssapi would be to allow for the transparent use of other
mechanisms and not be a blocker for deployment.


      reply	other threads:[~2020-12-04 17:23 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-12-03 22:05 cifs.ko and gssproxy Jacob Shivers
2020-12-04  6:09 ` Steve French
2020-12-04 17:21   ` Jacob Shivers [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CALe0_74jN5GWCa1_wnuVHZw2G6FYg6rkH0byV+DZjO=8Lgb9HQ@mail.gmail.com' \
    --to=jshivers@redhat.com \
    --cc=jlayton@redhat.com \
    --cc=linux-cifs@vger.kernel.org \
    --cc=nspmangalore@gmail.com \
    --cc=smfrench@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).