LinuxCIFS CredentialStashing: Difference between revisions

From SambaWiki
Revision as of 07:17, 6 May 2010

Overview

This is a companion project to LinuxCIFS_MultisessionMount. With multisession mounts, session setup is delayed, so we cannot prompt for authentication info at session setup time. This effectively limits that work to Kerberos auth.

It needn't be that way, however. If we could stash authentication info on a per-user basis, then we could use any NTLM-based authentication scheme.

A breakdown of the project

Core features:

  • a userspace program that can stash the appropriate info in the keyctl keyring.
    • The per-user keying is probably a good choice, but there may be an argument for doing this on a per-session basis.
  • kernel code to get that info out of the keyring so that CIFS can use it
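
The userspace half of the core features, as an added example that is not code from the Samba project: it stashes a credential with add_key(2) and selects either the per-user or the session keyring. The key description `cifs:<server>` and payload `<user>:<password>` are assumed formats (the page defines none), and the server name and credentials in main() are constructed.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Special keyring IDs, values as in <linux/keyctl.h>. */
#define SESSION_KEYRING (-3) /* KEY_SPEC_SESSION_KEYRING */
#define USER_KEYRING    (-4) /* KEY_SPEC_USER_KEYRING */

/* Hypothetical description format "cifs:<server>"; the page defines none. */
int build_desc(char *out, size_t n, const char *server)
{
    int len = snprintf(out, n, "cifs:%s", server);
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}

/* Hypothetical payload "<user>:<password>"; a ':' in the user name is rejected. */
int build_payload(char *out, size_t n, const char *user, const char *pass)
{
    if (*user == '\0' || strchr(user, ':'))
        return -1;
    int len = snprintf(out, n, "%s:%s", user, pass);
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}

/* Stash into the per-user keyring, or the session keyring if per_session.
 * Returns the key serial number, or -1 on error. */
long stash_creds(const char *server, const char *user, const char *pass,
                 int per_session)
{
    char desc[128], payload[256];
    long serial = -1;
    int plen = build_payload(payload, sizeof(payload), user, pass);
    if (plen >= 0 && build_desc(desc, sizeof(desc), server) >= 0)
        serial = syscall(SYS_add_key, "user", desc, payload, (size_t)plen,
                         per_session ? SESSION_KEYRING : USER_KEYRING);
    /* Wipe the stack copy; volatile keeps the compiler from eliding it. */
    for (volatile char *p = payload; p < payload + sizeof(payload); p++)
        *p = 0;
    return serial;
}

int main(void)
{
    long id = stash_creds("fileserver.example.com", "alice", "s3cret", 0);
    if (id < 0) { perror("add_key"); return 1; }
    printf("stashed as key %ld\n", id);
    return 0;
}
```

A key of type "user" can be read back by its owner, so this keeps the credential away from other users but not from the owner's own processes.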

Optional (Future) features:

  • working SPNEGO encapsulated NTLMSSP
    • current code does not work correctly, and this would allow us to mix use of krb5 and NTLMSSP for multisession mounts
  • an upcall that can get these credentials if they don't exist in the keyring (possibly from winbind)