From: "Aurélien Aptel" <aaptel@suse.com>
To: Frank Loeffler <frank.loeffler@uni-jena.de>, linux-cifs@vger.kernel.org
Subject: Re: specifying password when using krb5
Date: Mon, 29 Mar 2021 18:25:49 +0200 [thread overview]
Message-ID: <87o8f2orjm.fsf@suse.com> (raw)
In-Reply-To: <20210327113252.GC8814@topf.wg>
Frank Loeffler <frank.loeffler@uni-jena.de> writes:
> 1. Is it intended that mount.cifs will not ask for a password when using
> sec=krb5 and will ignore any set password?
As Shyam said, this seems to be the case.
> 2. I don't want to setup krb5-tokens for users. All I want is
> authenticate using krb5 to get the smb-session and then forget about
> krb5. smbclient seems to be able to do this. I don't know how they do
> it, I suspect they create a temporary token, open the session, and then
> drop it again. Whatever smbclient does: couldn't mount.cifs do the same
> or something similar? This would make the 'password' setting meaningful
> for sec=krb5. This does not mean that existing tokens couldn't and
> shouldn't be used. It would just mean that users would not *have* to use
> an external mechanism for this.
When you use a password you're actually not using krb5 (even in
smbclient), you're using NTLMSSP authentication.
> 3. For the moment (and only if my observations are correct): could the
> documentation be updated to reflect that "password" is ignored for
> "sec=krb5"? Users shouldn't need to dig inside the source code to find
> out things like that.
That's a good point, I'll try to update the cifs-utils man page.
> 4. Currently, trying sec=krb5 without token cache files results in the
> rather obscure error "mount error(2): No such file or directory". Could
> this me changed into something that points users to the actual cause of
> the error?
Sadly we don't have much to work with. Mounting is done with a single
system call mount() which can only return 1 error code from the list of errno
codes https://man7.org/linux/man-pages/man3/errno.3.html
The error printed is the generic description of those code stored in
your libc.
There is a new mount syscall API that allows returning errors _strings_
to userspace. I've sent experimental patches to make use of it but I
haven't received any feedback on it. Your post is a great example of why
we should merge it.
> 5. Am I even remotely correct with any of this? :)
I think you are :) thanks for reporting.
Cheers,
--
Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97 8C99 03C8 A49B 521B D5D3
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg, DE
GF: Felix Imendörffer, Mary Higgins, Sri Rasiah HRB 247165 (AG München)
next prev parent reply other threads:[~2021-03-29 16:26 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-27 11:32 specifying password when using krb5 Frank Loeffler
2021-03-29 14:56 ` Shyam Prasad N
2021-03-29 16:25 ` Aurélien Aptel [this message]
2021-03-29 17:08 ` Frank Loeffler
2021-03-31 17:42 ` Aurélien Aptel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87o8f2orjm.fsf@suse.com \
--to=aaptel@suse.com \
--cc=frank.loeffler@uni-jena.de \
--cc=linux-cifs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.