I have a use-case for authentication of Linux cifs client mounts without the user being
present (e.g. from batch jobs) using gssproxy's impersonation feature with Kerberos
Constrained Delegation similar to how it can be done for NFS.
My understanding is that currently neither the Linux cifs kernel client nor cifs-utils
userland tools support acquiring credentials using gssproxy. The former uses a custom
upcall interface to talk to cifs.spnego from cifs-utils. The latter then goes looking for
Kerberos ticket caches using libkrb5 functions, not GSSAPI, which prevents gssproxy from
interacting with it.
From what I understand, the preferred method would be to switch the Linux kernel client
upcall to the RPC protocol defined by gssproxy (as has been done for the Linux kernel
NFS server already replacing rpc.svcgssd). The kernel could then, at least optionally,
talk to gssproxy directly to try and obtain credentials.
Failing that, cifs-utils' cifs.spnego could be switched to GSSAPI so that
gssproxy's interposer plugin could intercept GSSAPI calls and provide them with the
required credentials (similar to the NFS client rpc.gssd).
Assuming my understanding is correct so far:
Is anyone doing any work on this and could use some help (testing, coding)?
What would be expected complexity and possible roadblocks when trying to make a start at
Or is the idea moot due to some constraint or recent development I'm not aware of?
I have found a recent discussion of the topic on linux-cifs which provided no definite
As a crude attempt at an explicit userspace workaround I tried but failed to trick
smbclient into initialising a ticket cache using gssproxy for cifs.spnego to find later
Is this something that could be implemented without too much redundant effort (or should
already work, perhaps using a different tool)?