The Samba-Bugzilla – Bug 11527
Troubles with credentials in "session" kernel keyring
Last modified: 2016-05-20 07:40:21 UTC
(Sigh. Let's play bug ping-pong.)
So I am mounting various cifs filesystems with -o multiuser, and storing the password in the kernel keyring (cifscreds &c).
But now certain parts of my X11 session are run via systemd, via a separate PAM stack, and thus have their own session keyring – independent from the other half of my X11 programs.
(Which, by the way, isn't exactly a new issue – urxvtd, tmux, emacs-daemon, screen would all have the same problem.)
As in the original bug report [linked above], I'm told that cifs.ko & cifs-utils should use the 'user' keyring instead of the 'session' one to avoid such problems:
> Right, separating sessions from each other makes no sense security-wise on any usual workstation setup. Tools should switch to user-owned data instead of session-specific data. The concept of sessions is not meant to carry any credentials or other data, it is only the user who owns everything.
Another way, I think, would be to "join" an existing named session keyring when logging in to X11 – I remember having seen this option in `keyctl session …`.