[JENKINS-22561] publish-over-cifs should be able to use Jenkins session credentials - including domain when Jenkins Active Directory authentication is used

[jira-importer]

If a user has logged in to Jenkins with active directory username and password, with a domain configured or discovered via the active directory plugin, then publish-over-cifs ought to be able to use these values to authenticate when connecting to the remote cifs server to publish files.

---

Originally reported by samliddicott, imported from: publish-over-cifs should be able to use Jenkins session credentials - including domain when Jenkins Active Directory authentication is used

• assignee: samliddicott
• status: Closed
• priority: Major
• resolution: Won't Do
• resolved: 2017-12-21T01:43:47+11:00
• imported: 2022/01/10

[jira-importer]

samliddicott:

$25 currently offered for a fix at https://freedomsponsors.org/core/issue/483/publish-over-cifs-should-be-able-to-use-jenkins-session-credentials-including-domain-when-jenkins-active-directory-authentication-is-used?alert=SPONSOR#

[jira-importer]

samliddicott:

69 days left of sponsorship offer, I've increased the amount to
$50 as exchange rates are favourable right now

[jira-importer]

samliddicott:

Nudge,bump. 30 days to go. If $50 is too low, does anyone want to negotiate?

[jira-importer]

slide_o_mix:

There is no way to retrieve the credentials for the user in a form that can be used to re-authenticate for CIFS.

[jira-importer]

samliddicott:

It is somewhat gratifying so see some response after all this time.

I respectfully suggest that the credentials don't need retrieving as such. If an Active Directory ticket-granting kerberos ticket is obtained at the original authentication, then a ticket can be obtained for kerberos gssapi auth with the cifs server later on.

Or, a cifs connection might be used as the authenticator, (or established at authentication time) and kept active ready for use at publish time.

On the other hand, plugins might register as interested parties with interested actions, so at auth time the credentials are duplicated and encrypted against each registered plugin and action, to be used later during that plugin's action. I mean so that the publish action might receive opaque credentials which it can pass to a cifs connector which can then beg jenkins to emit them.

I merely put these on record so that motivated parties may consider them

[jira-importer]

samliddicott:

Or maybe the a new "interactive" credentials type; which, when included in a job, prompt the user for credentials when the job starts.

These can then be supplied to the various plugins as configured.

[jira-importer]

slide_o_mix:

I want to add support for the Credentials plugin and not manage credentials internally, I am not sure what the capability is for prompting, but I think that should be possible once that is implemented.

[jira-importer]

samliddicott:

I guess then we need a credentials parameter type which can

• optionally default to a some stored credentials
• optionally inject into the environment
• be used as "job" scope credentials by other publish plugins

Should I open a new issue for that?

[jira-importer]

slide_o_mix:

The credentials would be managed at the job level, look at the wiki page for the credentials plugin. No new issue is needed.