It is somewhat gratifying so see some response after all this time.
I respectfully suggest that the credentials don't need retrieving as such. If an Active Directory ticket-granting kerberos ticket is obtained at the original authentication, then a ticket can be obtained for kerberos gssapi auth with the cifs server later on.
Or, a cifs connection might be used as the authenticator, (or established at authentication time) and kept active ready for use at publish time.
On the other hand, plugins might register as interested parties with interested actions, so at auth time the credentials are duplicated and encrypted against each registered plugin and action, to be used later during that plugin's action. I mean so that the publish action might receive opaque credentials which it can pass to a cifs connector which can then beg jenkins to emit them.
I merely put these on record so that motivated parties may consider them