[CIFS] Kerberos and CIFS ACL support part 1

Signed-off-by: Steve French <sfrench@us.ibm.com>
author: Steve French <sfrench@us.ibm.com> 2005-12-02 01:32:42 -0500
committer: Steve French <sfrench@us.ibm.com> 2005-12-02 01:32:42 -0500
commit: bf8206791750854bc6668266b694e8fe2cacb924 (patch)
tree: 6fd0a4193b07e071e4a947d3df2bb62934b6bd93 /fs/cifs
parent: 83451879ab213e152c6fe5c743f257ba58d7acd1 (diff)
4 files changed, 94 insertions, 9 deletions
diff --git a/fs/cifs/README b/fs/cifs/README
index e5d09a2fc7a..b0070d1b149 100644
--- a/fs/cifs/README
+++ b/fs/cifs/README
@@ -436,7 +436,17 @@ A partial list of the supported mount options follows:
                SFU does).  In the future the bottom 9 bits of the mode
                mode also will be emulated using queries of the security
                descriptor (ACL).
-                
+sec             Security mode.  Allowed values are:
+                        none    attempt to connection as a null user (no name)
+                        krb5    Use Kerberos version 5 authentication
+                        krb5i   Use Kerberos authentication and packet signing
+                        ntlm    Use NTLM password hashing (default)
+                        ntlmi   Use NTLM password hashing with signing (if
+                                /proc/fs/cifs/PacketSigningEnabled on or if
+                                server requires signing also can be the default) 
+                        ntlmv2  Use NTLMv2 password hashing      
+                        ntlmv2i Use NTLMv2 password hashing with packet signing
 The mount.cifs mount helper also accepts a few mount options before -o
 including:
diff --git a/fs/cifs/cifsacl.h b/fs/cifs/cifsacl.h
new file mode 100644
index 00000000000..4cfcdf2e630
--- /dev/null
+++ b/fs/cifs/cifsacl.h
@@ -0,0 +1,36 @@
+/*
+ *   fs/cifs/cifsacl.h
+ *
+ *   Copyright (c) International Business Machines  Corp., 2005
+ *   Author(s): Steve French (sfrench@us.ibm.com)
+ *
+ *   This library is free software; you can redistribute it and/or modify
+ *   it under the terms of the GNU Lesser General Public License as published
+ *   by the Free Software Foundation; either version 2.1 of the License, or
+ *   (at your option) any later version.
+ *
+ *   This library is distributed in the hope that it will be useful,
+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
+ *   the GNU Lesser General Public License for more details.
+ *
+ *   You should have received a copy of the GNU Lesser General Public License
+ *   along with this library; if not, write to the Free Software
+ *   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+#ifndef _CIFSACL_H
+#define _CIFSACL_H
+struct cifs_sid {
+        __u8 revision; /* revision level */
+        __u8 num_subauths;
+        __u8 authority[6];
+        __u8 sub_auth[4];
+        /* next sub_auth if any ... */
+} __attribute__((packed));
+/* everyone */
+const cifs_sid sid_everyone = {1, 1, {0, 0, 0, 0, 0, 0}, {0, 0, 0, 0}};
+/* group users */
+const cifs_sid sid_user = {1, 2 , {0, 0, 0, 0, 0, 5}, {32, 545, 0, 0}};
diff --git a/fs/cifs/cifspdu.h b/fs/cifs/cifspdu.h
index 33e1859fd2f..5253e779b3a 100644
--- a/fs/cifs/cifspdu.h
+++ b/fs/cifs/cifspdu.h
@@ -1,7 +1,7 @@
 /*
 *   fs/cifs/cifspdu.h
 *
- *   Copyright (c) International Business Machines  Corp., 2002
+ *   Copyright (c) International Business Machines  Corp., 2002,2005
 *   Author(s): Steve French (sfrench@us.ibm.com)
 *
 *   This library is free software; you can redistribute it and/or modify
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index c467de85761..651f3b6cebe 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -82,6 +82,12 @@ struct smb_vol {
        unsigned remap:1;   /* set to remap seven reserved chars in filenames */
        unsigned posix_paths:1;   /* unset to not ask for posix pathnames. */
        unsigned sfu_emul:1;
+        unsigned krb5:1;
+        unsigned ntlm:1;
+        unsigned ntlmv2:1;
+        unsigned nullauth:1; /* attempt to authenticate with null user */
+        unsigned sign:1;
+        unsigned seal:1;     /* encrypt */
        unsigned nocase;     /* request case insensitive filenames */
        unsigned nobrl;      /* disable sending byte range locks to srv */
        unsigned int rsize;
@@ -777,7 +783,7 @@ cifs_parse_mount_options(char *options, const char *devname,struct smb_vol *vol)
        /* vol->retry default is 0 (i.e. "soft" limited retry not hard retry) */
        vol->rw = TRUE;
+        vol->ntlm = TRUE;
        /* default is always to request posix paths. */
        vol->posix_paths = 1;
@@ -903,6 +909,39 @@ cifs_parse_mount_options(char *options, const char *devname,struct smb_vol *vol)
                                printk(KERN_WARNING "CIFS: ip address too long\n");
                                return 1;
                        }
+                } else if (strnicmp(data, "sec", 3) == 0) { 
+                        if (!value || !*value) {
+                                cERROR(1,("no security value specified"));
+                                continue;
+                        } else if (strnicmp(value, "krb5i", 5) == 0) {
+                                vol->sign = 1;
+                                vol->krb5 = 1;
+                        } else if (strnicmp(value, "krb5p", 5) == 0) {
+                                /* vol->seal = 1; 
+                                   vol->krb5 = 1; */
+                                cERROR(1,("Krb5 cifs privacy not supported"));
+                                return 1;
+                        } else if (strnicmp(value, "krb5", 4) == 0) {
+                                vol->krb5 = 1;
+                        } else if (strnicmp(value, "ntlmv2i", 7) == 0) {
+                                vol->ntlmv2 = 1;
+                                vol->sign = 1;
+                        } else if (strnicmp(value, "ntlmv2", 6) == 0) {
+                                vol->ntlmv2 = 1;
+                        } else if (strnicmp(value, "ntlmi", 5) == 0) {
+                                vol->ntlm = 1;
+                                vol->sign = 1;
+                        } else if (strnicmp(value, "ntlm", 4) == 0) {
+                                /* ntlm is default so can be turned off too */
+                                vol->ntlm = 1;
+                        } else if (strnicmp(value, "nontlm", 6) == 0) {
+                                vol->ntlm = 0;
+                        } else if (strnicmp(value, "none", 4) == 0) {
+                                vol->nullauth = 1; 
+                        } else {
+                                cERROR(1,("bad security option: %s", value));
+                                return 1;
+                        }
                } else if ((strnicmp(data, "unc", 3) == 0)
                           || (strnicmp(data, "target", 6) == 0)
                           || (strnicmp(data, "path", 4) == 0)) {
@@ -1546,7 +1585,7 @@ cifs_mount(struct super_block *sb, struct cifs_sb_info *cifs_sb,
                cFYI(1, ("Username: %s ", volume_info.username));
        } else {
-                cifserror("No username specified ");
+                cifserror("No username specified");
        /* In userspace mount helper we can get user name from alternate
           locations such as env variables and files on disk */
                kfree(volume_info.UNC);
@@ -1587,7 +1626,7 @@ cifs_mount(struct super_block *sb, struct cifs_sb_info *cifs_sb,
                return -EINVAL;
        } else /* which servers DFS root would we conect to */ {
                cERROR(1,
-                       ("CIFS mount error: No UNC path (e.g. -o unc=//192.168.1.100/public) specified  "));
+                       ("CIFS mount error: No UNC path (e.g. -o unc=//192.168.1.100/public) specified"));
                kfree(volume_info.UNC);
                kfree(volume_info.password);
                FreeXid(xid);
@@ -1626,7 +1665,7 @@ cifs_mount(struct super_block *sb, struct cifs_sb_info *cifs_sb,
        if (srvTcp) {
-                cFYI(1, ("Existing tcp session with server found "));                
+                cFYI(1, ("Existing tcp session with server found"));                
        } else {        /* create socket */
                if(volume_info.port)
                        sin_server.sin_port = htons(volume_info.port);
@@ -1689,11 +1728,11 @@ cifs_mount(struct super_block *sb, struct cifs_sb_info *cifs_sb,
        if (existingCifsSes) {
                pSesInfo = existingCifsSes;
-                cFYI(1, ("Existing smb sess found "));
+                cFYI(1, ("Existing smb sess found"));
                kfree(volume_info.password);
                /* volume_info.UNC freed at end of function */
        } else if (!rc) {
-                cFYI(1, ("Existing smb sess not found "));
+                cFYI(1, ("Existing smb sess not found"));
                pSesInfo = sesInfoAlloc();
                if (pSesInfo == NULL)
                        rc = -ENOMEM;
@@ -1777,7 +1816,7 @@ cifs_mount(struct super_block *sb, struct cifs_sb_info *cifs_sb,
                    find_unc(sin_server.sin_addr.s_addr, volume_info.UNC,
                             volume_info.username);
                if (tcon) {
-                        cFYI(1, ("Found match on UNC path "));
+                        cFYI(1, ("Found match on UNC path"));
                        /* we can have only one retry value for a connection
                           to a share so for resources mounted more than once
                           to the same server share the last value passed in
author	Steve French <sfrench@us.ibm.com>	2005-12-02 01:32:42 -0500
committer	Steve French <sfrench@us.ibm.com>	2005-12-02 01:32:42 -0500
commit	bf8206791750854bc6668266b694e8fe2cacb924 (patch)
tree	6fd0a4193b07e071e4a947d3df2bb62934b6bd93 /fs/cifs
parent	83451879ab213e152c6fe5c743f257ba58d7acd1 (diff)

diff --git a/fs/cifs/README b/fs/cifs/README index e5d09a2fc7a..b0070d1b149 100644 --- a/fs/cifs/README +++ b/fs/cifs/README
@@ -436,7 +436,17 @@ A partial list of the supported mount options follows:
436	SFU does). In the future the bottom 9 bits of the mode	436	SFU does). In the future the bottom 9 bits of the mode
437	mode also will be emulated using queries of the security	437	mode also will be emulated using queries of the security
438	descriptor (ACL).	438	descriptor (ACL).
439		439	sec Security mode. Allowed values are:
		440	none attempt to connection as a null user (no name)
		441	krb5 Use Kerberos version 5 authentication
		442	krb5i Use Kerberos authentication and packet signing
		443	ntlm Use NTLM password hashing (default)
		444	ntlmi Use NTLM password hashing with signing (if
		445	/proc/fs/cifs/PacketSigningEnabled on or if
		446	server requires signing also can be the default)
		447	ntlmv2 Use NTLMv2 password hashing
		448	ntlmv2i Use NTLMv2 password hashing with packet signing
		449
440	The mount.cifs mount helper also accepts a few mount options before -o	450	The mount.cifs mount helper also accepts a few mount options before -o
441	including:	451	including:
442		452


diff --git a/fs/cifs/cifsacl.h b/fs/cifs/cifsacl.h new file mode 100644 index 00000000000..4cfcdf2e630 --- /dev/null +++ b/fs/cifs/cifsacl.h
@@ -0,0 +1,36 @@
		1	/*
		2	* fs/cifs/cifsacl.h
		3	*
		4	* Copyright (c) International Business Machines Corp., 2005
		5	* Author(s): Steve French (sfrench@us.ibm.com)
		6	*
		7	* This library is free software; you can redistribute it and/or modify
		8	* it under the terms of the GNU Lesser General Public License as published
		9	* by the Free Software Foundation; either version 2.1 of the License, or
		10	* (at your option) any later version.
		11	*
		12	* This library is distributed in the hope that it will be useful,
		13	* but WITHOUT ANY WARRANTY; without even the implied warranty of
		14	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
		15	* the GNU Lesser General Public License for more details.
		16	*
		17	* You should have received a copy of the GNU Lesser General Public License
		18	* along with this library; if not, write to the Free Software
		19	* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
		20	*/
		21
		22	#ifndef _CIFSACL_H
		23	#define _CIFSACL_H
		24
		25	struct cifs_sid {
		26	__u8 revision; /* revision level */
		27	__u8 num_subauths;
		28	__u8 authority[6];
		29	__u8 sub_auth[4];
		30	/* next sub_auth if any ... */
		31	} __attribute__((packed));
		32
		33	/* everyone */
		34	const cifs_sid sid_everyone = {1, 1, {0, 0, 0, 0, 0, 0}, {0, 0, 0, 0}};
		35	/* group users */
		36	const cifs_sid sid_user = {1, 2 , {0, 0, 0, 0, 0, 5}, {32, 545, 0, 0}};


diff --git a/fs/cifs/cifspdu.h b/fs/cifs/cifspdu.h index 33e1859fd2f..5253e779b3a 100644 --- a/fs/cifs/cifspdu.h +++ b/fs/cifs/cifspdu.h
@@ -1,7 +1,7 @@
1	/*	1	/*
2	* fs/cifs/cifspdu.h	2	* fs/cifs/cifspdu.h
3	*	3	*
4	* Copyright (c) International Business Machines Corp., 2002	4	* Copyright (c) International Business Machines Corp., 2002,2005
5	* Author(s): Steve French (sfrench@us.ibm.com)	5	* Author(s): Steve French (sfrench@us.ibm.com)
6	*	6	*
7	* This library is free software; you can redistribute it and/or modify	7	* This library is free software; you can redistribute it and/or modify


diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c index c467de85761..651f3b6cebe 100644 --- a/fs/cifs/connect.c +++ b/fs/cifs/connect.c
@@ -82,6 +82,12 @@ struct smb_vol {
82	unsigned remap:1; /* set to remap seven reserved chars in filenames */	82	unsigned remap:1; /* set to remap seven reserved chars in filenames */
83	unsigned posix_paths:1; /* unset to not ask for posix pathnames. */	83	unsigned posix_paths:1; /* unset to not ask for posix pathnames. */
84	unsigned sfu_emul:1;	84	unsigned sfu_emul:1;
		85	unsigned krb5:1;
		86	unsigned ntlm:1;
		87	unsigned ntlmv2:1;
		88	unsigned nullauth:1; /* attempt to authenticate with null user */
		89	unsigned sign:1;
		90	unsigned seal:1; /* encrypt */
85	unsigned nocase; /* request case insensitive filenames */	91	unsigned nocase; /* request case insensitive filenames */
86	unsigned nobrl; /* disable sending byte range locks to srv */	92	unsigned nobrl; /* disable sending byte range locks to srv */
87	unsigned int rsize;	93	unsigned int rsize;
@@ -777,7 +783,7 @@ cifs_parse_mount_options(char options, const char devname,struct smb_vol *vol)
777		783
778	/* vol->retry default is 0 (i.e. "soft" limited retry not hard retry) */	784	/* vol->retry default is 0 (i.e. "soft" limited retry not hard retry) */
779	vol->rw = TRUE;	785	vol->rw = TRUE;
780		786	vol->ntlm = TRUE;
781	/* default is always to request posix paths. */	787	/* default is always to request posix paths. */
782	vol->posix_paths = 1;	788	vol->posix_paths = 1;
783		789
@@ -903,6 +909,39 @@ cifs_parse_mount_options(char options, const char devname,struct smb_vol *vol)
903	printk(KERN_WARNING "CIFS: ip address too long\n");	909	printk(KERN_WARNING "CIFS: ip address too long\n");
904	return 1;	910	return 1;
905	}	911	}
		912	} else if (strnicmp(data, "sec", 3) == 0) {
		913	if (!value \|\| !*value) {
		914	cERROR(1,("no security value specified"));
		915	continue;
		916	} else if (strnicmp(value, "krb5i", 5) == 0) {
		917	vol->sign = 1;
		918	vol->krb5 = 1;
		919	} else if (strnicmp(value, "krb5p", 5) == 0) {
		920	/* vol->seal = 1;
		921	vol->krb5 = 1; */
		922	cERROR(1,("Krb5 cifs privacy not supported"));
		923	return 1;
		924	} else if (strnicmp(value, "krb5", 4) == 0) {
		925	vol->krb5 = 1;
		926	} else if (strnicmp(value, "ntlmv2i", 7) == 0) {
		927	vol->ntlmv2 = 1;
		928	vol->sign = 1;
		929	} else if (strnicmp(value, "ntlmv2", 6) == 0) {
		930	vol->ntlmv2 = 1;
		931	} else if (strnicmp(value, "ntlmi", 5) == 0) {
		932	vol->ntlm = 1;
		933	vol->sign = 1;
		934	} else if (strnicmp(value, "ntlm", 4) == 0) {
		935	/* ntlm is default so can be turned off too */
		936	vol->ntlm = 1;
		937	} else if (strnicmp(value, "nontlm", 6) == 0) {
		938	vol->ntlm = 0;
		939	} else if (strnicmp(value, "none", 4) == 0) {
		940	vol->nullauth = 1;
		941	} else {
		942	cERROR(1,("bad security option: %s", value));
		943	return 1;
		944	}
906	} else if ((strnicmp(data, "unc", 3) == 0)	945	} else if ((strnicmp(data, "unc", 3) == 0)
907	\|\| (strnicmp(data, "target", 6) == 0)	946	\|\| (strnicmp(data, "target", 6) == 0)
908	\|\| (strnicmp(data, "path", 4) == 0)) {	947	\|\| (strnicmp(data, "path", 4) == 0)) {
@@ -1546,7 +1585,7 @@ cifs_mount(struct super_block sb, struct cifs_sb_info cifs_sb,
1546	cFYI(1, ("Username: %s ", volume_info.username));	1585	cFYI(1, ("Username: %s ", volume_info.username));
1547		1586
1548	} else {	1587	} else {
1549	cifserror("No username specified ");	1588	cifserror("No username specified");
1550	/* In userspace mount helper we can get user name from alternate	1589	/* In userspace mount helper we can get user name from alternate
1551	locations such as env variables and files on disk */	1590	locations such as env variables and files on disk */
1552	kfree(volume_info.UNC);	1591	kfree(volume_info.UNC);
@@ -1587,7 +1626,7 @@ cifs_mount(struct super_block sb, struct cifs_sb_info cifs_sb,
1587	return -EINVAL;	1626	return -EINVAL;
1588	} else /* which servers DFS root would we conect to */ {	1627	} else /* which servers DFS root would we conect to */ {
1589	cERROR(1,	1628	cERROR(1,
1590	("CIFS mount error: No UNC path (e.g. -o unc=//192.168.1.100/public) specified "));	1629	("CIFS mount error: No UNC path (e.g. -o unc=//192.168.1.100/public) specified"));
1591	kfree(volume_info.UNC);	1630	kfree(volume_info.UNC);
1592	kfree(volume_info.password);	1631	kfree(volume_info.password);
1593	FreeXid(xid);	1632	FreeXid(xid);
@@ -1626,7 +1665,7 @@ cifs_mount(struct super_block sb, struct cifs_sb_info cifs_sb,
1626		1665
1627		1666
1628	if (srvTcp) {	1667	if (srvTcp) {
1629	cFYI(1, ("Existing tcp session with server found "));	1668	cFYI(1, ("Existing tcp session with server found"));
1630	} else { /* create socket */	1669	} else { /* create socket */
1631	if(volume_info.port)	1670	if(volume_info.port)
1632	sin_server.sin_port = htons(volume_info.port);	1671	sin_server.sin_port = htons(volume_info.port);
@@ -1689,11 +1728,11 @@ cifs_mount(struct super_block sb, struct cifs_sb_info cifs_sb,
1689		1728
1690	if (existingCifsSes) {	1729	if (existingCifsSes) {
1691	pSesInfo = existingCifsSes;	1730	pSesInfo = existingCifsSes;
1692	cFYI(1, ("Existing smb sess found "));	1731	cFYI(1, ("Existing smb sess found"));
1693	kfree(volume_info.password);	1732	kfree(volume_info.password);
1694	/* volume_info.UNC freed at end of function */	1733	/* volume_info.UNC freed at end of function */
1695	} else if (!rc) {	1734	} else if (!rc) {
1696	cFYI(1, ("Existing smb sess not found "));	1735	cFYI(1, ("Existing smb sess not found"));
1697	pSesInfo = sesInfoAlloc();	1736	pSesInfo = sesInfoAlloc();
1698	if (pSesInfo == NULL)	1737	if (pSesInfo == NULL)
1699	rc = -ENOMEM;	1738	rc = -ENOMEM;
@@ -1777,7 +1816,7 @@ cifs_mount(struct super_block sb, struct cifs_sb_info cifs_sb,
1777	find_unc(sin_server.sin_addr.s_addr, volume_info.UNC,	1816	find_unc(sin_server.sin_addr.s_addr, volume_info.UNC,
1778	volume_info.username);	1817	volume_info.username);
1779	if (tcon) {	1818	if (tcon) {
1780	cFYI(1, ("Found match on UNC path "));	1819	cFYI(1, ("Found match on UNC path"));
1781	/* we can have only one retry value for a connection	1820	/* we can have only one retry value for a connection
1782	to a share so for resources mounted more than once	1821	to a share so for resources mounted more than once
1783	to the same server share the last value passed in	1822	to the same server share the last value passed in