diff options
| author | Steve French <sfrench@us.ibm.com> | 2009-05-06 00:16:04 -0400 |
|---|---|---|
| committer | Steve French <sfrench@us.ibm.com> | 2009-05-06 00:16:04 -0400 |
| commit | ac68392460ffefed13020967bae04edc4d3add06 (patch) | |
| tree | 9b5e43db83752e8927ee5e449dfafefe12ae1f7d | |
| parent | 844823cb822932d2c599abf38692e3d6a5b5a320 (diff) | |
[CIFS] Allow raw ntlmssp code to be enabled with sec=ntlmssp
On mount, "sec=ntlmssp" can now be specified to allow
"rawntlmssp" security to be enabled during
CIFS session establishment/authentication (ntlmssp used to
require specifying krb5 which was counterintuitive).
Signed-off-by: Steve French <sfrench@us.ibm.com>
| -rw-r--r-- | fs/cifs/README | 10 | ||||
| -rw-r--r-- | fs/cifs/cifsglob.h | 16 | ||||
| -rw-r--r-- | fs/cifs/cifssmb.c | 10 | ||||
| -rw-r--r-- | fs/cifs/connect.c | 7 |
4 files changed, 35 insertions, 8 deletions
diff --git a/fs/cifs/README b/fs/cifs/README index 07434181623b..db208ddb9899 100644 --- a/fs/cifs/README +++ b/fs/cifs/README | |||
| @@ -651,7 +651,15 @@ Experimental When set to 1 used to enable certain experimental | |||
| 651 | signing turned on in case buffer was modified | 651 | signing turned on in case buffer was modified |
| 652 | just before it was sent, also this flag will | 652 | just before it was sent, also this flag will |
| 653 | be used to use the new experimental directory change | 653 | be used to use the new experimental directory change |
| 654 | notification code). | 654 | notification code). When set to 2 enables |
| 655 | an additional experimental feature, "raw ntlmssp" | ||
| 656 | session establishment support (which allows | ||
| 657 | specifying "sec=ntlmssp" on mount). The Linux cifs | ||
| 658 | module will use ntlmv2 authentication encapsulated | ||
| 659 | in "raw ntlmssp" (not using SPNEGO) when | ||
| 660 | "sec=ntlmssp" is specified on mount. | ||
| 661 | This support also requires building cifs with | ||
| 662 | the CONFIG_CIFS_EXPERIMENTAL configuration flag. | ||
| 655 | 663 | ||
| 656 | These experimental features and tracing can be enabled by changing flags in | 664 | These experimental features and tracing can be enabled by changing flags in |
| 657 | /proc/fs/cifs (after the cifs module has been installed or built into the | 665 | /proc/fs/cifs (after the cifs module has been installed or built into the |
diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h index df40ab64cd95..a61ab772c6f6 100644 --- a/fs/cifs/cifsglob.h +++ b/fs/cifs/cifsglob.h | |||
| @@ -82,8 +82,8 @@ enum securityEnum { | |||
| 82 | LANMAN, /* Legacy LANMAN auth */ | 82 | LANMAN, /* Legacy LANMAN auth */ |
| 83 | NTLM, /* Legacy NTLM012 auth with NTLM hash */ | 83 | NTLM, /* Legacy NTLM012 auth with NTLM hash */ |
| 84 | NTLMv2, /* Legacy NTLM auth with NTLMv2 hash */ | 84 | NTLMv2, /* Legacy NTLM auth with NTLMv2 hash */ |
| 85 | RawNTLMSSP, /* NTLMSSP without SPNEGO */ | 85 | RawNTLMSSP, /* NTLMSSP without SPNEGO, NTLMv2 hash */ |
| 86 | NTLMSSP, /* NTLMSSP via SPNEGO */ | 86 | NTLMSSP, /* NTLMSSP via SPNEGO, NTLMv2 hash */ |
| 87 | Kerberos, /* Kerberos via SPNEGO */ | 87 | Kerberos, /* Kerberos via SPNEGO */ |
| 88 | MSKerberos, /* MS Kerberos via SPNEGO */ | 88 | MSKerberos, /* MS Kerberos via SPNEGO */ |
| 89 | }; | 89 | }; |
| @@ -531,6 +531,7 @@ static inline void free_dfs_info_array(struct dfs_info3_param *param, | |||
| 531 | #define CIFSSEC_MAY_PLNTXT 0 | 531 | #define CIFSSEC_MAY_PLNTXT 0 |
| 532 | #endif /* weak passwords */ | 532 | #endif /* weak passwords */ |
| 533 | #define CIFSSEC_MAY_SEAL 0x00040 /* not supported yet */ | 533 | #define CIFSSEC_MAY_SEAL 0x00040 /* not supported yet */ |
| 534 | #define CIFSSEC_MAY_NTLMSSP 0x00080 /* raw ntlmssp with ntlmv2 */ | ||
| 534 | 535 | ||
| 535 | #define CIFSSEC_MUST_SIGN 0x01001 | 536 | #define CIFSSEC_MUST_SIGN 0x01001 |
| 536 | /* note that only one of the following can be set so the | 537 | /* note that only one of the following can be set so the |
| @@ -543,22 +544,23 @@ require use of the stronger protocol */ | |||
| 543 | #define CIFSSEC_MUST_LANMAN 0x10010 | 544 | #define CIFSSEC_MUST_LANMAN 0x10010 |
| 544 | #define CIFSSEC_MUST_PLNTXT 0x20020 | 545 | #define CIFSSEC_MUST_PLNTXT 0x20020 |
| 545 | #ifdef CONFIG_CIFS_UPCALL | 546 | #ifdef CONFIG_CIFS_UPCALL |
| 546 | #define CIFSSEC_MASK 0x3F03F /* allows weak security but also krb5 */ | 547 | #define CIFSSEC_MASK 0xAF0AF /* allows weak security but also krb5 */ |
| 547 | #else | 548 | #else |
| 548 | #define CIFSSEC_MASK 0x37037 /* current flags supported if weak */ | 549 | #define CIFSSEC_MASK 0xA70A7 /* current flags supported if weak */ |
| 549 | #endif /* UPCALL */ | 550 | #endif /* UPCALL */ |
| 550 | #else /* do not allow weak pw hash */ | 551 | #else /* do not allow weak pw hash */ |
| 551 | #ifdef CONFIG_CIFS_UPCALL | 552 | #ifdef CONFIG_CIFS_UPCALL |
| 552 | #define CIFSSEC_MASK 0x0F00F /* flags supported if no weak allowed */ | 553 | #define CIFSSEC_MASK 0x8F08F /* flags supported if no weak allowed */ |
| 553 | #else | 554 | #else |
| 554 | #define CIFSSEC_MASK 0x07007 /* flags supported if no weak allowed */ | 555 | #define CIFSSEC_MASK 0x87087 /* flags supported if no weak allowed */ |
| 555 | #endif /* UPCALL */ | 556 | #endif /* UPCALL */ |
| 556 | #endif /* WEAK_PW_HASH */ | 557 | #endif /* WEAK_PW_HASH */ |
| 557 | #define CIFSSEC_MUST_SEAL 0x40040 /* not supported yet */ | 558 | #define CIFSSEC_MUST_SEAL 0x40040 /* not supported yet */ |
| 559 | #define CIFSSEC_MUST_NTLMSSP 0x80080 /* raw ntlmssp with ntlmv2 */ | ||
| 558 | 560 | ||
| 559 | #define CIFSSEC_DEF (CIFSSEC_MAY_SIGN | CIFSSEC_MAY_NTLM | CIFSSEC_MAY_NTLMV2) | 561 | #define CIFSSEC_DEF (CIFSSEC_MAY_SIGN | CIFSSEC_MAY_NTLM | CIFSSEC_MAY_NTLMV2) |
| 560 | #define CIFSSEC_MAX (CIFSSEC_MUST_SIGN | CIFSSEC_MUST_NTLMV2) | 562 | #define CIFSSEC_MAX (CIFSSEC_MUST_SIGN | CIFSSEC_MUST_NTLMV2) |
| 561 | #define CIFSSEC_AUTH_MASK (CIFSSEC_MAY_NTLM | CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_LANMAN | CIFSSEC_MAY_PLNTXT | CIFSSEC_MAY_KRB5) | 563 | #define CIFSSEC_AUTH_MASK (CIFSSEC_MAY_NTLM | CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_LANMAN | CIFSSEC_MAY_PLNTXT | CIFSSEC_MAY_KRB5 | CIFSSEC_MAY_NTLMSSP) |
| 562 | /* | 564 | /* |
| 563 | ***************************************************************** | 565 | ***************************************************************** |
| 564 | * All constants go here | 566 | * All constants go here |
diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c index 4e10efd2432c..75e6623a8635 100644 --- a/fs/cifs/cifssmb.c +++ b/fs/cifs/cifssmb.c | |||
| @@ -449,6 +449,14 @@ CIFSSMBNegotiate(unsigned int xid, struct cifsSesInfo *ses) | |||
| 449 | cFYI(1, ("Kerberos only mechanism, enable extended security")); | 449 | cFYI(1, ("Kerberos only mechanism, enable extended security")); |
| 450 | pSMB->hdr.Flags2 |= SMBFLG2_EXT_SEC; | 450 | pSMB->hdr.Flags2 |= SMBFLG2_EXT_SEC; |
| 451 | } | 451 | } |
| 452 | #ifdef CONFIG_CIFS_EXPERIMENTAL | ||
| 453 | else if ((secFlags & CIFSSEC_MUST_NTLMSSP) == CIFSSEC_MUST_NTLMSSP) | ||
| 454 | pSMB->hdr.Flags2 |= SMBFLG2_EXT_SEC; | ||
| 455 | else if ((secFlags & CIFSSEC_AUTH_MASK) == CIFSSEC_MAY_NTLMSSP) { | ||
| 456 | cFYI(1, ("NTLMSSP only mechanism, enable extended security")); | ||
| 457 | pSMB->hdr.Flags2 |= SMBFLG2_EXT_SEC; | ||
| 458 | } | ||
| 459 | #endif | ||
| 452 | 460 | ||
| 453 | count = 0; | 461 | count = 0; |
| 454 | for (i = 0; i < CIFS_NUM_PROT; i++) { | 462 | for (i = 0; i < CIFS_NUM_PROT; i++) { |
| @@ -585,6 +593,8 @@ CIFSSMBNegotiate(unsigned int xid, struct cifsSesInfo *ses) | |||
| 585 | server->secType = NTLMv2; | 593 | server->secType = NTLMv2; |
| 586 | else if (secFlags & CIFSSEC_MAY_KRB5) | 594 | else if (secFlags & CIFSSEC_MAY_KRB5) |
| 587 | server->secType = Kerberos; | 595 | server->secType = Kerberos; |
| 596 | else if (secFlags & CIFSSEC_MAY_NTLMSSP) | ||
| 597 | server->secType = NTLMSSP; | ||
| 588 | else if (secFlags & CIFSSEC_MAY_LANMAN) | 598 | else if (secFlags & CIFSSEC_MAY_LANMAN) |
| 589 | server->secType = LANMAN; | 599 | server->secType = LANMAN; |
| 590 | /* #ifdef CONFIG_CIFS_EXPERIMENTAL | 600 | /* #ifdef CONFIG_CIFS_EXPERIMENTAL |
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c index 3a934dd84225..4aa81a507b74 100644 --- a/fs/cifs/connect.c +++ b/fs/cifs/connect.c | |||
| @@ -979,6 +979,13 @@ cifs_parse_mount_options(char *options, const char *devname, | |||
| 979 | return 1; | 979 | return 1; |
| 980 | } else if (strnicmp(value, "krb5", 4) == 0) { | 980 | } else if (strnicmp(value, "krb5", 4) == 0) { |
| 981 | vol->secFlg |= CIFSSEC_MAY_KRB5; | 981 | vol->secFlg |= CIFSSEC_MAY_KRB5; |
| 982 | #ifdef CONFIG_CIFS_EXPERIMENTAL | ||
| 983 | } else if (strnicmp(value, "ntlmsspi", 8) == 0) { | ||
| 984 | vol->secFlg |= CIFSSEC_MAY_NTLMSSP | | ||
| 985 | CIFSSEC_MUST_SIGN; | ||
| 986 | } else if (strnicmp(value, "ntlmssp", 7) == 0) { | ||
| 987 | vol->secFlg |= CIFSSEC_MAY_NTLMSSP; | ||
| 988 | #endif | ||
| 982 | } else if (strnicmp(value, "ntlmv2i", 7) == 0) { | 989 | } else if (strnicmp(value, "ntlmv2i", 7) == 0) { |
| 983 | vol->secFlg |= CIFSSEC_MAY_NTLMV2 | | 990 | vol->secFlg |= CIFSSEC_MAY_NTLMV2 | |
| 984 | CIFSSEC_MUST_SIGN; | 991 | CIFSSEC_MUST_SIGN; |