Diffstat (limited to 'fs')
-rw-r--r--fs/Kconfig1
-rw-r--r--fs/cifs/CHANGES6
-rw-r--r--fs/cifs/README30
-rw-r--r--fs/cifs/asn1.c11
-rw-r--r--fs/cifs/cifs_spnego.c4
-rw-r--r--fs/cifs/cifs_spnego.h2
-rw-r--r--fs/cifs/cifsglob.h3
-rw-r--r--fs/cifs/connect.c33
-rw-r--r--fs/cifs/inode.c3
-rw-r--r--fs/cifs/sess.c11
10 files changed, 74 insertions, 30 deletions
diff --git a/fs/Kconfig b/fs/Kconfig
index d3873583360b..f0427105a619 100644
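--- a/fs/Kconfig
+++ b/fs/Kconfig
@@ -1984,7 +1984,6 @@ config CIFS_EXPERIMENTAL
 
 config CIFS_UPCALL
  bool "Kerberos/SPNEGO advanced session setup (EXPERIMENTAL)"
- depends on CIFS_EXPERIMENTAL
  depends on KEYS
  help
  Enables an upcall mechanism for CIFS which accesses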
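Review bot: The prompt for `config CIFS_UPCALL` still ends in "(EXPERIMENTAL)" even though the `depends on CIFS_EXPERIMENTAL` line is gone, so the option is now selectable on builds with CIFS_EXPERIMENTAL off while still carrying the experimental label. Either drop the tag from the prompt or keep the dependency, so the label matches what the build actually gates. The help text continues outside the hunk; it would be a reasonable place to say that this path hands session setup to a userspace helper through the key infrastructure (`depends on KEYS`).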
diff --git a/fs/cifs/CHANGES b/fs/cifs/CHANGES
index f5d0083e09fa..526041a52d35 100644
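--- a/fs/cifs/CHANGES
+++ b/fs/cifs/CHANGES
@@ -4,7 +4,11 @@ Fix premature write failure on congested networks (we would give up
 on EAGAIN from the socket too quickly on large writes).
 Cifs_mkdir and cifs_create now respect the setgid bit on parent dir.
 Fix endian problems in acl (mode from/to cifs acl) on bigendian
-architectures.
+architectures. Fix problems with preserving timestamps on copying open
+files (e.g. "cp -a") to Windows servers. For mkdir and create honor setgid bit
+on parent directory when server supports Unix Extensions but not POSIX
+create. Update cifs.upcall version to handle new Kerberos sec flags
+(this requires update of cifs.upcall program from Samba).
 
 Version 1.53
 ------------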
diff --git a/fs/cifs/README b/fs/cifs/README
index 2bd6fe556f88..68b5c1169d9d 100644
--- a/fs/cifs/README
+++ b/fs/cifs/README
@@ -642,8 +642,30 @@ The statistics for the number of total SMBs and oplock breaks are different in
642that they represent all for that share, not just those for which the server 642that they represent all for that share, not just those for which the server
643returned success. 643returned success.
644 644
645Also note that "cat /proc/fs/cifs/DebugData" will display information about 645Also note that "cat /proc/fs/cifs/DebugData" will display information about
646the active sessions and the shares that are mounted. 646the active sessions and the shares that are mounted.
647Enabling Kerberos (extended security) works when CONFIG_CIFS_EXPERIMENTAL is 647
648on but requires a user space helper (from the Samba project). NTLM and NTLMv2 and 648Enabling Kerberos (extended security) works but requires version 1.2 or later
649LANMAN support do not require this helper. 649of the helper program cifs.upcall to be present and to be configured in the
650/etc/request-key.conf file. The cifs.upcall helper program is from the Samba
651project(http://www.samba.org). NTLM and NTLMv2 and LANMAN support do not
652require this helper. Note that NTLMv2 security (which does not require the
653cifs.upcall helper program), instead of using Kerberos, is sufficient for
654some use cases.
655
656Enabling DFS support (used to access shares transparently in an MS-DFS
657global name space) requires that CONFIG_CIFS_EXPERIMENTAL be enabled. In
658addition, DFS support for target shares which are specified as UNC
659names which begin with host names (rather than IP addresses) requires
660a user space helper (such as cifs.upcall) to be present in order to
661translate host names to ip address, and the user space helper must also
662be configured in the file /etc/request-key.conf
663
664To use cifs Kerberos and DFS support, the Linux keyutils package should be
665installed and something like the following lines should be added to the
666/etc/request-key.conf file:
667
668create cifs.spnego * * /usr/local/sbin/cifs.upcall %k
669create dns_resolver * * /usr/local/sbin/cifs.upcall %k
670
671
diff --git a/fs/cifs/asn1.c b/fs/cifs/asn1.c
index 5fabd2caf93c..1b09f1670061 100644
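--- a/fs/cifs/asn1.c
+++ b/fs/cifs/asn1.c
@@ -476,6 +476,7 @@ decode_negTokenInit(unsigned char *security_blob, int length,
  unsigned int cls, con, tag, oidlen, rc;
  bool use_ntlmssp = false;
  bool use_kerberos = false;
+ bool use_mskerberos = false;
 
  *secType = NTLM; /* BB eventually make Kerberos or NLTMSSP the default*/
 
@@ -574,10 +575,12 @@ decode_negTokenInit(unsigned char *security_blob, int length,
  *(oid + 1), *(oid + 2), *(oid + 3)));
 
  if (compare_oid(oid, oidlen, MSKRB5_OID,
- MSKRB5_OID_LEN))
- use_kerberos = true;
+ MSKRB5_OID_LEN) &&
+ !use_kerberos)
+ use_mskerberos = true;
  else if (compare_oid(oid, oidlen, KRB5_OID,
- KRB5_OID_LEN))
+ KRB5_OID_LEN) &&
+ !use_mskerberos)
  use_kerberos = true;
  else if (compare_oid(oid, oidlen, NTLMSSP_OID,
  NTLMSSP_OID_LEN))
@@ -630,6 +633,8 @@ decode_negTokenInit(unsigned char *security_blob, int length,
 
  if (use_kerberos)
  *secType = Kerberos;
+ else if (use_mskerberos)
+ *secType = MSKerberos;
  else if (use_ntlmssp)
  *secType = NTLMSSP;
 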
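Review bot: The guards added in the second hunk (`&& !use_kerberos` and `&& !use_mskerberos`) make whichever Kerberos OID comes first in the offered mechanism list win, and nothing in the code states that rule. Because the list is parsed out of `security_blob`, which presumably comes from the server's negotiate response, the selection policy is worth spelling out above the chain, e.g. `/* first Kerberos-flavoured OID offered wins; use_kerberos and use_mskerberos are mutually exclusive */`. A later MSKRB5 OID now fails the first test and falls through the remaining `else if` comparisons; that looks harmless for the branches shown, but the end of the chain is outside the hunk. The final `*secType` selection in the third hunk then depends on the exclusivity these guards establish, so the comment helps anyone auditing the negotiated authentication type.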
diff --git a/fs/cifs/cifs_spnego.c b/fs/cifs/cifs_spnego.c
index 2434ab0e8791..117ef4bba68e 100644
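--- a/fs/cifs/cifs_spnego.c
+++ b/fs/cifs/cifs_spnego.c
@@ -114,9 +114,11 @@ cifs_get_spnego_key(struct cifsSesInfo *sesInfo)
 
  dp = description + strlen(description);
 
- /* for now, only sec=krb5 is valid */
+ /* for now, only sec=krb5 and sec=mskrb5 are valid */
  if (server->secType == Kerberos)
  sprintf(dp, ";sec=krb5");
+ else if (server->secType == MSKerberos)
+ sprintf(dp, ";sec=mskrb5");
  else
  goto out;
 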
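Review bot: `sprintf(dp, ";sec=mskrb5")` writes two bytes more into `description` than the existing `";sec=krb5"` branch, and the size of that buffer is computed outside this hunk. Confirm that the length reserved for the mechanism string covers the longer value; if it was sized for `;sec=krb5`, every MSKerberos session setup would overrun the buffer. Appending with a bounded call that is passed the remaining space would keep the next mechanism string from raising the same question. The allocation and the rest of cifs_get_spnego_key are outside the hunk.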
diff --git a/fs/cifs/cifs_spnego.h b/fs/cifs/cifs_spnego.h
index 05a34b17a1ab..e4041ec4d712 100644
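--- a/fs/cifs/cifs_spnego.h
+++ b/fs/cifs/cifs_spnego.h
@@ -23,7 +23,7 @@
 #ifndef _CIFS_SPNEGO_H
 #define _CIFS_SPNEGO_H
 
-#define CIFS_SPNEGO_UPCALL_VERSION 1
+#define CIFS_SPNEGO_UPCALL_VERSION 2
 
 /*
  * The version field should always be set to CIFS_SPNEGO_UPCALL_VERSION.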
diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
index 7e1cf262effe..8dfd6f24d488 100644
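--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -80,7 +80,8 @@ enum securityEnum {
  NTLMv2, /* Legacy NTLM auth with NTLMv2 hash */
  RawNTLMSSP, /* NTLMSSP without SPNEGO */
  NTLMSSP, /* NTLMSSP via SPNEGO */
- Kerberos /* Kerberos via SPNEGO */
+ Kerberos, /* Kerberos via SPNEGO */
+ MSKerberos, /* MS Kerberos via SPNEGO */
 };
 
 enum protocolEnum {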
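Review bot: With `MSKerberos` added as its own enumerator, any test written as `secType == Kerberos` no longer matches a session that negotiated the Microsoft OID. This commit updates the comparisons in `CIFS_SessSetup` and `cifs_get_spnego_key`; other comparison sites, if there are any, are not visible on this page and should be checked so that an MSKerberos session does not silently take a non-Kerberos code path. A short comment on the enumerator, e.g. `/* same handling as Kerberos; differs only in the OID sent to the upcall */`, would record the intent, assuming that is the intent.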
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index 0711db65afe8..4c13bcdb92a5 100644
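--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -3598,19 +3598,21 @@ int cifs_setup_session(unsigned int xid, struct cifsSesInfo *pSesInfo,
  char ntlm_session_key[CIFS_SESS_KEY_SIZE];
  bool ntlmv2_flag = false;
  int first_time = 0;
+ struct TCP_Server_Info *server = pSesInfo->server;
 
  /* what if server changes its buffer size after dropping the session? */
- if (pSesInfo->server->maxBuf == 0) /* no need to send on reconnect */ {
+ if (server->maxBuf == 0) /* no need to send on reconnect */ {
  rc = CIFSSMBNegotiate(xid, pSesInfo);
- if (rc == -EAGAIN) /* retry only once on 1st time connection */ {
+ if (rc == -EAGAIN) {
+ /* retry only once on 1st time connection */
  rc = CIFSSMBNegotiate(xid, pSesInfo);
  if (rc == -EAGAIN)
  rc = -EHOSTDOWN;
  }
  if (rc == 0) {
  spin_lock(&GlobalMid_Lock);
- if (pSesInfo->server->tcpStatus != CifsExiting)
- pSesInfo->server->tcpStatus = CifsGood;
+ if (server->tcpStatus != CifsExiting)
+ server->tcpStatus = CifsGood;
  else
  rc = -EHOSTDOWN;
  spin_unlock(&GlobalMid_Lock);
@@ -3623,23 +3625,22 @@ int cifs_setup_session(unsigned int xid, struct cifsSesInfo *pSesInfo,
  goto ss_err_exit;
 
  pSesInfo->flags = 0;
- pSesInfo->capabilities = pSesInfo->server->capabilities;
+ pSesInfo->capabilities = server->capabilities;
  if (linuxExtEnabled == 0)
  pSesInfo->capabilities &= (~CAP_UNIX);
  /* pSesInfo->sequence_number = 0;*/
  cFYI(1, ("Security Mode: 0x%x Capabilities: 0x%x TimeAdjust: %d",
- pSesInfo->server->secMode,
- pSesInfo->server->capabilities,
- pSesInfo->server->timeAdj));
+ server->secMode, server->capabilities, server->timeAdj));
+
  if (experimEnabled < 2)
  rc = CIFS_SessSetup(xid, pSesInfo, first_time, nls_info);
  else if (extended_security
  && (pSesInfo->capabilities & CAP_EXTENDED_SECURITY)
- && (pSesInfo->server->secType == NTLMSSP)) {
+ && (server->secType == NTLMSSP)) {
  rc = -EOPNOTSUPP;
  } else if (extended_security
  && (pSesInfo->capabilities & CAP_EXTENDED_SECURITY)
- && (pSesInfo->server->secType == RawNTLMSSP)) {
+ && (server->secType == RawNTLMSSP)) {
  cFYI(1, ("NTLMSSP sesssetup"));
  rc = CIFSNTLMSSPNegotiateSessSetup(xid, pSesInfo, &ntlmv2_flag,
  nls_info);
@@ -3668,12 +3669,12 @@ int cifs_setup_session(unsigned int xid, struct cifsSesInfo *pSesInfo,
 
  } else {
  SMBNTencrypt(pSesInfo->password,
- pSesInfo->server->cryptKey,
+ server->cryptKey,
  ntlm_session_key);
 
  if (first_time)
  cifs_calculate_mac_key(
- &pSesInfo->server->mac_signing_key,
+ &server->mac_signing_key,
  ntlm_session_key,
  pSesInfo->password);
  }
@@ -3686,13 +3687,13 @@ int cifs_setup_session(unsigned int xid, struct cifsSesInfo *pSesInfo,
  nls_info);
  }
  } else { /* old style NTLM 0.12 session setup */
- SMBNTencrypt(pSesInfo->password, pSesInfo->server->cryptKey,
+ SMBNTencrypt(pSesInfo->password, server->cryptKey,
  ntlm_session_key);
 
  if (first_time)
- cifs_calculate_mac_key(
- &pSesInfo->server->mac_signing_key,
- ntlm_session_key, pSesInfo->password);
+ cifs_calculate_mac_key(&server->mac_signing_key,
+ ntlm_session_key,
+ pSesInfo->password);
 
  rc = CIFSSessSetup(xid, pSesInfo, ntlm_session_key, nls_info);
  }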
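Review bot: `ntlm_session_key`, which `SMBNTencrypt()` appears to fill from `pSesInfo->password` in the last two hunks, is a stack buffer, and no visible line clears it before `cifs_setup_session` returns. The exit path (`ss_err_exit`) lies outside the hunks shown, so this may already be handled; if it is not, wipe the buffer on every return path, e.g. `memset(ntlm_session_key, 0, sizeof(ntlm_session_key));` placed so the compiler cannot drop it as a dead store. The rest of the section is a mechanical substitution of the new `server` local for `pSesInfo->server` and reads as behaviour-neutral.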
diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c
index 848286861c31..9c548f110102 100644
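--- a/fs/cifs/inode.c
+++ b/fs/cifs/inode.c
@@ -546,7 +546,8 @@ int cifs_get_inode_info(struct inode **pinode,
  if ((inode->i_mode & S_IWUGO) == 0 &&
  (attr & ATTR_READONLY) == 0)
  inode->i_mode |= (S_IWUGO & default_mode);
- inode->i_mode &= ~S_IFMT;
+
+ inode->i_mode &= ~S_IFMT;
  }
  /* clear write bits if ATTR_READONLY is set */
  if (attr & ATTR_READONLY)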
diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
index ed150efbe27c..b537fad3bf50 100644
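--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -505,7 +505,7 @@ CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses, int first_time,
  unicode_ssetup_strings(&bcc_ptr, ses, nls_cp);
  } else
  ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
- } else if (type == Kerberos) {
+ } else if (type == Kerberos || type == MSKerberos) {
 #ifdef CONFIG_CIFS_UPCALL
  struct cifs_spnego_msg *msg;
  spnego_key = cifs_get_spnego_key(ses);
@@ -516,6 +516,15 @@ CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses, int first_time,
  }
 
  msg = spnego_key->payload.data;
+ /* check version field to make sure that cifs.upcall is
+ sending us a response in an expected form */
+ if (msg->version != CIFS_SPNEGO_UPCALL_VERSION) {
+ cERROR(1, ("incorrect version of cifs.upcall (expected"
+ " %d but got %d)",
+ CIFS_SPNEGO_UPCALL_VERSION, msg->version));
+ rc = -EKEYREJECTED;
+ goto ssetup_exit;
+ }
  /* bail out if key is too long */
  if (msg->sesskey_len >
  sizeof(ses->server->mac_signing_key.data.krb5)) {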
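Review bot: The new version check reads `msg->version` immediately after `msg = spnego_key->payload.data`, with no visible test that the payload holds at least `sizeof(struct cifs_spnego_msg)` bytes. The payload is produced by the userspace cifs.upcall helper, so a short or malformed instantiation should be rejected before any field is read, for example `if (spnego_key->datalen < sizeof(*msg)) { rc = -EKEYREJECTED; goto ssetup_exit; }`; whether the key type already enforces a minimum length is not visible here. The same concern applies to `sesskey_len` just below, which is bounded against the signing-key buffer but not, in these lines, against the payload size. The enclosing branch of CIFS_SessSetup starts and ends outside the hunk.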