Diffstat (limited to 'fs')
-rw-r--r-- | fs/Kconfig | 1 | ||||
-rw-r--r-- | fs/cifs/CHANGES | 6 | ||||
-rw-r--r-- | fs/cifs/README | 30 | ||||
-rw-r--r-- | fs/cifs/asn1.c | 11 | ||||
-rw-r--r-- | fs/cifs/cifs_spnego.c | 4 | ||||
-rw-r--r-- | fs/cifs/cifs_spnego.h | 2 | ||||
-rw-r--r-- | fs/cifs/cifsglob.h | 3 | ||||
-rw-r--r-- | fs/cifs/connect.c | 33 | ||||
-rw-r--r-- | fs/cifs/inode.c | 3 | ||||
-rw-r--r-- | fs/cifs/sess.c | 11 |
10 files changed, 74 insertions, 30 deletions
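--- a/fs/Kconfig
+++ b/fs/Kconfig
@@ -1984,7 +1984,6 @@ config CIFS_EXPERIMENTAL
 
 config CIFS_UPCALL
 bool "Kerberos/SPNEGO advanced session setup (EXPERIMENTAL)"
-depends on CIFS_EXPERIMENTAL
 depends on KEYS
 help
 Enables an upcall mechanism for CIFS which accesses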
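Review bot: The prompt string just above the removed `depends on CIFS_EXPERIMENTAL` line still reads `(EXPERIMENTAL)`, so the option is no longer gated on experimental code but its label still says it is; the README hunk in this same commit likewise describes Kerberos support as working without CONFIG_CIFS_EXPERIMENTAL. Suggest `bool "Kerberos/SPNEGO advanced session setup"` and a sentence in the help text noting that a cifs.upcall of version 1.2 or later is required (per the README hunk), since the in-kernel upcall version check added in sess.c now rejects older helpers outright. The rest of the help text continues outside the hunk.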
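--- a/fs/cifs/CHANGES
+++ b/fs/cifs/CHANGES
@@ -4,7 +4,11 @@ Fix premature write failure on congested networks (we would give up
 on EAGAIN from the socket too quickly on large writes).
 Cifs_mkdir and cifs_create now respect the setgid bit on parent dir.
 Fix endian problems in acl (mode from/to cifs acl) on bigendian
-architectures.
+architectures. Fix problems with preserving timestamps on copying open
+files (e.g. "cp -a") to Windows servers. For mkdir and create honor setgid bit
+on parent directory when server supports Unix Extensions but not POSIX
+create. Update cifs.upcall version to handle new Kerberos sec flags
+(this requires update of cifs.upcall program from Samba).
 
 Version 1.53
 ------------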
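--- a/fs/cifs/README
+++ b/fs/cifs/README
@@ -642,8 +642,30 @@ The statistics for the number of total SMBs and oplock breaks are different in
 that they represent all for that share, not just those for which the server
 returned success.
 
 Also note that "cat /proc/fs/cifs/DebugData" will display information about
 the active sessions and the shares that are mounted.
-Enabling Kerberos (extended security) works when CONFIG_CIFS_EXPERIMENTAL is
-on but requires a user space helper (from the Samba project). NTLM and NTLMv2 and
-LANMAN support do not require this helper.
+
+Enabling Kerberos (extended security) works but requires version 1.2 or later
+of the helper program cifs.upcall to be present and to be configured in the
+/etc/request-key.conf file. The cifs.upcall helper program is from the Samba
+project(http://www.samba.org). NTLM and NTLMv2 and LANMAN support do not
+require this helper. Note that NTLMv2 security (which does not require the
+cifs.upcall helper program), instead of using Kerberos, is sufficient for
+some use cases.
+
+Enabling DFS support (used to access shares transparently in an MS-DFS
+global name space) requires that CONFIG_CIFS_EXPERIMENTAL be enabled. In
+addition, DFS support for target shares which are specified as UNC
+names which begin with host names (rather than IP addresses) requires
+a user space helper (such as cifs.upcall) to be present in order to
+translate host names to ip address, and the user space helper must also
+be configured in the file /etc/request-key.conf
+
+To use cifs Kerberos and DFS support, the Linux keyutils package should be
+installed and something like the following lines should be added to the
+/etc/request-key.conf file:
+
+create cifs.spnego * * /usr/local/sbin/cifs.upcall %k
+create dns_resolver * * /usr/local/sbin/cifs.upcall %k
+
+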
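--- a/fs/cifs/asn1.c
+++ b/fs/cifs/asn1.c
@@ -476,6 +476,7 @@ decode_negTokenInit(unsigned char *security_blob, int length,
 unsigned int cls, con, tag, oidlen, rc;
 bool use_ntlmssp = false;
 bool use_kerberos = false;
+bool use_mskerberos = false;
 
 *secType = NTLM; /* BB eventually make Kerberos or NLTMSSP the default*/
 
@@ -574,10 +575,12 @@ decode_negTokenInit(unsigned char *security_blob, int length,
 *(oid + 1), *(oid + 2), *(oid + 3)));
 
 if (compare_oid(oid, oidlen, MSKRB5_OID,
-MSKRB5_OID_LEN))
-use_kerberos = true;
+MSKRB5_OID_LEN) &&
+!use_kerberos)
+use_mskerberos = true;
 else if (compare_oid(oid, oidlen, KRB5_OID,
-KRB5_OID_LEN))
+KRB5_OID_LEN) &&
+!use_mskerberos)
 use_kerberos = true;
 else if (compare_oid(oid, oidlen, NTLMSSP_OID,
 NTLMSSP_OID_LEN))
@@ -630,6 +633,8 @@ decode_negTokenInit(unsigned char *security_blob, int length,
 
 if (use_kerberos)
 *secType = Kerberos;
+else if (use_mskerberos)
+*secType = MSKerberos;
 else if (use_ntlmssp)
 *secType = NTLMSSP;
 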
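Review bot: The new `&& !use_kerberos` / `&& !use_mskerberos` guards in the second hunk mean that whichever Kerberos flavour the server lists first in the mechList wins and the two flags can never both be set, but nothing says so, and the `if (use_kerberos) ... else if (use_mskerberos)` ordering in the third hunk then reads as if it were breaking a tie that cannot occur. Suggest a comment above the compare_oid chain: `/* first of MS-KRB5 / KRB5 listed wins; at most one of use_kerberos and use_mskerberos is ever set */`. As a point of style, when the MS-KRB5 match is rejected because `use_kerberos` is already set, control falls through to comparing the same OID against KRB5 and NTLMSSP; harmless, but an explicit "already chosen, skip" branch would read more clearly than a guard folded into the match condition. decode_negTokenInit starts and ends outside these hunks.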
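--- a/fs/cifs/cifs_spnego.c
+++ b/fs/cifs/cifs_spnego.c
@@ -114,9 +114,11 @@ cifs_get_spnego_key(struct cifsSesInfo *sesInfo)
 
 dp = description + strlen(description);
 
-/* for now, only sec=krb5 is valid */
+/* for now, only sec=krb5 and sec=mskrb5 are valid */
 if (server->secType == Kerberos)
 sprintf(dp, ";sec=krb5");
+else if (server->secType == MSKerberos)
+sprintf(dp, ";sec=mskrb5");
 else
 goto out;
 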
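Review bot: The added `sprintf(dp, ";sec=mskrb5")` is unbounded, like the existing `;sec=krb5` write it sits beside, and it is two bytes longer than the suffix the `description` buffer was presumably sized for; the buffer's declaration and size are outside this hunk, so confirm the size budget covers the longer suffix plus whatever is appended after this point. Making the bound explicit, e.g. `snprintf(dp, DESCRIPTION_SIZE - (dp - description), ";sec=mskrb5")` with `DESCRIPTION_SIZE` standing in for the buffer's real size constant, would keep future suffix additions from silently overrunning. This string is the key description handed to the user-space helper, so an overrun here would corrupt the request at the kernel/user boundary. cifs_get_spnego_key starts and ends outside the hunk.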
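--- a/fs/cifs/cifs_spnego.h
+++ b/fs/cifs/cifs_spnego.h
@@ -23,7 +23,7 @@
 #ifndef _CIFS_SPNEGO_H
 #define _CIFS_SPNEGO_H
 
-#define CIFS_SPNEGO_UPCALL_VERSION 1
+#define CIFS_SPNEGO_UPCALL_VERSION 2
 
 /*
 * The version field should always be set to CIFS_SPNEGO_UPCALL_VERSION.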
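--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -80,7 +80,8 @@ enum securityEnum {
 NTLMv2, /* Legacy NTLM auth with NTLMv2 hash */
 RawNTLMSSP, /* NTLMSSP without SPNEGO */
 NTLMSSP, /* NTLMSSP via SPNEGO */
-Kerberos /* Kerberos via SPNEGO */
+Kerberos, /* Kerberos via SPNEGO */
+MSKerberos, /* MS Kerberos via SPNEGO */
 };
 
 enum protocolEnum {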
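Review bot: The comment on the new `MSKerberos` enumerator does not say how it differs from `Kerberos` or that every `secType == Kerberos` comparison now has a sibling case to handle; sess.c and cifs_spnego.c in this commit are updated, but other comparison sites are not visible from here. Suggest `MSKerberos, /* Kerberos via SPNEGO negotiated with the MS-KRB5 OID; session setup treats it like Kerberos */` so a reader of the enum knows both values need handling.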
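--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -3598,19 +3598,21 @@ int cifs_setup_session(unsigned int xid, struct cifsSesInfo *pSesInfo,
 char ntlm_session_key[CIFS_SESS_KEY_SIZE];
 bool ntlmv2_flag = false;
 int first_time = 0;
+struct TCP_Server_Info *server = pSesInfo->server;
 
 /* what if server changes its buffer size after dropping the session? */
-if (pSesInfo->server->maxBuf == 0) /* no need to send on reconnect */ {
+if (server->maxBuf == 0) /* no need to send on reconnect */ {
 rc = CIFSSMBNegotiate(xid, pSesInfo);
-if (rc == -EAGAIN) /* retry only once on 1st time connection */ {
+if (rc == -EAGAIN) {
+/* retry only once on 1st time connection */
 rc = CIFSSMBNegotiate(xid, pSesInfo);
 if (rc == -EAGAIN)
 rc = -EHOSTDOWN;
 }
 if (rc == 0) {
 spin_lock(&GlobalMid_Lock);
-if (pSesInfo->server->tcpStatus != CifsExiting)
-pSesInfo->server->tcpStatus = CifsGood;
+if (server->tcpStatus != CifsExiting)
+server->tcpStatus = CifsGood;
 else
 rc = -EHOSTDOWN;
 spin_unlock(&GlobalMid_Lock);
@@ -3623,23 +3625,22 @@ int cifs_setup_session(unsigned int xid, struct cifsSesInfo *pSesInfo,
 goto ss_err_exit;
 
 pSesInfo->flags = 0;
-pSesInfo->capabilities = pSesInfo->server->capabilities;
+pSesInfo->capabilities = server->capabilities;
 if (linuxExtEnabled == 0)
 pSesInfo->capabilities &= (~CAP_UNIX);
 /* pSesInfo->sequence_number = 0;*/
 cFYI(1, ("Security Mode: 0x%x Capabilities: 0x%x TimeAdjust: %d",
-pSesInfo->server->secMode,
-pSesInfo->server->capabilities,
-pSesInfo->server->timeAdj));
+server->secMode, server->capabilities, server->timeAdj));
+
 if (experimEnabled < 2)
 rc = CIFS_SessSetup(xid, pSesInfo, first_time, nls_info);
 else if (extended_security
 && (pSesInfo->capabilities & CAP_EXTENDED_SECURITY)
-&& (pSesInfo->server->secType == NTLMSSP)) {
+&& (server->secType == NTLMSSP)) {
 rc = -EOPNOTSUPP;
 } else if (extended_security
 && (pSesInfo->capabilities & CAP_EXTENDED_SECURITY)
-&& (pSesInfo->server->secType == RawNTLMSSP)) {
+&& (server->secType == RawNTLMSSP)) {
 cFYI(1, ("NTLMSSP sesssetup"));
 rc = CIFSNTLMSSPNegotiateSessSetup(xid, pSesInfo, &ntlmv2_flag,
 nls_info);
@@ -3668,12 +3669,12 @@ int cifs_setup_session(unsigned int xid, struct cifsSesInfo *pSesInfo,
 
 } else {
 SMBNTencrypt(pSesInfo->password,
-pSesInfo->server->cryptKey,
+server->cryptKey,
 ntlm_session_key);
 
 if (first_time)
 cifs_calculate_mac_key(
-&pSesInfo->server->mac_signing_key,
+&server->mac_signing_key,
 ntlm_session_key,
 pSesInfo->password);
 }
@@ -3686,13 +3687,13 @@ int cifs_setup_session(unsigned int xid, struct cifsSesInfo *pSesInfo,
 nls_info);
 }
 } else { /* old style NTLM 0.12 session setup */
-SMBNTencrypt(pSesInfo->password, pSesInfo->server->cryptKey,
+SMBNTencrypt(pSesInfo->password, server->cryptKey,
 ntlm_session_key);
 
 if (first_time)
-cifs_calculate_mac_key(
-&pSesInfo->server->mac_signing_key,
-ntlm_session_key, pSesInfo->password);
+cifs_calculate_mac_key(&server->mac_signing_key,
+ntlm_session_key,
+pSesInfo->password);
 
 rc = CIFSSessSetup(xid, pSesInfo, ntlm_session_key, nls_info);
 }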
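Review bot: The new local `server` in the first hunk snapshots `pSesInfo->server` once at function entry and is then used across the negotiate-and-retry path and in the three later hunks (cryptKey, mac_signing_key, secType); if anything between entry and the session-setup calls can replace `pSesInfo->server`, for example a reconnect, the cached pointer goes stale, a hazard the old per-use `pSesInfo->server->` dereferences did not have. I cannot tell from these hunks whether that pointer is ever reassigned for a live session; if it is not, a comment on the declaration such as `/* pSesInfo->server is fixed for the life of the session */` would record the assumption, and if it is, re-read it after the negotiate block. cifs_setup_session's signature is only in the hunk header and its body runs past the last hunk.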
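--- a/fs/cifs/inode.c
+++ b/fs/cifs/inode.c
@@ -546,7 +546,8 @@ int cifs_get_inode_info(struct inode **pinode,
 if ((inode->i_mode & S_IWUGO) == 0 &&
 (attr & ATTR_READONLY) == 0)
 inode->i_mode |= (S_IWUGO & default_mode);
-inode->i_mode &= ~S_IFMT;
+
+inode->i_mode &= ~S_IFMT;
 }
 /* clear write bits if ATTR_READONLY is set */
 if (attr & ATTR_READONLY)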
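--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -505,7 +505,7 @@ CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses, int first_time,
 unicode_ssetup_strings(&bcc_ptr, ses, nls_cp);
 } else
 ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
-} else if (type == Kerberos) {
+} else if (type == Kerberos || type == MSKerberos) {
 #ifdef CONFIG_CIFS_UPCALL
 struct cifs_spnego_msg *msg;
 spnego_key = cifs_get_spnego_key(ses);
@@ -516,6 +516,15 @@ CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses, int first_time,
 }
 
 msg = spnego_key->payload.data;
+/* check version field to make sure that cifs.upcall is
+sending us a response in an expected form */
+if (msg->version != CIFS_SPNEGO_UPCALL_VERSION) {
+cERROR(1, ("incorrect version of cifs.upcall (expected"
+" %d but got %d)",
+CIFS_SPNEGO_UPCALL_VERSION, msg->version));
+rc = -EKEYREJECTED;
+goto ssetup_exit;
+}
 /* bail out if key is too long */
 if (msg->sesskey_len >
 sizeof(ses->server->mac_signing_key.data.krb5)) {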
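Review bot: The new version check in the second hunk jumps to `ssetup_exit` after `spnego_key` has already been obtained, and whether that label drops the key reference is outside the hunk; confirm the new early exit does not leak the key, noting that the existing `sesskey_len` check directly below presumably uses the same exit and would share any fix. The placement itself is right: the version field is validated before any other field of `msg` is trusted, which matters because the payload is produced by the user-space helper, and the comment could say so: `/* reject a payload from a cifs.upcall built against a different CIFS_SPNEGO_UPCALL_VERSION before trusting any other field */`. The `%d` in the cERROR format must match the declared type of `msg->version`, which is not visible here. CIFS_SessSetup starts and ends outside these hunks.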