10 files changed, 74 insertions, 30 deletions
diff --git a/fs/Kconfig b/fs/Kconfig
index d3873583360b..f0427105a619 100644
--- a/fs/Kconfig
+++ b/fs/Kconfig
@@ -1984,7 +1984,6 @@ config CIFS_EXPERIMENTAL
 config CIFS_UPCALL
          bool "Kerberos/SPNEGO advanced session setup (EXPERIMENTAL)"
-          depends on CIFS_EXPERIMENTAL
          depends on KEYS
          help
            Enables an upcall mechanism for CIFS which accesses
diff --git a/fs/cifs/CHANGES b/fs/cifs/CHANGES
index f5d0083e09fa..526041a52d35 100644
--- a/fs/cifs/CHANGES
+++ b/fs/cifs/CHANGES
@@ -4,7 +4,11 @@ Fix premature write failure on congested networks (we would give up
 on EAGAIN from the socket too quickly on large writes).
 Cifs_mkdir and cifs_create now respect the setgid bit on parent dir.
 Fix endian problems in acl (mode from/to cifs acl) on bigendian
-architectures.
+architectures.  Fix problems with preserving timestamps on copying open
+files (e.g. "cp -a") to Windows servers.  For mkdir and create honor setgid bit
+on parent directory when server supports Unix Extensions but not POSIX
+create. Update cifs.upcall version to handle new Kerberos sec flags
+(this requires update of cifs.upcall program from Samba).
 Version 1.53
 ------------
diff --git a/fs/cifs/README b/fs/cifs/README
index 2bd6fe556f88..68b5c1169d9d 100644
--- a/fs/cifs/README
+++ b/fs/cifs/README
@@ -642,8 +642,30 @@ The statistics for the number of total SMBs and oplock breaks are different in
 that they represent all for that share, not just those for which the server
 returned success.
        
-Also note that "cat /proc/fs/cifs/DebugData" will display information about 
+Also note that "cat /proc/fs/cifs/DebugData" will display information about
 the active sessions and the shares that are mounted.
-Enabling Kerberos (extended security) works when CONFIG_CIFS_EXPERIMENTAL is
-on but requires a user space helper (from the Samba project). NTLM and NTLMv2 and
+Enabling Kerberos (extended security) works but requires version 1.2 or later
-LANMAN support do not require this helper.
+of the helper program cifs.upcall to be present and to be configured in the
+/etc/request-key.conf file.  The cifs.upcall helper program is from the Samba
+project(http://www.samba.org). NTLM and NTLMv2 and LANMAN support do not
+require this helper. Note that NTLMv2 security (which does not require the
+cifs.upcall helper program), instead of using Kerberos, is sufficient for
+some use cases.
+Enabling DFS support (used to access shares transparently in an MS-DFS
+global name space) requires that CONFIG_CIFS_EXPERIMENTAL be enabled.  In
+addition, DFS support for target shares which are specified as UNC
+names which begin with host names (rather than IP addresses) requires
+a user space helper (such as cifs.upcall) to be present in order to
+translate host names to ip address, and the user space helper must also
+be configured in the file /etc/request-key.conf
+To use cifs Kerberos and DFS support, the Linux keyutils package should be
+installed and something like the following lines should be added to the
+/etc/request-key.conf file:
+create cifs.spnego * * /usr/local/sbin/cifs.upcall %k
+create dns_resolver * * /usr/local/sbin/cifs.upcall %k
diff --git a/fs/cifs/asn1.c b/fs/cifs/asn1.c
index 5fabd2caf93c..1b09f1670061 100644
--- a/fs/cifs/asn1.c
+++ b/fs/cifs/asn1.c
@@ -476,6 +476,7 @@ decode_negTokenInit(unsigned char *security_blob, int length,
        unsigned int cls, con, tag, oidlen, rc;
        bool use_ntlmssp = false;
        bool use_kerberos = false;
+        bool use_mskerberos = false;
        *secType = NTLM; /* BB eventually make Kerberos or NLTMSSP the default*/
@@ -574,10 +575,12 @@ decode_negTokenInit(unsigned char *security_blob, int length,
                                         *(oid + 1), *(oid + 2), *(oid + 3)));
                                if (compare_oid(oid, oidlen, MSKRB5_OID,
-                                                MSKRB5_OID_LEN))
+                                                MSKRB5_OID_LEN) &&
-                                        use_kerberos = true;
+                                                !use_kerberos)
+                                        use_mskerberos = true;
                                else if (compare_oid(oid, oidlen, KRB5_OID,
-                                                     KRB5_OID_LEN))
+                                                     KRB5_OID_LEN) &&
+                                                     !use_mskerberos)
                                        use_kerberos = true;
                                else if (compare_oid(oid, oidlen, NTLMSSP_OID,
                                                     NTLMSSP_OID_LEN))
@@ -630,6 +633,8 @@ decode_negTokenInit(unsigned char *security_blob, int length,
        if (use_kerberos)
                *secType = Kerberos;
+        else if (use_mskerberos)
+                *secType = MSKerberos;
        else if (use_ntlmssp)
                *secType = NTLMSSP;
diff --git a/fs/cifs/cifs_spnego.c b/fs/cifs/cifs_spnego.c
index 2434ab0e8791..117ef4bba68e 100644
--- a/fs/cifs/cifs_spnego.c
+++ b/fs/cifs/cifs_spnego.c
@@ -114,9 +114,11 @@ cifs_get_spnego_key(struct cifsSesInfo *sesInfo)
        dp = description + strlen(description);
-        /* for now, only sec=krb5 is valid */
+        /* for now, only sec=krb5 and sec=mskrb5 are valid */
        if (server->secType == Kerberos)
                sprintf(dp, ";sec=krb5");
+        else if (server->secType == MSKerberos)
+                sprintf(dp, ";sec=mskrb5");
        else
                goto out;
diff --git a/fs/cifs/cifs_spnego.h b/fs/cifs/cifs_spnego.h
index 05a34b17a1ab..e4041ec4d712 100644
--- a/fs/cifs/cifs_spnego.h
+++ b/fs/cifs/cifs_spnego.h
@@ -23,7 +23,7 @@
 #ifndef _CIFS_SPNEGO_H
 #define _CIFS_SPNEGO_H
-#define CIFS_SPNEGO_UPCALL_VERSION 1
+#define CIFS_SPNEGO_UPCALL_VERSION 2
 /*
 * The version field should always be set to CIFS_SPNEGO_UPCALL_VERSION.
diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
index 7e1cf262effe..8dfd6f24d488 100644
--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -80,7 +80,8 @@ enum securityEnum {
        NTLMv2,                 /* Legacy NTLM auth with NTLMv2 hash */
        RawNTLMSSP,             /* NTLMSSP without SPNEGO */
        NTLMSSP,                /* NTLMSSP via SPNEGO */
-        Kerberos                /* Kerberos via SPNEGO */
+        Kerberos,               /* Kerberos via SPNEGO */
+        MSKerberos,             /* MS Kerberos via SPNEGO */
 };
 enum protocolEnum {
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index 0711db65afe8..4c13bcdb92a5 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -3598,19 +3598,21 @@ int cifs_setup_session(unsigned int xid, struct cifsSesInfo *pSesInfo,
        char ntlm_session_key[CIFS_SESS_KEY_SIZE];
        bool ntlmv2_flag = false;
        int first_time = 0;
+        struct TCP_Server_Info *server = pSesInfo->server;
        /* what if server changes its buffer size after dropping the session? */
-        if (pSesInfo->server->maxBuf == 0) /* no need to send on reconnect */ {
+        if (server->maxBuf == 0) /* no need to send on reconnect */ {
                rc = CIFSSMBNegotiate(xid, pSesInfo);
-                if (rc == -EAGAIN) /* retry only once on 1st time connection */ {
+                if (rc == -EAGAIN) {
+                        /* retry only once on 1st time connection */
                        rc = CIFSSMBNegotiate(xid, pSesInfo);
                        if (rc == -EAGAIN)
                                rc = -EHOSTDOWN;
                }
                if (rc == 0) {
                        spin_lock(&GlobalMid_Lock);
-                        if (pSesInfo->server->tcpStatus != CifsExiting)
+                        if (server->tcpStatus != CifsExiting)
-                                pSesInfo->server->tcpStatus = CifsGood;
+                                server->tcpStatus = CifsGood;
                        else
                                rc = -EHOSTDOWN;
                        spin_unlock(&GlobalMid_Lock);
@@ -3623,23 +3625,22 @@ int cifs_setup_session(unsigned int xid, struct cifsSesInfo *pSesInfo,
                goto ss_err_exit;
        pSesInfo->flags = 0;
-        pSesInfo->capabilities = pSesInfo->server->capabilities;
+        pSesInfo->capabilities = server->capabilities;
        if (linuxExtEnabled == 0)
                pSesInfo->capabilities &= (~CAP_UNIX);
        /*      pSesInfo->sequence_number = 0;*/
        cFYI(1, ("Security Mode: 0x%x Capabilities: 0x%x TimeAdjust: %d",
-                 pSesInfo->server->secMode,
+                 server->secMode, server->capabilities, server->timeAdj));
-                 pSesInfo->server->capabilities,
-                 pSesInfo->server->timeAdj));
        if (experimEnabled < 2)
                rc = CIFS_SessSetup(xid, pSesInfo, first_time, nls_info);
        else if (extended_security
                        && (pSesInfo->capabilities & CAP_EXTENDED_SECURITY)
-                        && (pSesInfo->server->secType == NTLMSSP)) {
+                        && (server->secType == NTLMSSP)) {
                rc = -EOPNOTSUPP;
        } else if (extended_security
                        && (pSesInfo->capabilities & CAP_EXTENDED_SECURITY)
-                        && (pSesInfo->server->secType == RawNTLMSSP)) {
+                        && (server->secType == RawNTLMSSP)) {
                cFYI(1, ("NTLMSSP sesssetup"));
                rc = CIFSNTLMSSPNegotiateSessSetup(xid, pSesInfo, &ntlmv2_flag,
                                                   nls_info);
@@ -3668,12 +3669,12 @@ int cifs_setup_session(unsigned int xid, struct cifsSesInfo *pSesInfo,
                        } else {
                                SMBNTencrypt(pSesInfo->password,
-                                             pSesInfo->server->cryptKey,
+                                             server->cryptKey,
                                             ntlm_session_key);
                                if (first_time)
                                        cifs_calculate_mac_key(
-                                             &pSesInfo->server->mac_signing_key,
+                                             &server->mac_signing_key,
                                             ntlm_session_key,
                                             pSesInfo->password);
                        }
@@ -3686,13 +3687,13 @@ int cifs_setup_session(unsigned int xid, struct cifsSesInfo *pSesInfo,
                                                      nls_info);
                }
        } else { /* old style NTLM 0.12 session setup */
-                SMBNTencrypt(pSesInfo->password, pSesInfo->server->cryptKey,
+                SMBNTencrypt(pSesInfo->password, server->cryptKey,
                             ntlm_session_key);
                if (first_time)
-                        cifs_calculate_mac_key(
+                        cifs_calculate_mac_key(&server->mac_signing_key,
-                                        &pSesInfo->server->mac_signing_key,
+                                                ntlm_session_key,
-                                        ntlm_session_key, pSesInfo->password);
+                                                pSesInfo->password);
                rc = CIFSSessSetup(xid, pSesInfo, ntlm_session_key, nls_info);
        }
diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c
index 848286861c31..9c548f110102 100644
--- a/fs/cifs/inode.c
+++ b/fs/cifs/inode.c
@@ -546,7 +546,8 @@ int cifs_get_inode_info(struct inode **pinode,
                if ((inode->i_mode & S_IWUGO) == 0 &&
                    (attr & ATTR_READONLY) == 0)
                        inode->i_mode |= (S_IWUGO & default_mode);
-                        inode->i_mode &= ~S_IFMT;
+                inode->i_mode &= ~S_IFMT;
        }
        /* clear write bits if ATTR_READONLY is set */
        if (attr & ATTR_READONLY)
diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
index ed150efbe27c..b537fad3bf50 100644
--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -505,7 +505,7 @@ CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses, int first_time,
                        unicode_ssetup_strings(&bcc_ptr, ses, nls_cp);
                } else
                        ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
-        } else if (type == Kerberos) {
+        } else if (type == Kerberos || type == MSKerberos) {
 #ifdef CONFIG_CIFS_UPCALL
                struct cifs_spnego_msg *msg;
                spnego_key = cifs_get_spnego_key(ses);
@@ -516,6 +516,15 @@ CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses, int first_time,
                }
                msg = spnego_key->payload.data;
+                /* check version field to make sure that cifs.upcall is
+                   sending us a response in an expected form */
+                if (msg->version != CIFS_SPNEGO_UPCALL_VERSION) {
+                        cERROR(1, ("incorrect version of cifs.upcall (expected"
+                                   " %d but got %d)",
+                                   CIFS_SPNEGO_UPCALL_VERSION, msg->version));
+                        rc = -EKEYREJECTED;
+                        goto ssetup_exit;
+                }
                /* bail out if key is too long */
                if (msg->sesskey_len >
                    sizeof(ses->server->mac_signing_key.data.krb5)) {

diff --git a/fs/Kconfig b/fs/Kconfig index d3873583360b..f0427105a619 100644 --- a/fs/Kconfig +++ b/fs/Kconfig
@@ -1984,7 +1984,6 @@ config CIFS_EXPERIMENTAL
1984		1984
1985	config CIFS_UPCALL	1985	config CIFS_UPCALL
1986	bool "Kerberos/SPNEGO advanced session setup (EXPERIMENTAL)"	1986	bool "Kerberos/SPNEGO advanced session setup (EXPERIMENTAL)"
1987	depends on CIFS_EXPERIMENTAL
1988	depends on KEYS	1987	depends on KEYS
1989	help	1988	help
1990	Enables an upcall mechanism for CIFS which accesses	1989	Enables an upcall mechanism for CIFS which accesses


diff --git a/fs/cifs/CHANGES b/fs/cifs/CHANGES index f5d0083e09fa..526041a52d35 100644 --- a/fs/cifs/CHANGES +++ b/fs/cifs/CHANGES
@@ -4,7 +4,11 @@ Fix premature write failure on congested networks (we would give up
4	on EAGAIN from the socket too quickly on large writes).	4	on EAGAIN from the socket too quickly on large writes).
5	Cifs_mkdir and cifs_create now respect the setgid bit on parent dir.	5	Cifs_mkdir and cifs_create now respect the setgid bit on parent dir.
6	Fix endian problems in acl (mode from/to cifs acl) on bigendian	6	Fix endian problems in acl (mode from/to cifs acl) on bigendian
7	architectures.	7	architectures. Fix problems with preserving timestamps on copying open
		8	files (e.g. "cp -a") to Windows servers. For mkdir and create honor setgid bit
		9	on parent directory when server supports Unix Extensions but not POSIX
		10	create. Update cifs.upcall version to handle new Kerberos sec flags
		11	(this requires update of cifs.upcall program from Samba).
8		12
9	Version 1.53	13	Version 1.53
10	------------	14	------------


diff --git a/fs/cifs/README b/fs/cifs/README index 2bd6fe556f88..68b5c1169d9d 100644 --- a/fs/cifs/README +++ b/fs/cifs/README
@@ -642,8 +642,30 @@ The statistics for the number of total SMBs and oplock breaks are different in
642	that they represent all for that share, not just those for which the server	642	that they represent all for that share, not just those for which the server
643	returned success.	643	returned success.
644		644
645	Also note that "cat /proc/fs/cifs/DebugData" will display information about	645	Also note that "cat /proc/fs/cifs/DebugData" will display information about
646	the active sessions and the shares that are mounted.	646	the active sessions and the shares that are mounted.
647	Enabling Kerberos (extended security) works when CONFIG_CIFS_EXPERIMENTAL is	647
648	on but requires a user space helper (from the Samba project). NTLM and NTLMv2 and	648	Enabling Kerberos (extended security) works but requires version 1.2 or later
649	LANMAN support do not require this helper.	649	of the helper program cifs.upcall to be present and to be configured in the
		650	/etc/request-key.conf file. The cifs.upcall helper program is from the Samba
		651	project(http://www.samba.org). NTLM and NTLMv2 and LANMAN support do not
		652	require this helper. Note that NTLMv2 security (which does not require the
		653	cifs.upcall helper program), instead of using Kerberos, is sufficient for
		654	some use cases.
		655
		656	Enabling DFS support (used to access shares transparently in an MS-DFS
		657	global name space) requires that CONFIG_CIFS_EXPERIMENTAL be enabled. In
		658	addition, DFS support for target shares which are specified as UNC
		659	names which begin with host names (rather than IP addresses) requires
		660	a user space helper (such as cifs.upcall) to be present in order to
		661	translate host names to ip address, and the user space helper must also
		662	be configured in the file /etc/request-key.conf
		663
		664	To use cifs Kerberos and DFS support, the Linux keyutils package should be
		665	installed and something like the following lines should be added to the
		666	/etc/request-key.conf file:
		667
		668	create cifs.spnego * * /usr/local/sbin/cifs.upcall %k
		669	create dns_resolver * * /usr/local/sbin/cifs.upcall %k
		670
		671


diff --git a/fs/cifs/asn1.c b/fs/cifs/asn1.c index 5fabd2caf93c..1b09f1670061 100644 --- a/fs/cifs/asn1.c +++ b/fs/cifs/asn1.c
@@ -476,6 +476,7 @@ decode_negTokenInit(unsigned char *security_blob, int length,
476	unsigned int cls, con, tag, oidlen, rc;	476	unsigned int cls, con, tag, oidlen, rc;
477	bool use_ntlmssp = false;	477	bool use_ntlmssp = false;
478	bool use_kerberos = false;	478	bool use_kerberos = false;
		479	bool use_mskerberos = false;
479		480
480	secType = NTLM; / BB eventually make Kerberos or NLTMSSP the default*/	481	secType = NTLM; / BB eventually make Kerberos or NLTMSSP the default*/
481		482
@@ -574,10 +575,12 @@ decode_negTokenInit(unsigned char *security_blob, int length,
574	(oid + 1), (oid + 2), *(oid + 3)));	575	(oid + 1), (oid + 2), *(oid + 3)));
575		576
576	if (compare_oid(oid, oidlen, MSKRB5_OID,	577	if (compare_oid(oid, oidlen, MSKRB5_OID,
577	MSKRB5_OID_LEN))	578	MSKRB5_OID_LEN) &&
578	use_kerberos = true;	579	!use_kerberos)
		580	use_mskerberos = true;
579	else if (compare_oid(oid, oidlen, KRB5_OID,	581	else if (compare_oid(oid, oidlen, KRB5_OID,
580	KRB5_OID_LEN))	582	KRB5_OID_LEN) &&
		583	!use_mskerberos)
581	use_kerberos = true;	584	use_kerberos = true;
582	else if (compare_oid(oid, oidlen, NTLMSSP_OID,	585	else if (compare_oid(oid, oidlen, NTLMSSP_OID,
583	NTLMSSP_OID_LEN))	586	NTLMSSP_OID_LEN))
@@ -630,6 +633,8 @@ decode_negTokenInit(unsigned char *security_blob, int length,
630		633
631	if (use_kerberos)	634	if (use_kerberos)
632	*secType = Kerberos;	635	*secType = Kerberos;
		636	else if (use_mskerberos)
		637	*secType = MSKerberos;
633	else if (use_ntlmssp)	638	else if (use_ntlmssp)
634	*secType = NTLMSSP;	639	*secType = NTLMSSP;
635		640


diff --git a/fs/cifs/cifs_spnego.c b/fs/cifs/cifs_spnego.c index 2434ab0e8791..117ef4bba68e 100644 --- a/fs/cifs/cifs_spnego.c +++ b/fs/cifs/cifs_spnego.c
@@ -114,9 +114,11 @@ cifs_get_spnego_key(struct cifsSesInfo *sesInfo)
114		114
115	dp = description + strlen(description);	115	dp = description + strlen(description);
116		116
117	/* for now, only sec=krb5 is valid */	117	/* for now, only sec=krb5 and sec=mskrb5 are valid */
118	if (server->secType == Kerberos)	118	if (server->secType == Kerberos)
119	sprintf(dp, ";sec=krb5");	119	sprintf(dp, ";sec=krb5");
		120	else if (server->secType == MSKerberos)
		121	sprintf(dp, ";sec=mskrb5");
120	else	122	else
121	goto out;	123	goto out;
122		124


diff --git a/fs/cifs/cifs_spnego.h b/fs/cifs/cifs_spnego.h index 05a34b17a1ab..e4041ec4d712 100644 --- a/fs/cifs/cifs_spnego.h +++ b/fs/cifs/cifs_spnego.h
@@ -23,7 +23,7 @@
23	#ifndef _CIFS_SPNEGO_H	23	#ifndef _CIFS_SPNEGO_H
24	#define _CIFS_SPNEGO_H	24	#define _CIFS_SPNEGO_H
25		25
26	#define CIFS_SPNEGO_UPCALL_VERSION 1	26	#define CIFS_SPNEGO_UPCALL_VERSION 2
27		27
28	/*	28	/*
29	* The version field should always be set to CIFS_SPNEGO_UPCALL_VERSION.	29	* The version field should always be set to CIFS_SPNEGO_UPCALL_VERSION.


diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h index 7e1cf262effe..8dfd6f24d488 100644 --- a/fs/cifs/cifsglob.h +++ b/fs/cifs/cifsglob.h
@@ -80,7 +80,8 @@ enum securityEnum {
80	NTLMv2, /* Legacy NTLM auth with NTLMv2 hash */	80	NTLMv2, /* Legacy NTLM auth with NTLMv2 hash */
81	RawNTLMSSP, /* NTLMSSP without SPNEGO */	81	RawNTLMSSP, /* NTLMSSP without SPNEGO */
82	NTLMSSP, /* NTLMSSP via SPNEGO */	82	NTLMSSP, /* NTLMSSP via SPNEGO */
83	Kerberos /* Kerberos via SPNEGO */	83	Kerberos, /* Kerberos via SPNEGO */
		84	MSKerberos, /* MS Kerberos via SPNEGO */
84	};	85	};
85		86
86	enum protocolEnum {	87	enum protocolEnum {


diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c index 0711db65afe8..4c13bcdb92a5 100644 --- a/fs/cifs/connect.c +++ b/fs/cifs/connect.c
@@ -3598,19 +3598,21 @@ int cifs_setup_session(unsigned int xid, struct cifsSesInfo *pSesInfo,
3598	char ntlm_session_key[CIFS_SESS_KEY_SIZE];	3598	char ntlm_session_key[CIFS_SESS_KEY_SIZE];
3599	bool ntlmv2_flag = false;	3599	bool ntlmv2_flag = false;
3600	int first_time = 0;	3600	int first_time = 0;
		3601	struct TCP_Server_Info *server = pSesInfo->server;
3601		3602
3602	/* what if server changes its buffer size after dropping the session? */	3603	/* what if server changes its buffer size after dropping the session? */
3603	if (pSesInfo->server->maxBuf == 0) /* no need to send on reconnect */ {	3604	if (server->maxBuf == 0) /* no need to send on reconnect */ {
3604	rc = CIFSSMBNegotiate(xid, pSesInfo);	3605	rc = CIFSSMBNegotiate(xid, pSesInfo);
3605	if (rc == -EAGAIN) /* retry only once on 1st time connection */ {	3606	if (rc == -EAGAIN) {
		3607	/* retry only once on 1st time connection */
3606	rc = CIFSSMBNegotiate(xid, pSesInfo);	3608	rc = CIFSSMBNegotiate(xid, pSesInfo);
3607	if (rc == -EAGAIN)	3609	if (rc == -EAGAIN)
3608	rc = -EHOSTDOWN;	3610	rc = -EHOSTDOWN;
3609	}	3611	}
3610	if (rc == 0) {	3612	if (rc == 0) {
3611	spin_lock(&GlobalMid_Lock);	3613	spin_lock(&GlobalMid_Lock);
3612	if (pSesInfo->server->tcpStatus != CifsExiting)	3614	if (server->tcpStatus != CifsExiting)
3613	pSesInfo->server->tcpStatus = CifsGood;	3615	server->tcpStatus = CifsGood;
3614	else	3616	else
3615	rc = -EHOSTDOWN;	3617	rc = -EHOSTDOWN;
3616	spin_unlock(&GlobalMid_Lock);	3618	spin_unlock(&GlobalMid_Lock);
@@ -3623,23 +3625,22 @@ int cifs_setup_session(unsigned int xid, struct cifsSesInfo *pSesInfo,
3623	goto ss_err_exit;	3625	goto ss_err_exit;
3624		3626
3625	pSesInfo->flags = 0;	3627	pSesInfo->flags = 0;
3626	pSesInfo->capabilities = pSesInfo->server->capabilities;	3628	pSesInfo->capabilities = server->capabilities;
3627	if (linuxExtEnabled == 0)	3629	if (linuxExtEnabled == 0)
3628	pSesInfo->capabilities &= (~CAP_UNIX);	3630	pSesInfo->capabilities &= (~CAP_UNIX);
3629	/* pSesInfo->sequence_number = 0;*/	3631	/* pSesInfo->sequence_number = 0;*/
3630	cFYI(1, ("Security Mode: 0x%x Capabilities: 0x%x TimeAdjust: %d",	3632	cFYI(1, ("Security Mode: 0x%x Capabilities: 0x%x TimeAdjust: %d",
3631	pSesInfo->server->secMode,	3633	server->secMode, server->capabilities, server->timeAdj));
3632	pSesInfo->server->capabilities,	3634
3633	pSesInfo->server->timeAdj));
3634	if (experimEnabled < 2)	3635	if (experimEnabled < 2)
3635	rc = CIFS_SessSetup(xid, pSesInfo, first_time, nls_info);	3636	rc = CIFS_SessSetup(xid, pSesInfo, first_time, nls_info);
3636	else if (extended_security	3637	else if (extended_security
3637	&& (pSesInfo->capabilities & CAP_EXTENDED_SECURITY)	3638	&& (pSesInfo->capabilities & CAP_EXTENDED_SECURITY)
3638	&& (pSesInfo->server->secType == NTLMSSP)) {	3639	&& (server->secType == NTLMSSP)) {
3639	rc = -EOPNOTSUPP;	3640	rc = -EOPNOTSUPP;
3640	} else if (extended_security	3641	} else if (extended_security
3641	&& (pSesInfo->capabilities & CAP_EXTENDED_SECURITY)	3642	&& (pSesInfo->capabilities & CAP_EXTENDED_SECURITY)
3642	&& (pSesInfo->server->secType == RawNTLMSSP)) {	3643	&& (server->secType == RawNTLMSSP)) {
3643	cFYI(1, ("NTLMSSP sesssetup"));	3644	cFYI(1, ("NTLMSSP sesssetup"));
3644	rc = CIFSNTLMSSPNegotiateSessSetup(xid, pSesInfo, &ntlmv2_flag,	3645	rc = CIFSNTLMSSPNegotiateSessSetup(xid, pSesInfo, &ntlmv2_flag,
3645	nls_info);	3646	nls_info);
@@ -3668,12 +3669,12 @@ int cifs_setup_session(unsigned int xid, struct cifsSesInfo *pSesInfo,
3668		3669
3669	} else {	3670	} else {
3670	SMBNTencrypt(pSesInfo->password,	3671	SMBNTencrypt(pSesInfo->password,
3671	pSesInfo->server->cryptKey,	3672	server->cryptKey,
3672	ntlm_session_key);	3673	ntlm_session_key);
3673		3674
3674	if (first_time)	3675	if (first_time)
3675	cifs_calculate_mac_key(	3676	cifs_calculate_mac_key(
3676	&pSesInfo->server->mac_signing_key,	3677	&server->mac_signing_key,
3677	ntlm_session_key,	3678	ntlm_session_key,
3678	pSesInfo->password);	3679	pSesInfo->password);
3679	}	3680	}
@@ -3686,13 +3687,13 @@ int cifs_setup_session(unsigned int xid, struct cifsSesInfo *pSesInfo,
3686	nls_info);	3687	nls_info);
3687	}	3688	}
3688	} else { /* old style NTLM 0.12 session setup */	3689	} else { /* old style NTLM 0.12 session setup */
3689	SMBNTencrypt(pSesInfo->password, pSesInfo->server->cryptKey,	3690	SMBNTencrypt(pSesInfo->password, server->cryptKey,
3690	ntlm_session_key);	3691	ntlm_session_key);
3691		3692
3692	if (first_time)	3693	if (first_time)
3693	cifs_calculate_mac_key(	3694	cifs_calculate_mac_key(&server->mac_signing_key,
3694	&pSesInfo->server->mac_signing_key,	3695	ntlm_session_key,
3695	ntlm_session_key, pSesInfo->password);	3696	pSesInfo->password);
3696		3697
3697	rc = CIFSSessSetup(xid, pSesInfo, ntlm_session_key, nls_info);	3698	rc = CIFSSessSetup(xid, pSesInfo, ntlm_session_key, nls_info);
3698	}	3699	}


diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c index 848286861c31..9c548f110102 100644 --- a/fs/cifs/inode.c +++ b/fs/cifs/inode.c
@@ -546,7 +546,8 @@ int cifs_get_inode_info(struct inode **pinode,
546	if ((inode->i_mode & S_IWUGO) == 0 &&	546	if ((inode->i_mode & S_IWUGO) == 0 &&
547	(attr & ATTR_READONLY) == 0)	547	(attr & ATTR_READONLY) == 0)
548	inode->i_mode \|= (S_IWUGO & default_mode);	548	inode->i_mode \|= (S_IWUGO & default_mode);
549	inode->i_mode &= ~S_IFMT;	549
		550	inode->i_mode &= ~S_IFMT;
550	}	551	}
551	/* clear write bits if ATTR_READONLY is set */	552	/* clear write bits if ATTR_READONLY is set */
552	if (attr & ATTR_READONLY)	553	if (attr & ATTR_READONLY)


diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c index ed150efbe27c..b537fad3bf50 100644 --- a/fs/cifs/sess.c +++ b/fs/cifs/sess.c
@@ -505,7 +505,7 @@ CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses, int first_time,
505	unicode_ssetup_strings(&bcc_ptr, ses, nls_cp);	505	unicode_ssetup_strings(&bcc_ptr, ses, nls_cp);
506	} else	506	} else
507	ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);	507	ascii_ssetup_strings(&bcc_ptr, ses, nls_cp);
508	} else if (type == Kerberos) {	508	} else if (type == Kerberos \|\| type == MSKerberos) {
509	#ifdef CONFIG_CIFS_UPCALL	509	#ifdef CONFIG_CIFS_UPCALL
510	struct cifs_spnego_msg *msg;	510	struct cifs_spnego_msg *msg;
511	spnego_key = cifs_get_spnego_key(ses);	511	spnego_key = cifs_get_spnego_key(ses);
@@ -516,6 +516,15 @@ CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses, int first_time,
516	}	516	}
517		517
518	msg = spnego_key->payload.data;	518	msg = spnego_key->payload.data;
		519	/* check version field to make sure that cifs.upcall is
		520	sending us a response in an expected form */
		521	if (msg->version != CIFS_SPNEGO_UPCALL_VERSION) {
		522	cERROR(1, ("incorrect version of cifs.upcall (expected"
		523	" %d but got %d)",
		524	CIFS_SPNEGO_UPCALL_VERSION, msg->version));
		525	rc = -EKEYREJECTED;
		526	goto ssetup_exit;
		527	}
519	/* bail out if key is too long */	528	/* bail out if key is too long */
520	if (msg->sesskey_len >	529	if (msg->sesskey_len >
521	sizeof(ses->server->mac_signing_key.data.krb5)) {	530	sizeof(ses->server->mac_signing_key.data.krb5)) {