CIFS: Fix SMB3 mount without specifying a security mechanism
diff mbox

Message ID 1492029127-4524-1-git-send-email-pshilov@microsoft.com
State New
Headers show

Commit Message

Pavel Shilovskiy April 12, 2017, 8:32 p.m. UTC
Commit ef65aaede23f ("smb2: Enforce sec= mount option") changed the
behavior of a mount command to enforce a specified security mechanism
during mounting. On another hand according to the spec if SMB3 server
doesn't respond with a security context it implies that it supports
NTLMSSP. The current code doesn't keep it in mind and fails a mount
for such servers if no security mechanism is specified. Fix this by
indicating that a server supports NTLMSSP if a security context isn't
returned during negotiate phase. This allows the code to use NTLMSSP
by default for SMB3 mounts.

Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
---
 fs/cifs/smb2pdu.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Comments

Steve French April 13, 2017, 3:06 p.m. UTC | #1
merged into cifs-2.6.git for-next

Let me know if missed any must fix ASAP patches that have to go in.

On Wed, Apr 12, 2017 at 3:32 PM, Pavel Shilovsky <pshilov@microsoft.com> wrote:
> Commit ef65aaede23f ("smb2: Enforce sec= mount option") changed the
> behavior of a mount command to enforce a specified security mechanism
> during mounting. On another hand according to the spec if SMB3 server
> doesn't respond with a security context it implies that it supports
> NTLMSSP. The current code doesn't keep it in mind and fails a mount
> for such servers if no security mechanism is specified. Fix this by
> indicating that a server supports NTLMSSP if a security context isn't
> returned during negotiate phase. This allows the code to use NTLMSSP
> by default for SMB3 mounts.
>
> Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
> ---
>  fs/cifs/smb2pdu.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
> index 1bd5d30..02da648 100644
> --- a/fs/cifs/smb2pdu.c
> +++ b/fs/cifs/smb2pdu.c
> @@ -562,8 +562,10 @@ SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses)
>          * but for time being this is our only auth choice so doesn't matter.
>          * We just found a server which sets blob length to zero expecting raw.
>          */
> -       if (blob_length == 0)
> +       if (blob_length == 0) {
>                 cifs_dbg(FYI, "missing security blob on negprot\n");
> +               server->sec_ntlmssp = true;
> +       }
>
>         rc = cifs_enable_signing(server, ses->sign);
>         if (rc)
> --
> 2.7.4
>

Patch
diff mbox

diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index 1bd5d30..02da648 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -562,8 +562,10 @@  SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses)
 	 * but for time being this is our only auth choice so doesn't matter.
 	 * We just found a server which sets blob length to zero expecting raw.
 	 */
-	if (blob_length == 0)
+	if (blob_length == 0) {
 		cifs_dbg(FYI, "missing security blob on negprot\n");
+		server->sec_ntlmssp = true;
+	}
 
 	rc = cifs_enable_signing(server, ses->sign);
 	if (rc)