<br><br><div class="gmail_quote">On Sat, Apr 24, 2010 at 6:57 AM, Jeff Layton <span dir="ltr"><<a href="mailto:jlayton@redhat.com">jlayton@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Allow secType to be set on a per-session basis. This allows us to mix<br>
secTypes on a single socket. Also, add a "sign" bool to cifsSesInfo<br>
and determine whether signing should be enabled at session setup<br>
time.<br>
<br>
enum securityEnum {<br>
- PLAINTXT = 0, /* Legacy with Plaintext passwords */<br>
+ Undefined = 0, /* Uninitialized */<br>
+ Anonymous, /* Anonymous login */<br>
+ Plaintext, /* Legacy with plaintext passwords */<br>
LANMAN, /* Legacy LANMAN auth */<br>
NTLM, /* Legacy NTLM012 auth with NTLM hash */<br>
NTLMv2, /* Legacy NTLM auth with NTLMv2 hash */<br>
- RawNTLMSSP, /* NTLMSSP without SPNEGO, NTLMv2 hash */<br>
-/* NTLMSSP, */ /* can use rawNTLMSSP instead of NTLMSSP via SPNEGO */<br>
+ NTLMSSP, /* NTLMSSP, NTLMv1 hash */<br>
Kerberos, /* Kerberos via SPNEGO */<br>
};<br>
<br></blockquote><div><br>I like how this adds anonymous, and starts that with 1 rather than 0 - makes sense.<br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
@@ -978,42 +978,39 @@ cifs_parse_mount_options(char *options, const char *devname,<br>
cERROR(1, "no security value specified");<br>
continue;<br>
} else if (strnicmp(value, "krb5i", 5) == 0) {<br>
- vol->secFlg |= CIFSSEC_MAY_KRB5 |<br>
- CIFSSEC_MUST_SIGN;<br>
+ vol->sectype = Kerberos;<br>
+ vol->sign = true;<br>
} else if (strnicmp(value, "krb5p", 5) == 0) {<br>
- /* vol->secFlg |= CIFSSEC_MUST_SEAL |<br>
- CIFSSEC_MAY_KRB5; */<br>
cERROR(1, "Krb5 cifs privacy not supported");<br>
return 1;<br>
} else if (strnicmp(value, "krb5", 4) == 0) {<br>
- vol->secFlg |= CIFSSEC_MAY_KRB5;<br>
+ vol->sectype = Kerberos;<br></blockquote><br></div><br>Doesn't this change behavior a lot - user can no longer pass in a list of more than one acceptable security options as before (e.g. sec=krb5, sec=ntlmv2i)<br>
and can only specify one (but doesn't know ahead of time which the server supports).<br><br>Also curious if it changed how plaintext was handled (if built with weak password support allowed, which I don't want to encourage) - IIRC we sent this via the older (LANMAN only) style session setup.<br>
<br clear="all"><br>-- <br>Thanks,<br><br>Steve<br>
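<br>Review bot: in the enum securityEnum hunk, the comment on the added NTLMSSP entry reads "NTLMv1 hash", while the removed RawNTLMSSP entry it stands in for read "NTLMv2 hash"; please confirm which hash the new value implies and correct the comment if this is a typo. Inserting Undefined and Anonymous ahead of Plaintext also moves every later enumerator up by two (LANMAN goes from 1 to 3) and drops the names PLAINTXT and RawNTLMSSP, so the commit message should state that nothing stores or compares the old numeric values.<br>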
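<br>Review bot: in the cifs_parse_mount_options hunk, the krb5 branch assigns only vol->sectype and leaves vol->sign untouched, while the krb5i branch sets both, so now that the |= accumulation into secFlg is replaced by plain assignment, the result of a repeated sec= option depends on order (if sec=krb5i is followed by sec=krb5, sign stays set). Suggest assigning vol->sign explicitly in every branch or rejecting a second sec= value, and documenting in the commit message that sec= now takes exactly one mechanism.<br>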