[linux-cifs-client] Re: smbfs vs cifs with permissions

Steven French sfrench at us.ibm.com
Fri May 14 21:48:30 GMT 2004 

> I've looked at some tethereal traces when connecting with both cifs and 
> smbfs, and I have a theory:  when I connect with smbfs, and say 
> username=user/host, in the SMB session setup trace it has:
>                User: HOST\user
> however when I do the same with cifs, it has:
>                User: \host\user

The uppercase version would normally be the correct one - I normally 
expect the domain (or workgroup) to be specified in that field, but you 
are putting the server's hostname which is a little unusual but probably 
should work as long as there is a local Windows user defintion for "user" 
on that server system.   If there is no local definition for user on that 
server then this might result in checking for a trusted domain with that 
name so it is safer to not specify the domain name (or in your case 
servername) at all so null gets put in that field on the wire which is 
much safer - since that unambiguously asks the server to check its local 
user accounts repository to validate the user.

> Looking at the two traces, in the smbfs case the capabilities field has 
> fewer bits set, notably the unicode bit is clear. 

Yes - that is expected for this older version of the smbmount that you are 
using, which results in among other things the user and the domain being 
passed in Unicode (which is normally preferable).  I doubt that this is 
related to your problem. 

> The smbfs transmit both  an ANSI and UNICODE version of the password. By 
contrast 
> in the cifs case only a UNICODE password is transmitted.

That is an interesting point - this can break some passthrough security 
environments but is better to fail than send the weak lanman hashed 
challenge IMO.   The "ASCII version of the password" (actually the lanman 
hash of the challenge with the ASCII password) is very insecure with 
modern computers attacking it.   In the cifs vfs I had code that could 
send it originally but I disabled the code that computes and sends this 
since it is so easy to break.  Sending both - a weak and a stronger 
("Unicode" ie NTLM) password hash in the same request seems dangerous at 
best, so I only send the relatively stronger NTLM hash.   I consider this 
a security exposure in some clients (that they can easily expose such a 
weak password). 

Let me know if sending no domain (server) worked, and if the user is 
created as a local user in the target system.


Steve French
Senior Software Engineer
Linux Technology Center - IBM Austin
phone: 512-838-2294
email: sfrench at-sign us dot ibm dot com
-------------- next part --------------
HTML attachment scrubbed and removed

More information about the linux-cifs-client mailing list