[linux-cifs-client] Re: Linux CIFS client with Samba 2.0.x or 2.2.x
?
Steven French
sfrench at us.ibm.com
Mon May 17 16:16:56 GMT 2004
> So my question is, should I expect the Linux CIFS client to work with
> Samba 2.0.x or 2.2.x?
I have not tested with Samba 2.0.x so can not speculate on whether it
would work, but the error that you mention
> [2004/05/15 17:45:46, 0] smbd/nttrans.c:map_share_mode(443)
> map_share_mode: Incorrect value 80000000 for desired_access to file
\path\to\file
refers to an important flag which Samba now supports, but apparently did
not that long ago, but may be easy enough for the cifs client to retry
using different desired_access. I would be much more concerned about
problems with Samba 2.2, which is more commonly deployed, and which I used
to test the cifs client with extensively, but I think that the example
that you are using may be a security restriction that is better to leave
the way it is (and should not affect Samba servers in non-passthrough
mode).
> server is configured with "security = server" and "password server =
> MYPDC". If I increase the debug level on the server, I can see that
> it logs these messages:
>
> connected to password server MYPDC
> ...
> password server MYPDC rejected the password
A likely cause for this is that the cifs client does not send the older
insecure "lanman hash" of the password (sometimes referred to as ASCII
password), although I used to have the code for that present in
fs/cifs/connect.c but ifdef out (for those who really wanted to reenable
it, they could). It looks like for passthrough mode (when a password
server is configured) in older Samba, Samba may require (or at least in
some cases requires) that the client send at least the insecure password
hash which I don't think is worth the security risk. smbfs usually will
work mostly for these backlevel cases since it sends both the insecure and
slightly more secure NTLM password hashes. I am uncomfortable with
sending such an insecure password hash on the cifs client since they can
be broken so quickly with modern computers. I am not 100% certain that
the older Samba always requires the lanman password hash when configured
that way, but I have had two or three reports that lead me to that
conclusion.
Steve French
Senior Software Engineer
Linux Technology Center - IBM Austin
phone: 512-838-2294
email: sfrench at-sign us dot ibm dot com
-------------- next part --------------
HTML attachment scrubbed and removed
More information about the linux-cifs-client
mailing list