[linux-cifs-client] Re: CaseInsensitivePassword
Steven French
sfrench at us.ibm.com
Tue Nov 30 00:38:33 GMT 2004
> smbfs sends CaseSensitive- and CaseInsensitivePassword
> (what Ethereal calls Unicode/ANSI passwords),
> while cifs-vfs only sends the latter.
That sounds backwards, but you may be close to what is related to your
issue.
See the piece of fs/cifs/connect.c below:

    pSMB->req_no_secext.CaseInsensitivePasswordLength = 0;
    pSMB->req_no_secext.CaseSensitivePasswordLength =
        cpu_to_le16(CIFS_SESSION_KEY_SIZE);

The "case insensitive password" is the old lanman password which is far too
insecure to send on the wire. The case sensitive password (NTLM
password) has various advantages and is far harder to break although still
not as good as the Kerberos tickets which we need to add support for in
cifs. The cifs vfs does not send the weak password, although multiple
clients (including smbfs's smbmnt/smbmount helpers and smbclient) can and
do send it by default (at least the option of not sending the lanman
password appears to be a configurable smb.conf option for smbfs's
smbmnt/smbmount etc. now - but I have not tested that).
So a theory is that your server's authentication configuration requires
weak lanman passwords to be enabled. cifs vfs does not send the weak
lanman passwords; smbfs and most Windows clients do send it by default, so
it works. My reaction is that the security problems of lanman hash
are severe enough to make it a bad idea to turn it on in the cifs vfs.
There are a few ways to test this theory (e.g. turning off lanman password
support in the Windows registry or smb.conf and seeing what happens).
Steve French
Senior Software Engineer
Linux Technology Center - IBM Austin
phone: 512-838-2294
email: sfrench at-sign us dot ibm dot com
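
To check the theory against a packet capture, the parser below (an added example, not code from this message or from cifs/smbfs) reads the two length fields of a 13-word Session Setup AndX request and reports which are populated. The function names, flag values and sample packets are constructed for illustration; a nonzero length shows only that a field is populated, not what kind of response it holds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SMB_HDR_LEN 32                      /* fixed SMB1 header size */
#define SMB_COM_SESSION_SETUP_ANDX 0x73
#define WORDS_LEN 26                        /* 13 parameter words */
#define FIXED_LEN (SMB_HDR_LEN + 1 + WORDS_LEN + 2) /* hdr, WordCount, words, ByteCount */
enum { PW_PARSE_ERROR = -1, PW_NONE = 0, PW_LANMAN = 1, PW_NTLM = 2 }; /* bit flags */

static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void put_le16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xff); p[1] = (uint8_t)(v >> 8); }

/* Which password fields does a 13-word (no extended security) request populate? */
int classify_session_setup(const uint8_t *buf, size_t len)
{
    if (len < FIXED_LEN || memcmp(buf, "\xffSMB", 4) != 0 ||
        buf[4] != SMB_COM_SESSION_SETUP_ANDX || buf[SMB_HDR_LEN] != 13)
        return PW_PARSE_ERROR;
    const uint8_t *words = buf + SMB_HDR_LEN + 1;
    uint16_t ci_len = get_le16(words + 14);  /* CaseInsensitivePasswordLength */
    uint16_t cs_len = get_le16(words + 16);  /* CaseSensitivePasswordLength */
    uint16_t byte_count = get_le16(words + WORDS_LEN);
    if ((size_t)ci_len + cs_len > byte_count || (size_t)FIXED_LEN + byte_count > len)
        return PW_PARSE_ERROR;               /* lengths overrun the data area */
    return (ci_len ? PW_LANMAN : 0) | (cs_len ? PW_NTLM : 0);
}

/* Build a constructed request: zero-filled responses, no account strings. */
size_t build_sample(uint8_t *out, size_t cap, uint16_t ci_len, uint16_t cs_len)
{
    size_t total = (size_t)FIXED_LEN + ci_len + cs_len;
    if (total > cap) return 0;
    memset(out, 0, total);
    memcpy(out, "\xffSMB", 4);
    out[4] = SMB_COM_SESSION_SETUP_ANDX; out[SMB_HDR_LEN] = 13;
    put_le16(out + SMB_HDR_LEN + 1 + 14, ci_len);
    put_le16(out + SMB_HDR_LEN + 1 + 16, cs_len);
    put_le16(out + SMB_HDR_LEN + 1 + WORDS_LEN, (uint16_t)(ci_len + cs_len));
    return total;
}

int main(void)
{
    uint8_t pkt[128];
    size_t n = build_sample(pkt, sizeof pkt, 24, 24); /* constructed: both fields set */
    printf("flags=%d\n", classify_session_setup(pkt, n)); /* 3 = LANMAN | NTLM */
    return 0;
}
```
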