[linux-cifs-client] Problems attempting to authenticate using NTLMv2 to cifs shares

Chris Shelton cshelton at indiana.edu
Wed Apr 12 21:35:08 GMT 2006


I am attempting to get NTLMv2 security working to map a number of cifs 
shares, primarily from windows 2003 and 2000 servers.  I have been 
successfully using the cifsvfs module for quite some time.  

Recently, I have been trying to verify that I can connect to a server using 
NTLMv2 authentication.  I have retrieved and installed the new cifs 
module version 1.42, per the instructions posted here:

http://lists.samba.org/archive/linux-cifs-client/2006-March/001226.html

I have successfully compiled and installed this module on a system 
running vanilla kernel versions 2.6.15 and 2.6.16.  The 1.42 version of
cifs works great when the older authentication methods are used.

I am a bit confused about whether or not NTLMv2 authentication is 
really supported.  The CHANGES file lists this under Version 1.41:

"Fix NTLMv2 security (can be enabled in /proc/fs/cifs) so customers 
can configure stronger authentication."

However, the README still states:

"NTLMv2 enablement will not work since its implementation is not quite 
complete yet."


I am using the following to mount my share:

mount -t cifs -o \
credentials=/etc/samba/credentials,domain=MSSGTEST,sec=ntlmv2,ip=129.79.25.132 \
//bl-fmop-hotdog/cshelton /mnt/hotdog

I have the following cifs related options set:

batboy2 init.d # more /proc/fs/cifs/*
::::::::::::::
/proc/fs/cifs/DebugData
::::::::::::::
Display Internal CIFS Data Structures for Debugging
---------------------------------------------------
CIFS Version 1.42
Active VFS Requests: 0
Servers:
Shares:
::::::::::::::
/proc/fs/cifs/Experimental
::::::::::::::
1
::::::::::::::
/proc/fs/cifs/ExtendedSecurity
::::::::::::::
0
::::::::::::::
/proc/fs/cifs/LinuxExtensionsEnabled
::::::::::::::
1
::::::::::::::
/proc/fs/cifs/LookupCacheEnabled
::::::::::::::
1
::::::::::::::
/proc/fs/cifs/MultiuserMount
::::::::::::::
0
::::::::::::::
/proc/fs/cifs/NTLMV2Enabled
::::::::::::::
1
::::::::::::::
/proc/fs/cifs/OplockEnabled
::::::::::::::
1
::::::::::::::
/proc/fs/cifs/PacketSigningEnabled
::::::::::::::
0
::::::::::::::
/proc/fs/cifs/Stats
::::::::::::::
Resources in use
CIFS Session: 0
Share (unique mount targets): 0
SMB Request/Response Buffer: 0 Pool size: 4
SMB Small Req/Resp Buffer: 0 Pool size: 30
Operations (MIDs): 0

0 session 0 share reconnects
Total vfs operations: 5 maximum at one time: 1
::::::::::::::
/proc/fs/cifs/cifsFYI
::::::::::::::
3
::::::::::::::
/proc/fs/cifs/traceSMB
::::::::::::::
0


When attempting to run the mount command, the following messages are 
sent to syslog:

Apr 12 16:23:41 batboy2 kernel:  /home/cshelton/src/cifs-1.42-scratch/fs/cifs/cifsfs.c: Devname: //bl-fmop-hotdog/cshelton flags: 64 
Apr 12 16:23:41 batboy2 kernel:  /home/cshelton/src/cifs-1.42-scratch/fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid: 4 with uid: 0
Apr 12 16:23:41 batboy2 kernel:  /home/cshelton/src/cifs-1.42-scratch/fs/cifs/connect.c: Domain name set
Apr 12 16:23:41 batboy2 kernel:  /home/cshelton/src/cifs-1.42-scratch/fs/cifs/connect.c: Username: cshelton 
Apr 12 16:23:41 batboy2 kernel:  /home/cshelton/src/cifs-1.42-scratch/fs/cifs/connect.c: UNC: \\bl-fmop-hotdog\cshelton ip: 129.79.25.132
Apr 12 16:23:41 batboy2 kernel:  /home/cshelton/src/cifs-1.42-scratch/fs/cifs/connect.c: Socket created 
Apr 12 16:23:41 batboy2 kernel:  /home/cshelton/src/cifs-1.42-scratch/fs/cifs/connect.c: sndbuf 16384 rcvbuf 87380 rcvtimeo 0x7fffffff 
Apr 12 16:23:41 batboy2 kernel:  /home/cshelton/src/cifs-1.42-scratch/fs/cifs/connect.c: Demultiplex PID: 10323
Apr 12 16:23:41 batboy2 kernel:  /home/cshelton/src/cifs-1.42-scratch/fs/cifs/connect.c: Existing smb sess not found 
Apr 12 16:23:41 batboy2 kernel:  /home/cshelton/src/cifs-1.42-scratch/fs/cifs/transport.c: For smb_command 114
Apr 12 16:23:41 batboy2 kernel:  /home/cshelton/src/cifs-1.42-scratch/fs/cifs/transport.c: Sending smb of length 47
Apr 12 16:23:41 batboy2 kernel:  /home/cshelton/src/cifs-1.42-scratch/fs/cifs/connect.c: rfc1002 length 0x63)
Apr 12 16:23:41 batboy2 kernel:  /home/cshelton/src/cifs-1.42-scratch/fs/cifs/connect.c: Security Mode: 0x3 Capabilities: 0xe3fd Time Zone: 240
Apr 12 16:23:41 batboy2 kernel:  /home/cshelton/src/cifs-1.42-scratch/fs/cifs/connect.c: In sesssetup
Apr 12 16:23:41 batboy2 kernel:  /home/cshelton/src/cifs-1.42-scratch/fs/cifs/transport.c: For smb_command 115
Apr 12 16:23:41 batboy2 kernel:  /home/cshelton/src/cifs-1.42-scratch/fs/cifs/transport.c: Sending smb of length 240
Apr 12 16:23:41 batboy2 kernel:  /home/cshelton/src/cifs-1.42-scratch/fs/cifs/connect.c: rfc1002 length 0x27)
Apr 12 16:23:41 batboy2 kernel: Status code returned 0xc000006d NT_STATUS_LOGON_FAILURE
Apr 12 16:23:41 batboy2 kernel:  /home/cshelton/src/cifs-1.42-scratch/fs/cifs/netmisc.c:  !!Mapping smb error code 5 to POSIX err -13 !!
Apr 12 16:23:41 batboy2 kernel:  CIFS VFS: Send error in SessSetup = -13
Apr 12 16:23:41 batboy2 kernel:  /home/cshelton/src/cifs-1.42-scratch/fs/cifs/connect.c: No session or bad tcon
Apr 12 16:23:41 batboy2 kernel:  /home/cshelton/src/cifs-1.42-scratch/fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 4) rc = -13
Apr 12 16:23:41 batboy2 kernel:  CIFS VFS: cifs_mount failed w/return code = -13


I am certain that the username and password included in the credentials
file are correct.  I have also tried specifying the user and pass in 
place of the credentials file.  I also tried connecting to 
\\129.79.25.132\cshelton to see if that made a difference, but no 
luck.

In looking through the source code for connect.c, I was expecting to see
a message in my log similar to:
"Can use more secure NTLM version 2 password hash"

However, that section of code doesn't seem to be executed at all.  Is
there something I'm missing to make this work?  

chris

-- 
Chris Shelton
Indiana University - Financial Management Services
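
Added example, not part of the original post or of the cifs source: a small triage script that decodes the key fields of a cifsFYI trace like the one above (SMB command numbers, the negotiated Security Mode bits, the NT status, the mount errno) and reports whether the NTLMv2 log message quoted in the post ever appears. The function names `triage` and `decode_security_mode` are hypothetical; the sample lines are abridged from the syslog excerpt in the post with source paths shortened.

```python
import errno
import re

# SMB1 negotiate response SecurityMode bits (CIFS protocol constants)
SECURITY_MODE_BITS = {
    0x01: "user-level security",
    0x02: "challenge/response (encrypted passwords)",
    0x04: "signing enabled",
    0x08: "signing required",
}
SMB_COMMANDS = {0x72: "SMB_COM_NEGOTIATE", 0x73: "SMB_COM_SESSION_SETUP_ANDX"}
NTLMV2_MARKER = "Can use more secure NTLM version 2 password hash"

# Sample input: abridged from the post's syslog excerpt (paths shortened)
SAMPLE = """\
Apr 12 16:23:41 batboy2 kernel:  fs/cifs/transport.c: For smb_command 114
Apr 12 16:23:41 batboy2 kernel:  fs/cifs/connect.c: Security Mode: 0x3 Capabilities: 0xe3fd Time Zone: 240
Apr 12 16:23:41 batboy2 kernel:  fs/cifs/transport.c: For smb_command 115
Apr 12 16:23:41 batboy2 kernel: Status code returned 0xc000006d NT_STATUS_LOGON_FAILURE
Apr 12 16:23:41 batboy2 kernel:  CIFS VFS: cifs_mount failed w/return code = -13
"""

def decode_security_mode(mode):
    """Return the names of the SecurityMode bits set in the negotiate reply."""
    return [name for bit, name in SECURITY_MODE_BITS.items() if mode & bit]

def triage(log_text):
    """Summarise one mount attempt from cifsFYI debug output."""
    report = {"commands": [], "security_mode": None, "status": None,
              "errno": None, "ntlmv2_path_logged": False}
    for line in log_text.splitlines():
        if m := re.search(r"For smb_command (\d+)", line):
            cmd = int(m.group(1))
            report["commands"].append(SMB_COMMANDS.get(cmd, hex(cmd)))
        elif m := re.search(r"Security Mode: (0x[0-9a-fA-F]+)", line):
            report["security_mode"] = decode_security_mode(int(m.group(1), 16))
        elif m := re.search(r"Status code returned (0x[0-9a-fA-F]+) (\S+)", line):
            report["status"] = (int(m.group(1), 16), m.group(2))
        elif m := re.search(r"cifs_mount failed w/return code = (-?\d+)", line):
            report["errno"] = errno.errorcode.get(-int(m.group(1)))
        elif NTLMV2_MARKER in line:
            report["ntlmv2_path_logged"] = True
    return report

if __name__ == "__main__":
    print(triage(SAMPLE))
```

For this sample the server's Security Mode 0x3 decodes to user-level security with challenge/response, the session setup is rejected with NT_STATUS_LOGON_FAILURE (EACCES), and `ntlmv2_path_logged` stays False because the NTLMv2 message never appears in the trace.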