[linux-cifs-client] Is NTLMv2 really supported?

Derek Piper dcpiper at indiana.edu
Tue May 23 14:51:33 GMT 2006


	Hi,

	I've been trying to get CIFS 1.42b working with a Windows share that 
will only authenticate via NTLMv2. In looking at the debug data (cifsFYI 
set to 3) I see that it was not calling the
CIFSNTLMSSPNegotiateSessSetup() function. I saw that I had to also 
enable 'ExtendedSecurity'. When doing that, it says the 'operation is 
not supported'.
	Despite it saying in the CHANGES file that NTLMv2 is supported, it is 
clear that it is not. This section from line 467 of cifssmb.c just leads 
to a dead-end that will never work. Since decode_negTokenInit() always 
returns 1, we will always get the 'operation not supported' error for 
extended security, which is required to authenticate with NTLMv2.

cifssmb.c;467:

	rc = decode_negTokenInit(pSMBr->u.
					extended_response.
					SecurityBlob,
					count - 16,
					&server->secType);
	if(rc == 1) {
	/* BB Need to fill struct for sessetup here */
		rc = -EOPNOTSUPP;
	} else {
		rc = -EINVAL;
	}

So, it doesn't look like the code is even written yet to handle 
that, judging by the comment? I'm just trying to understand if it really 
is or isn't enabled so we can take that information under advisement 
when talking with our network admins that have implemented this 
site-wide policy.
	Below are the relevant /proc entries, a log with ExtendedSecurity set 
to zero (then looking through the code I was able to see that the flag 
is required to get to the NTLMv2 setup), and again with the 
ExtendedSecurity enabled and thus the 'operation not supported' error.
	Is it likely this will be supported in the near future?

	Thanks,

	Derek

::::::::::::::
/proc/fs/cifs/DebugData
::::::::::::::
Display Internal CIFS Data Structures for Debugging
---------------------------------------------------
CIFS Version 1.42
Active VFS Requests: 0
Servers:
Shares:
::::::::::::::
/proc/fs/cifs/Experimental
::::::::::::::
1
::::::::::::::
/proc/fs/cifs/ExtendedSecurity
::::::::::::::
0
::::::::::::::
/proc/fs/cifs/LinuxExtensionsEnabled
::::::::::::::
1
::::::::::::::
/proc/fs/cifs/LookupCacheEnabled
::::::::::::::
1
::::::::::::::
/proc/fs/cifs/MultiuserMount
::::::::::::::
0
::::::::::::::
/proc/fs/cifs/NTLMV2Enabled
::::::::::::::
1
::::::::::::::
/proc/fs/cifs/OplockEnabled
::::::::::::::
1
::::::::::::::
/proc/fs/cifs/PacketSigningEnabled
::::::::::::::
1
::::::::::::::
/proc/fs/cifs/Stats
::::::::::::::
Resources in use
CIFS Session: 0
Share (unique mount targets): 0
SMB Request/Response Buffer: 0 Pool size: 4
SMB Small Req/Resp Buffer: 0 Pool size: 30
Total Large 41 Small 36 Allocations
Operations (MIDs): 0

4 session 1 share reconnects
Total vfs operations: 15 maximum at one time: 1

::::::::::::::
/proc/fs/cifs/cifsFYI
::::::::::::::
3
::::::::::::::
/proc/fs/cifs/traceSMB
::::::::::::::
0


With /proc/fs/cifs/ExtendedSecurity set to 0:

mount error 13 = Permission denied

May 23 10:19:41 dcpiper kernel:  fs/cifs/cifsfs.c: Devname: 
//156.56.93.9/C$ flags: 64
May 23 10:19:41 dcpiper kernel:  fs/cifs/connect.c: CIFS VFS: in 
cifs_mount as Xid: 12 with uid: 0
May 23 10:19:41 dcpiper kernel:  fs/cifs/connect.c: Domain name set
May 23 10:19:41 dcpiper kernel:  fs/cifs/connect.c: Username: dcpiper
May 23 10:19:41 dcpiper kernel:  fs/cifs/connect.c: UNC: 
\\156.56.93.9\C$ ip: 156.56.93.9
May 23 10:19:41 dcpiper kernel:  fs/cifs/connect.c: Socket created
May 23 10:19:41 dcpiper kernel:  fs/cifs/connect.c: sndbuf 16384 rcvbuf 
87380 rcvtimeo 0x7fffffff
May 23 10:19:41 dcpiper kernel:  fs/cifs/connect.c: Demultiplex PID: 26001
May 23 10:19:41 dcpiper kernel:  fs/cifs/connect.c: Existing smb sess 
not found
May 23 10:19:41 dcpiper kernel:  fs/cifs/transport.c: For smb_command 114
May 23 10:19:41 dcpiper kernel:  fs/cifs/transport.c: Sending smb of 
length 47
May 23 10:19:41 dcpiper kernel:  fs/cifs/connect.c: rfc1002 length 0x6b)
May 23 10:19:41 dcpiper kernel:  fs/cifs/connect.c: Security Mode: 0x3 
Capabilities: 0xe3fd Time Zone: 240
May 23 10:19:41 dcpiper kernel:  fs/cifs/connect.c: In sesssetup
May 23 10:19:41 dcpiper kernel:  fs/cifs/transport.c: For smb_command 115
May 23 10:19:41 dcpiper kernel:  fs/cifs/transport.c: Sending smb of 
length 234
May 23 10:19:41 dcpiper kernel:  fs/cifs/connect.c: rfc1002 length 0x27)
May 23 10:19:41 dcpiper kernel: Status code returned 0xc000006d 
NT_STATUS_LOGON_FAILURE
May 23 10:19:41 dcpiper kernel:  fs/cifs/netmisc.c:  !!Mapping smb error 
code 5to POSIX err -13 !!
May 23 10:19:41 dcpiper kernel:  CIFS VFS: Send error in SessSetup = -13
May 23 10:19:41 dcpiper kernel:  fs/cifs/connect.c: No session or bad tcon
May 23 10:19:41 dcpiper kernel:  fs/cifs/connect.c: CIFS VFS: leaving 
cifs_mount (xid = 12) rc = -13
May 23 10:19:41 dcpiper kernel:  CIFS VFS: cifs_mount failed w/return 
code = -13




With /proc/fs/cifs/ExtendedSecurity set to 1:

mount error 95 = Operation not supported

May 23 10:13:39 dcpiper kernel:  fs/cifs/cifsfs.c: Devname: 
//156.56.93.9/C$ flags: 64
May 23 10:13:39 dcpiper kernel:  fs/cifs/connect.c: CIFS VFS: in 
cifs_mount as Xid: 11 with uid: 0
May 23 10:13:39 dcpiper kernel:  fs/cifs/connect.c: Domain name set
May 23 10:13:39 dcpiper kernel:  fs/cifs/connect.c: Username: dcpiper
May 23 10:13:39 dcpiper kernel:  fs/cifs/connect.c: UNC: 
\\156.56.93.9\C$ ip: 156.56.93.9
May 23 10:13:39 dcpiper kernel:  fs/cifs/connect.c: Socket created
May 23 10:13:39 dcpiper kernel:  fs/cifs/connect.c: sndbuf 16384 rcvbuf 
87380 rcvtimeo 0x7fffffff
May 23 10:13:39 dcpiper kernel:  fs/cifs/connect.c: Demultiplex PID: 25914
May 23 10:13:39 dcpiper kernel:  fs/cifs/connect.c: Existing smb sess 
not found
May 23 10:13:39 dcpiper kernel:  fs/cifs/transport.c: For smb_command 114
May 23 10:13:39 dcpiper kernel:  fs/cifs/transport.c: Sending smb of 
length 47
May 23 10:13:39 dcpiper kernel:  fs/cifs/connect.c: rfc1002 length 0xb5)
May 23 10:13:39 dcpiper kernel:  fs/cifs/asn1.c: OID len = 7 oid = 0x1 
0x2 0x348 0xbb92
May 23 10:13:39 dcpiper kernel:  fs/cifs/asn1.c: OID len = 7 oid = 0x1 
0x2 0x348 0x1bb92
May 23 10:13:39 dcpiper kernel:  fs/cifs/asn1.c: OID len = 8 oid = 0x1 
0x2 0x348 0x1bb92
May 23 10:13:39 dcpiper kernel:  fs/cifs/asn1.c: OID len = 10 oid = 0x1 
0x3 0x60x1
May 23 10:13:39 dcpiper kernel:  fs/cifs/asn1.c: Need to call 
asn1_octets_decode() function for this info-iri$@ADS.IU.EDU
May 23 10:13:39 dcpiper kernel:  fs/cifs/connect.c: No session or bad tcon
May 23 10:13:39 dcpiper kernel:  fs/cifs/connect.c: CIFS VFS: leaving 
cifs_mount (xid = 11) rc = -95
May 23 10:13:39 dcpiper kernel:  CIFS VFS: cifs_mount failed w/return 
code = -95

-- 
Derek Piper - dcpiper at indiana.edu - (812) 856 0111
IRI 323, School of Informatics
Indiana University, Bloomington, Indiana
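
The fs/cifs/asn1.c lines in the second log show only the first four arcs of each mechanism OID the server listed in its SPNEGO negTokenInit, so they do not say directly whether NTLMSSP was offered. The following is an added example, not part of the original post and not the CIFS module's code: a stand-alone decoder for DER OID content octets that names the four mechanisms matching those log lines. The function names `oid_decode` and `mech_name` are hypothetical, and the byte arrays are constructed from the standard OID values rather than captured from this server.

```c
#include <stdio.h>
#include <string.h>
#define MAX_ARCS 16

/* Decode DER OBJECT IDENTIFIER content octets into arcs.
 * Returns the arc count, or -1 if empty, truncated, overflowing or too long. */
int oid_decode(const unsigned char *der, size_t len, unsigned long *out)
{
    int n = 0;
    for (size_t i = 0; i < len; ) {
        unsigned long v = 0;
        do {                        /* base-128 digits, high bit = more octets */
            if (i == len || v > (0xfffffffful >> 7) || n == MAX_ARCS)
                return -1;
            v = (v << 7) | (der[i] & 0x7f);
        } while (der[i++] & 0x80);
        if (n == 0) {               /* first value packs two arcs: 40*X + Y */
            out[n++] = v < 80 ? v / 40 : 2;
            v -= 40 * out[0];
        }
        out[n++] = v;
    }
    return n ? n : -1;
}

/* Mechanism OIDs whose length and leading arcs match the four log lines. */
static const struct { const char *name; int n; unsigned long arcs[10]; } mechs[] = {
    { "MS-KRB5",   7, {1, 2, 840, 48018, 1, 2, 2} },
    { "KRB5",      7, {1, 2, 840, 113554, 1, 2, 2} },
    { "KRB5-U2U",  8, {1, 2, 840, 113554, 1, 2, 2, 3} },
    { "NTLMSSP",  10, {1, 3, 6, 1, 4, 1, 311, 2, 2, 10} },
};
/* Constructed samples: DER content octets of two of those OIDs. */
static const unsigned char ms_krb5[] = {0x2a,0x86,0x48,0x82,0xf7,0x12,1,2,2};
static const unsigned char ntlmssp[] = {0x2b,6,1,4,1,0x82,0x37,2,2,10};

const char *mech_name(const unsigned char *der, size_t len)
{
    unsigned long arcs[MAX_ARCS];
    int n = oid_decode(der, len, arcs);
    for (size_t m = 0; n > 0 && m < sizeof mechs / sizeof mechs[0]; m++)
        if (n == mechs[m].n && !memcmp(arcs, mechs[m].arcs, n * sizeof arcs[0]))
            return mechs[m].name;
    return n < 0 ? "malformed" : "unknown";
}

int main(void)
{
    puts(mech_name(ms_krb5, sizeof ms_krb5));
    puts(mech_name(ntlmssp, sizeof ntlmssp));
    return 0;
}
```

Read against the log, 0x348 is 840, 0xbb92 is 48018 and 0x1bb92 is 113554, so the first three entries are Kerberos variants and the 10-arc entry beginning 1.3.6.1 has the length and prefix of NTLMSSP.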

