[linux-cifs-client] Is NTLMv2 really supported?
Derek Piper
dcpiper at indiana.edu
Tue May 23 14:51:33 GMT 2006
Hi,
I've been trying to get CIFS 1.42b working with a Windows share that
will only authenticate via NTLMv2. In looking at the debug data (cifsFYI
set to 3) I see that it was not calling the
CIFSNTLMSSPNegotiateSessSetup() function. I saw that I had to also
enable 'ExtendedSecurity'. When doing that, it says the 'operation is
not supported'.
Despite it saying in the CHANGES file that NTLMv2 is supported, it is
clear that it is not. This section from line 467 of cifssmb.c just leads
to a dead-end that will never work: since decode_negTokenInit() always
returns 1, we will always get the 'operation not supported' error for
extended security, which is required to authenticate with NTLMv2.
cifssmb.c;467:
    rc = decode_negTokenInit(pSMBr->u.extended_response.SecurityBlob,
                             count - 16,
                             &server->secType);
    if(rc == 1) {
        /* BB Need to fill struct for sessetup here */
        rc = -EOPNOTSUPP;
    } else {
        rc = -EINVAL;
    }
So, it doesn't look like the code is even written yet to handle that,
judging by the comment? I'm just trying to understand if it really
is or isn't enabled so we can take that information under advisement
when talking with our network admins that have implemented this
site-wide policy.
Below are the relevant /proc entries, a log with ExtendedSecurity set
to zero (then looking through the code I was able to see that the flag
is required to get to the NTLMv2 setup), and again with the
ExtendedSecurity enabled and thus the 'operation not supported' error.
Is it likely this will be supported in the near future?
Thanks,
Derek
::::::::::::::
/proc/fs/cifs/DebugData
::::::::::::::
Display Internal CIFS Data Structures for Debugging
---------------------------------------------------
CIFS Version 1.42
Active VFS Requests: 0
Servers:
Shares:
::::::::::::::
/proc/fs/cifs/Experimental
::::::::::::::
1
::::::::::::::
/proc/fs/cifs/ExtendedSecurity
::::::::::::::
0
::::::::::::::
/proc/fs/cifs/LinuxExtensionsEnabled
::::::::::::::
1
::::::::::::::
/proc/fs/cifs/LookupCacheEnabled
::::::::::::::
1
::::::::::::::
/proc/fs/cifs/MultiuserMount
::::::::::::::
0
::::::::::::::
/proc/fs/cifs/NTLMV2Enabled
::::::::::::::
1
::::::::::::::
/proc/fs/cifs/OplockEnabled
::::::::::::::
1
::::::::::::::
/proc/fs/cifs/PacketSigningEnabled
::::::::::::::
1
::::::::::::::
/proc/fs/cifs/Stats
::::::::::::::
Resources in use
CIFS Session: 0
Share (unique mount targets): 0
SMB Request/Response Buffer: 0 Pool size: 4
SMB Small Req/Resp Buffer: 0 Pool size: 30
Total Large 41 Small 36 Allocations
Operations (MIDs): 0
4 session 1 share reconnects
Total vfs operations: 15 maximum at one time: 1
::::::::::::::
/proc/fs/cifs/cifsFYI
::::::::::::::
3
::::::::::::::
/proc/fs/cifs/traceSMB
::::::::::::::
0
With /proc/fs/cifs/ExtendedSecurity set to 0:
mount error 13 = Permission denied
May 23 10:19:41 dcpiper kernel: fs/cifs/cifsfs.c: Devname:
//156.56.93.9/C$ flags: 64
May 23 10:19:41 dcpiper kernel: fs/cifs/connect.c: CIFS VFS: in
cifs_mount as Xid: 12 with uid: 0
May 23 10:19:41 dcpiper kernel: fs/cifs/connect.c: Domain name set
May 23 10:19:41 dcpiper kernel: fs/cifs/connect.c: Username: dcpiper
May 23 10:19:41 dcpiper kernel: fs/cifs/connect.c: UNC:
\\156.56.93.9\C$ ip: 156.56.93.9
May 23 10:19:41 dcpiper kernel: fs/cifs/connect.c: Socket created
May 23 10:19:41 dcpiper kernel: fs/cifs/connect.c: sndbuf 16384 rcvbuf
87380 rcvtimeo 0x7fffffff
May 23 10:19:41 dcpiper kernel: fs/cifs/connect.c: Demultiplex PID: 26001
May 23 10:19:41 dcpiper kernel: fs/cifs/connect.c: Existing smb sess
not found
May 23 10:19:41 dcpiper kernel: fs/cifs/transport.c: For smb_command 114
May 23 10:19:41 dcpiper kernel: fs/cifs/transport.c: Sending smb of
length 47
May 23 10:19:41 dcpiper kernel: fs/cifs/connect.c: rfc1002 length 0x6b)
May 23 10:19:41 dcpiper kernel: fs/cifs/connect.c: Security Mode: 0x3
Capabilities: 0xe3fd Time Zone: 240
May 23 10:19:41 dcpiper kernel: fs/cifs/connect.c: In sesssetup
May 23 10:19:41 dcpiper kernel: fs/cifs/transport.c: For smb_command 115
May 23 10:19:41 dcpiper kernel: fs/cifs/transport.c: Sending smb of
length 234
May 23 10:19:41 dcpiper kernel: fs/cifs/connect.c: rfc1002 length 0x27)
May 23 10:19:41 dcpiper kernel: Status code returned 0xc000006d
NT_STATUS_LOGON_FAILURE
May 23 10:19:41 dcpiper kernel: fs/cifs/netmisc.c: !!Mapping smb error
code 5to POSIX err -13 !!
May 23 10:19:41 dcpiper kernel: CIFS VFS: Send error in SessSetup = -13
May 23 10:19:41 dcpiper kernel: fs/cifs/connect.c: No session or bad tcon
May 23 10:19:41 dcpiper kernel: fs/cifs/connect.c: CIFS VFS: leaving
cifs_mount (xid = 12) rc = -13
May 23 10:19:41 dcpiper kernel: CIFS VFS: cifs_mount failed w/return
code = -13
With /proc/fs/cifs/ExtendedSecurity set to 1:
mount error 95 = Operation not supported
May 23 10:13:39 dcpiper kernel: fs/cifs/cifsfs.c: Devname:
//156.56.93.9/C$ flags: 64
May 23 10:13:39 dcpiper kernel: fs/cifs/connect.c: CIFS VFS: in
cifs_mount as Xid: 11 with uid: 0
May 23 10:13:39 dcpiper kernel: fs/cifs/connect.c: Domain name set
May 23 10:13:39 dcpiper kernel: fs/cifs/connect.c: Username: dcpiper
May 23 10:13:39 dcpiper kernel: fs/cifs/connect.c: UNC:
\\156.56.93.9\C$ ip: 156.56.93.9
May 23 10:13:39 dcpiper kernel: fs/cifs/connect.c: Socket created
May 23 10:13:39 dcpiper kernel: fs/cifs/connect.c: sndbuf 16384 rcvbuf
87380 rcvtimeo 0x7fffffff
May 23 10:13:39 dcpiper kernel: fs/cifs/connect.c: Demultiplex PID: 25914
May 23 10:13:39 dcpiper kernel: fs/cifs/connect.c: Existing smb sess
not found
May 23 10:13:39 dcpiper kernel: fs/cifs/transport.c: For smb_command 114
May 23 10:13:39 dcpiper kernel: fs/cifs/transport.c: Sending smb of
length 47
May 23 10:13:39 dcpiper kernel: fs/cifs/connect.c: rfc1002 length 0xb5)
May 23 10:13:39 dcpiper kernel: fs/cifs/asn1.c: OID len = 7 oid = 0x1
0x2 0x348 0xbb92
May 23 10:13:39 dcpiper kernel: fs/cifs/asn1.c: OID len = 7 oid = 0x1
0x2 0x348 0x1bb92
May 23 10:13:39 dcpiper kernel: fs/cifs/asn1.c: OID len = 8 oid = 0x1
0x2 0x348 0x1bb92
May 23 10:13:39 dcpiper kernel: fs/cifs/asn1.c: OID len = 10 oid = 0x1
0x3 0x60x1
May 23 10:13:39 dcpiper kernel: fs/cifs/asn1.c: Need to call
asn1_octets_decode() function for this info-iri$@ADS.IU.EDU
May 23 10:13:39 dcpiper kernel: fs/cifs/connect.c: No session or bad tcon
May 23 10:13:39 dcpiper kernel: fs/cifs/connect.c: CIFS VFS: leaving
cifs_mount (xid = 11) rc = -95
May 23 10:13:39 dcpiper kernel: CIFS VFS: cifs_mount failed w/return
code = -95
--
Derek Piper - dcpiper at indiana.edu - (812) 856 0111
IRI 323, School of Informatics
Indiana University, Bloomington, Indiana
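
The fs/cifs/asn1.c lines in the second log print an arc count and the first four arcs (in hex) of each mechanism OID in the server's negTokenInit. As an added example (not part of the original post and not the kernel's asn1.c), the sketch below decodes DER OID content octets and names the mechanism, which shows that the 7-arc entries are the Kerberos OIDs and the 10-arc entry is NTLMSSP. The function names oid_decode and mech_classify and the byte strings are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define MAX_ARCS 16
enum mech { MECH_UNKNOWN, MECH_MSKRB5, MECH_KRB5, MECH_NTLMSSP };
/* Decode the content octets of a DER OBJECT IDENTIFIER into arcs.
 * Returns the arc count, or -1 if the encoding is malformed or too long. */
int oid_decode(const unsigned char *p, size_t len, unsigned long *arcs)
{
    unsigned long v = 0;
    int n = 0;
    if (len == 0 || (p[len - 1] & 0x80))
        return -1;                      /* empty, or final arc truncated */
    for (size_t i = 0; i < len; i++) {
        if (v > (~0UL >> 7) || n + 2 > MAX_ARCS)
            return -1;                  /* arc overflow or too many arcs */
        v = (v << 7) | (p[i] & 0x7f);   /* base-128, high bit means "more" */
        if (p[i] & 0x80)
            continue;
        if (n == 0) {                   /* first group packs two arcs */
            arcs[n++] = v < 80 ? v / 40 : 2;
            arcs[n++] = v < 80 ? v % 40 : v - 80;
        } else {
            arcs[n++] = v;
        }
        v = 0;
    }
    return n;
}

/* Map decoded arcs to the SPNEGO mechanisms seen in the log above. */
enum mech mech_classify(const unsigned long *a, int n)
{
    static const unsigned long mskrb5[] = {1, 2, 840, 48018, 1, 2, 2};
    static const unsigned long krb5[] = {1, 2, 840, 113554, 1, 2, 2};
    static const unsigned long ntlm[] = {1, 3, 6, 1, 4, 1, 311, 2, 2, 10};
    if (n == 7 && !memcmp(a, mskrb5, sizeof mskrb5)) return MECH_MSKRB5;
    if (n == 7 && !memcmp(a, krb5, sizeof krb5)) return MECH_KRB5;
    if (n == 10 && !memcmp(a, ntlm, sizeof ntlm)) return MECH_NTLMSSP;
    return MECH_UNKNOWN;
}

int main(void)
{   /* Constructed sample: content octets of the NTLMSSP OID. */
    static const unsigned char s[] = {0x2b, 6, 1, 4, 1, 0x82, 0x37, 2, 2, 10};
    unsigned long arcs[MAX_ARCS];
    int n = oid_decode(s, sizeof s, arcs);
    printf("arcs=%d mech=%d\n", n, mech_classify(arcs, n));
    return 0;
}
```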