[linux-cifs-client] Re: Query pertaining to PLAINTXT PASSWORD authentication

Joel Krajden joelk at encs.concordia.ca
Thu Nov 1 22:06:59 GMT 2007


Hi Steve,

We have just been sniffing the network to try and find out why the 
connection from the cifs.vfs client 1.49 will not succeed when 
communicating with our netapp filer or a current samba server when 
configured for plain text passwords.


In Windows (XP) when we send in plaintext the username and password are 
sent in unicode and the filer and samba server accept the connection.

In Linux if we tell the cifs client to use plaintext it sends username 
and password in ascii and the filer and samba refuse with permission denied.

The locale of the Linux client is set to utf-8 and setting the io 
charset to utf-8 still does not change the username/password string 
being sent to unicode.


The cifs client does claim it is using unicode and the filer or samba 
server do return the workgroup name in unicode to the client but 
username/password are sent in ascii.

Setting the samba server or filer to use encrypted passwords
works fine with the client set to 0x37 for security.

Joel




Steve French wrote:
>> I was trying the ubuntu 7.10 image (linux kernel 2.6.22). I am trying to
>> access the CIFS server (supporting plain text passwords) and somehow
>> always land up with :
>>
>>> [ 5274.003101]  CIFS VFS: Server requests plain text password but client support disabled
>>> [ 5274.004823]  CIFS VFS: Send error in SessSetup = -13
>>> [ 5274.133055]  CIFS VFS: cifs_mount failed w/return code = -13
> 
> Due to potential downgrade attacks (forcing plaintext across the wire),
> plaintext password support for cifs mounts requires both the build flag
> that you mention below and a change to the default security settings
> at runtime (/proc/fs/cifs/SecurityFlags) e.g. before you mount
>      "echo 0x37 > /proc/fs/cifs/SecurityFlags"
> This allows plaintext and lanman authentication. You can change the flags
> back right after the mount is complete.
> 
>> I enabled the CONFIG_CIFS_WEAK_PW_HASH flag in menuconfig for the cifs
>> client module, but see the above error. Is there a way to enable
>> plaintext authentication on the Linux kernel image I am using? I have
>> also seen discussions related to enabling plain text from
>> "echo 0x37> /proc/fs/cifs/ExtendedSecurity" and
>> "echo 39 > /proc/fs/cifs/SecurityFlags". I don't see the former file in my
>> proc directory and editing the latter one is not permitted.
> 
> The correct file name is "/proc/fs/cifs/SecurityFlags" and you should
> probably set it to 0x37
> or 0x27 (0x20 is plaintext, and 0x10 is LANMAN, 0x07 is the default
> allowing NTLM and NTLMv2).  If you set invalid flags you get an error
> back trying to write to that config file.
> 
> It would be great if someone wrote a little gui or cli program to configure the
> cifs proc settings (and another to dump information from /proc/fs/cifs)
> 
>> The mount command which I use is
>> sudo mount -o username=<userid>,password=<my password> //<ipaddress of
>> the server>/<my home directory on server> ./<local mount point>
>>
>> The error code sent by server is "STATUS_LOGON_FAILURE (0xc000006d)"
> 


-- 
| Joel Krajden           | Rm: EV-7105,  Tel: 514 848-2424 3052    |
| Senior Systems Analyst | Fax: 514 848-2830                       |
| Engineering &          | Email: joelk at encs.concordia.ca          |
| Computer Science       | www.encs.concordia.ca/~staffcs/joelk    |
| Concordia University   |  In a circus, the clowns are supposed   |
| Montreal, Canada       |  to make you laugh, not cry.            |

