[linux-cifs-client] Question on current state of sec=krb5* integration in cifs.ko

Q (Igor Mammedov) qwerty0987654321 at mail.ru
Fri Oct 23 10:00:59 MDT 2009


On Fri, Oct 23, 2009 at 6:19 PM, Jeff Layton <jlayton at redhat.com> wrote:
> On Fri, 23 Oct 2009 15:54:29 +0200
> Holger Rauch <holger.rauch at empic.de> wrote:
>
>> Hi Jeff,
>>
>> first of all, thanks for your quick reply.
>>
>> On Fri, 23 Oct 2009, Jeff Layton wrote:
>>
>> > On Fri, 23 Oct 2009 13:12:14 +0200
>> > Holger Rauch <holger.rauch at empic.de> wrote:
>> > > [...]
>> > > I just tried that. Mount options in /etc/fstab are
>> > >
>> > > noauto,sec=krb5i,iocharset=iso8859-15
>> > >
>> > > When I issue the mount cmd, it asks me for a password.
>> >
>> > That probably means that you have a fairly old mount.cifs program. The
>> > more recent ones don't prompt for a password when sec=krb5* is
>> > specified. Try adding the "guest" option which will disable password
>> > prompting.
>>
>> Ok, I tried that (debugging output included as well; interestingly
>> enough, "mount.cifs -V" only outputs the help message, even if
>> mount.cifs is called with an absolute path). This happened on a
>> Debian Lenny system having the shipped kernel version (uname -r):
>>
>> 2.6.26-2-686-bigmem
>>
>> Since "mount.cifs -V" didn't come up with version info, I used
>> "apt-cache show smbfs" ("smbfs" is the Debian package mount.cifs is
>> contained in). It has the same version as the other Samba packages
>> shipped with Debian: 3.2.5
>>
>> ==============
>>
>> pia:~# mount -t cifs //server/myuser
>> /cifs/user --verbose -o
>> sec=krb5i,user=myuser,guest,iocharset=iso8859-15
>> parsing options: rw,sec=krb5i,user=myuser,guest,iocharset=iso8859-15
>>
>> mount.cifs kernel mount options
>> unc=//server\myuser,ip=ww.xx.yy.zz,ver=1,rw,sec=krb5i,user=myuser,guest,iocharset=iso8859-15
>>
>> mount error 95 = Operation not supported
>> Refer to the mount.cifs(8) manual page (e.g.man mount.cifs)
>> pia:~# dmesg
>> [8046556.840192]  fs/cifs/cifsfs.c: Devname:
>> //prag-old.er.heitec.net/hrauch flags: 64
>> [8046556.847954]  fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid:
>> 15 with uid: 0
>> [8046556.895920]  fs/cifs/connect.c: iocharset set to iso8859-15
>> [8046556.903932]  fs/cifs/connect.c: Username: myuser
>> [8046556.911928]  fs/cifs/connect.c: UNC:
>> \\server\myuser ip: ww.xx.yy.zz
>> [8046556.916743]  fs/cifs/connect.c: Socket created
>> [8046556.924050]  fs/cifs/connect.c: sndbuf 16384 rcvbuf 87380
>> rcvtimeo 0x7fffffff
>> [8046556.935312]  fs/cifs/connect.c: Existing smb sess not found
>> [8046556.935312]  fs/cifs/connect.c: Demultiplex PID: 6171
>> [8046556.946262]  fs/cifs/cifssmb.c: secFlags 0x1009
>> [8046556.950328]  fs/cifs/cifssmb.c: Kerberos only mechanism, enable
>> extended security
>> [8046556.957962]  fs/cifs/transport.c: For smb_command 114
>> [8046556.962692]  fs/cifs/transport.c: Sending smb of length 78
>> [8046556.968883]  fs/cifs/connect.c: rfc1002 length 0xbe
>> [8046556.974665]  fs/cifs/cifssmb.c: Dialect: 2
>> [8046556.978940]  fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348
>> 0x1bb92
>> [8046556.989230]  fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0xbb92
>> [8046556.991772]  fs/cifs/asn1.c: OID len = 10 oid = 0x1 0x3 0x6 0x1
>> [8046556.998296]  fs/cifs/asn1.c: Need to call asn1_octets_decode()
>> function for cifs/server at MYREALM
>> [8046557.008389]  fs/cifs/cifssmb.c: Must sign - secFlags 0x1009
>> [8046557.015170]  CIFS VFS: signing required but server lacks support
>
>
> I think this message explains the problem ^^^^
>
> You've requested krb5i, but your server doesn't support signing. You
> might want to try sec=krb5 and see if that works.

Then there won't be much security left with sec=krb, because
it would lack even signed cifs packets. And as far as I remember,
the client doesn't do mutual authentication of the server, so
the server may be faked by any machine registered in the ADS
domain.
Anyway, we can use the current cifs only to authenticate the client
on the server, but there won't be much security in the sense
of transmitted data or checking if we speak with the real server.

>> [8046557.022305]  fs/cifs/cifssmb.c: negprot rc -95
>> [8046557.136096]  fs/cifs/connect.c: No session or bad tcon
>> [8046557.213439]  fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid
>> = 15) rc = -95
>> [8046557.221012]  CIFS VFS: cifs_mount failed w/return code = -95
>>
>> ==============
>>
>> Do I need a more recent kernel? If so, which one would you recommend?
>>
>> Thanks in advance for any hints & kind regards,
>>
>>        Holger
>>
>
>
> --
> Jeff Layton <jlayton at redhat.com>
> _______________________________________________
> linux-cifs-client mailing list
> linux-cifs-client at lists.samba.org
> https://lists.samba.org/mailman/listinfo/linux-cifs-client
>
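
Added example, not part of the original thread: a small triage script that decodes the secFlags word from the cifs debug log quoted above and reports whether the mount was refused because the client required signing. The bit values are the CIFSSEC_MAY_* definitions from the kernel's fs/cifs/cifsglob.h; the function names and the sample text (log lines from the report, re-joined where the mail wrapped them) are constructed for illustration.

```python
import re

# CIFSSEC_MAY_* bits from the kernel's fs/cifs/cifsglob.h. A MUST_x flag is
# the MAY_x bit plus the same bit shifted left by 12 (MUST_SIGN = 0x1001).
MAY_BITS = {0x01: "SIGN", 0x02: "NTLM", 0x04: "NTLMV2", 0x08: "KRB5"}

# Constructed sample: dmesg lines from the report above, with the lines the
# mail client wrapped joined back together.
SAMPLE = """\
[8046556.946262]  fs/cifs/cifssmb.c: secFlags 0x1009
[8046556.950328]  fs/cifs/cifssmb.c: Kerberos only mechanism, enable extended security
[8046557.008389]  fs/cifs/cifssmb.c: Must sign - secFlags 0x1009
[8046557.015170]  CIFS VFS: signing required but server lacks support
[8046557.022305]  fs/cifs/cifssmb.c: negprot rc -95
[8046557.221012]  CIFS VFS: cifs_mount failed w/return code = -95
"""

def decode_secflags(value):
    """Split a secFlags word into (allowed, required) mechanism names."""
    allowed = [name for bit, name in MAY_BITS.items() if value & bit]
    required = [name for bit, name in MAY_BITS.items() if value & (bit << 12)]
    return allowed, required

def diagnose(log_text):
    """Summarise the security negotiation recorded in a cifs debug log."""
    result = {"secflags": None, "allowed": [], "required": [],
              "signing_refused": False, "rc": None}
    for line in log_text.splitlines():
        m = re.search(r"secFlags (0x[0-9a-fA-F]+)", line)
        if m:
            result["secflags"] = int(m.group(1), 16)
            result["allowed"], result["required"] = decode_secflags(
                result["secflags"])
        if "signing required but server lacks support" in line:
            result["signing_refused"] = True
        m = re.search(r"cifs_mount failed w/return code = (-?\d+)", line)
        if m:
            result["rc"] = int(m.group(1))
    # Client demanded signing and the server did not offer it: the mount was
    # refused during negotiation because of the signing requirement.
    result["signing_mismatch"] = (
        "SIGN" in result["required"] and result["signing_refused"])
    return result

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

For the log in this thread the script reports SIGN as required and KRB5 as allowed, which matches the sec=krb5i mount option; the same check on a sec=krb5 mount would show no required signing bit.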

