[linux-cifs-client] Question on current state of sec=krb5* integration in cifs.ko
Jeff Layton
jlayton at redhat.com
Fri Oct 23 10:24:19 MDT 2009
On Fri, 23 Oct 2009 20:00:59 +0400
"Q (Igor Mammedov)" <qwerty0987654321 at mail.ru> wrote:
> On Fri, Oct 23, 2009 at 6:19 PM, Jeff Layton <jlayton at redhat.com> wrote:
> > On Fri, 23 Oct 2009 15:54:29 +0200
> > Holger Rauch <holger.rauch at empic.de> wrote:
> >
> >> Hi Jeff,
> >>
> >> first of all, thanks for your quick reply.
> >>
> >> On Fri, 23 Oct 2009, Jeff Layton wrote:
> >>
> >> > On Fri, 23 Oct 2009 13:12:14 +0200
> >> > Holger Rauch <holger.rauch at empic.de> wrote:
> >> > > [...]
> >> > > I just tried that. Mount options in /etc/fstab are
> >> > >
> >> > > noauto,sec=krb5i,iocharset=iso8859-15
> >> > >
> >> > > When I issue the mount cmd, it asks me for a password.
> >> >
> >> > That probably means that you have a fairly old mount.cifs program. The
> >> > more recent ones don't prompt for a password when sec=krb5* is
> >> > specified. Try adding the "guest" option which will disable password
> >> > prompting.
> >>
> >> Ok, I tried that (debugging output included as well; interestingly
> >> enough, "mount.cifs -V" only outputs the help message, even if
> >> mount.cifs is called with an absolute path). This happenend on a
> >> Debian Lenny system having the shipped kernel version (uname -r):
> >>
> >> 2.6.26-2-686-bigmem
> >>
> >> Since "mount.cifs -V" didn't come up with version info, I used
> >> "apt-cache show smbfs" ("smbfs" is the Debian package mount.cifs is
> >> contained in). It has the same version as the other Samba packages
> >> shipped with Debian: 3.2.5
> >>
> >> ==============
> >>
> >> pia:~# mount -t cifs //server/myuser
> >> /cifs/user --verbose -o
> >> sec=krb5i,user=myuser,guest,iocharset=iso8859-15
> >> parsing options: rw,sec=krb5i,user=myuser,guest,iocharset=iso8859-15
> >>
> >> mount.cifs kernel mount options
> >> unc=//server\myuser,ip=ww.xx.yy.zz,ver=1,rw,sec=krb5i,user=myuser,guest,iocharset=iso8859-15
> >>
> >> mount error 95 = Operation not supported
> >> Refer to the mount.cifs(8) manual page (e.g.man mount.cifs)
> >> pia:~# dmesg
> >> [8046556.840192] fs/cifs/cifsfs.c: Devname:
> >> //prag-old.er.heitec.net/hrauch flags: 64
> >> [8046556.847954] fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid:
> >> 15 with uid: 0
> >> [8046556.895920] fs/cifs/connect.c: iocharset set to iso8859-15
> >> [8046556.903932] fs/cifs/connect.c: Username: myuser
> >> [8046556.911928] fs/cifs/connect.c: UNC:
> >> \\server\myuser ip: ww.xx.yy.zz
> >> [8046556.916743] fs/cifs/connect.c: Socket created
> >> [8046556.924050] fs/cifs/connect.c: sndbuf 16384 rcvbuf 87380
> >> rcvtimeo 0x7fffffff
> >> [8046556.935312] fs/cifs/connect.c: Existing smb sess not found
> >> [8046556.935312] fs/cifs/connect.c: Demultiplex PID: 6171
> >> [8046556.946262] fs/cifs/cifssmb.c: secFlags 0x1009
> >> [8046556.950328] fs/cifs/cifssmb.c: Kerberos only mechanism, enable
> >> extended security
> >> [8046556.957962] fs/cifs/transport.c: For smb_command 114
> >> [8046556.962692] fs/cifs/transport.c: Sending smb of length 78
> >> [8046556.968883] fs/cifs/connect.c: rfc1002 length 0xbe
> >> [8046556.974665] fs/cifs/cifssmb.c: Dialect: 2
> >> [8046556.978940] fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348
> >> 0x1bb92
> >> [8046556.989230] fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0xbb92
> >> [8046556.991772] fs/cifs/asn1.c: OID len = 10 oid = 0x1 0x3 0x6 0x1
> >> [8046556.998296] fs/cifs/asn1.c: Need to call asn1_octets_decode()
> >> function for cifs/server at MYREALM
> >> [8046557.008389] fs/cifs/cifssmb.c: Must sign - secFlags 0x1009
> >> [8046557.015170] CIFS VFS: signing required but server lacks support
> >
> >
> > I think this message explains the problem ^^^^
> >
> > You've request krb5i, but your server doesn't support signing. You
> > might want to try sec=krb5 and see if that works.
>
> That there won't be much security left with sec=krb, because of
> it would lack even signed cisf packets. And as far as I remember,
> the client doesn't do mutual authentication of the server, so
> the server may be faked by any machine registered in the ADS
> domain.
> Any ways, we can use current cifs only to authenticate client
> on the server only, but there won't be much security in the sense
> of transmitted data or checking if we speak with real server.
>
My intention was not to claim that using krb5 instead of krb5i was a
good idea...simply that he might want to try it to make sure that was
the only problem.
Obviously, fixing the server to support signing would be a better
long term solution.
--
Jeff Layton <jlayton at redhat.com>
More information about the linux-cifs-client
mailing list