[linux-cifs-client] Question on current state of sec=krb5* integration in cifs.ko

Q (Igor Mammedov) qwerty0987654321 at mail.ru
Fri Oct 23 10:41:04 MDT 2009


On Fri, Oct 23, 2009 at 8:24 PM, Jeff Layton <jlayton at redhat.com> wrote:
> On Fri, 23 Oct 2009 20:00:59 +0400
> "Q (Igor Mammedov)" <qwerty0987654321 at mail.ru> wrote:
>
>> On Fri, Oct 23, 2009 at 6:19 PM, Jeff Layton <jlayton at redhat.com> wrote:
>> > On Fri, 23 Oct 2009 15:54:29 +0200
>> > Holger Rauch <holger.rauch at empic.de> wrote:
>> >
>> >> Hi Jeff,
>> >>
>> >> first of all, thanks for your quick reply.
>> >>
>> >> On Fri, 23 Oct 2009, Jeff Layton wrote:
>> >>
>> >> > On Fri, 23 Oct 2009 13:12:14 +0200
>> >> > Holger Rauch <holger.rauch at empic.de> wrote:
>> >> > > [...]
>> >> > > I just tried that. Mount options in /etc/fstab are
>> >> > >
>> >> > > noauto,sec=krb5i,iocharset=iso8859-15
>> >> > >
>> >> > > When I issue the mount cmd, it asks me for a password.
>> >> >
>> >> > That probably means that you have a fairly old mount.cifs program. The
>> >> > more recent ones don't prompt for a password when sec=krb5* is
>> >> > specified. Try adding the "guest" option which will disable password
>> >> > prompting.
>> >>
>> >> Ok, I tried that (debugging output included as well; interestingly
>> >> enough, "mount.cifs -V" only outputs the help message, even if
>> >> mount.cifs is called with an absolute path). This happened on a
>> >> Debian Lenny system having the shipped kernel version (uname -r):
>> >>
>> >> 2.6.26-2-686-bigmem
>> >>
>> >> Since "mount.cifs -V" didn't come up with version info, I used
>> >> "apt-cache show smbfs" ("smbfs" is the Debian package mount.cifs is
>> >> contained in). It has the same version as the other Samba packages
>> >> shipped with Debian: 3.2.5
>> >>
>> >> ==============
>> >>
>> >> pia:~# mount -t cifs //server/myuser
>> >> /cifs/user --verbose -o
>> >> sec=krb5i,user=myuser,guest,iocharset=iso8859-15
>> >> parsing options: rw,sec=krb5i,user=myuser,guest,iocharset=iso8859-15
>> >>
>> >> mount.cifs kernel mount options
>> >> unc=//server\myuser,ip=ww.xx.yy.zz,ver=1,rw,sec=krb5i,user=myuser,guest,iocharset=iso8859-15
>> >>
>> >> mount error 95 = Operation not supported
>> >> Refer to the mount.cifs(8) manual page (e.g.man mount.cifs)
>> >> pia:~# dmesg
>> >> [8046556.840192]  fs/cifs/cifsfs.c: Devname:
>> >> //prag-old.er.heitec.net/hrauch flags: 64
>> >> [8046556.847954]  fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid:
>> >> 15 with uid: 0
>> >> [8046556.895920]  fs/cifs/connect.c: iocharset set to iso8859-15
>> >> [8046556.903932]  fs/cifs/connect.c: Username: myuser
>> >> [8046556.911928]  fs/cifs/connect.c: UNC:
>> >> \\server\myuser ip: ww.xx.yy.zz
>> >> [8046556.916743]  fs/cifs/connect.c: Socket created
>> >> [8046556.924050]  fs/cifs/connect.c: sndbuf 16384 rcvbuf 87380
>> >> rcvtimeo 0x7fffffff
>> >> [8046556.935312]  fs/cifs/connect.c: Existing smb sess not found
>> >> [8046556.935312]  fs/cifs/connect.c: Demultiplex PID: 6171
>> >> [8046556.946262]  fs/cifs/cifssmb.c: secFlags 0x1009
>> >> [8046556.950328]  fs/cifs/cifssmb.c: Kerberos only mechanism, enable
>> >> extended security
>> >> [8046556.957962]  fs/cifs/transport.c: For smb_command 114
>> >> [8046556.962692]  fs/cifs/transport.c: Sending smb of length 78
>> >> [8046556.968883]  fs/cifs/connect.c: rfc1002 length 0xbe
>> >> [8046556.974665]  fs/cifs/cifssmb.c: Dialect: 2
>> >> [8046556.978940]  fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348
>> >> 0x1bb92
>> >> [8046556.989230]  fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0xbb92
>> >> [8046556.991772]  fs/cifs/asn1.c: OID len = 10 oid = 0x1 0x3 0x6 0x1
>> >> [8046556.998296]  fs/cifs/asn1.c: Need to call asn1_octets_decode()
>> >> function for cifs/server at MYREALM
>> >> [8046557.008389]  fs/cifs/cifssmb.c: Must sign - secFlags 0x1009
>> >> [8046557.015170]  CIFS VFS: signing required but server lacks support
>> >
>> >
>> > I think this message explains the problem ^^^^
>> >
>> > You've request krb5i, but your server doesn't support signing. You
>> > might want to try sec=krb5 and see if that works.
>>
>> There won't be much security left with sec=krb5, because
>> it would lack even signed cifs packets. And as far as I remember,
>> the client doesn't do mutual authentication of the server, so
>> the server may be faked by any machine registered in the ADS
>> domain.
>> Anyway, we can use the current cifs only to authenticate the client
>> to the server, but there won't be much security in the sense
>> of transmitted data or checking that we speak with the real server.
>>
>
> My intention was not to claim that using krb5 instead of krb5i was a
> good idea...simply that he might want to try it to make sure that was
> the only problem.
>
> Obviously, fixing the server to support signing would be a better
> long term solution.

I'm sorry if I was rude. Your solution to the problem is perfectly OK.
I just complemented your answer with what security risks there are.

And implementing mutual authentication wasn't a simple thing when
I looked at it. It will require expanding the upcall protocol to do several
round-trips of the SecurityBlob between the KDC and the cifs server.

>
> --
> Jeff Layton <jlayton at redhat.com>
>
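The thread's diagnosis comes from two places: the mount options handed to the kernel and the `fs/cifs` debug lines in dmesg. The script below, an added example that is not code from the thread or from cifs.ko, parses both and reports what a `sec=krb5*` mount actually buys: it splits the option string, classifies `sec=krb5` versus `sec=krb5i` as the thread describes them (client authentication only, versus client authentication plus packet signing, with no server authentication in either case), and flags the "signing required but server lacks support" line so the failure is attributed to the server's missing signing rather than to the Kerberos setup. The sample log lines are the ones quoted above, trimmed and joined; the classification table and finding identifiers are this example's own constructs.

```python
"""Offline triage of a sec=krb5* cifs mount from its options and kernel log.

Added example (not from the thread or cifs.ko). The option names sec, guest,
unc, ip, user are real mount.cifs options; SEC_MODES and the finding ids are
this example's own constructed summary of the thread's discussion.
"""
import re

# What each Kerberos mode provides on the wire, as described in the thread:
# sec=krb5 authenticates the client only; sec=krb5i additionally signs every
# SMB packet. Neither makes the client verify the server (no mutual auth).
SEC_MODES = {
    "krb5":  {"integrity": False, "mutual_auth": False},
    "krb5i": {"integrity": True,  "mutual_auth": False},
}

# Kernel debug lines worth flagging, with a defender-facing explanation.
DMESG_PATTERNS = [
    (re.compile(r"signing required but server lacks support"),
     "server_no_signing",
     "client insists on signing (krb5i) but the server does not support it; the mount fails"),
    (re.compile(r"Must sign - secFlags 0x[0-9a-f]+"),
     "client_requires_signing",
     "client secFlags demand packet signing"),
    (re.compile(r"Kerberos only mechanism, enable extended security"),
     "kerberos_only",
     "client will negotiate Kerberos only (no NTLM fallback)"),
]

# Constructed sample input: the kernel mount options and dmesg lines quoted
# in the thread, trimmed to the lines that matter for the diagnosis.
SAMPLE_OPTS = ("unc=//server\\myuser,ip=ww.xx.yy.zz,ver=1,rw,sec=krb5i,"
               "user=myuser,guest,iocharset=iso8859-15")
SAMPLE_DMESG = [
    "[8046556.946262]  fs/cifs/cifssmb.c: secFlags 0x1009",
    "[8046556.950328]  fs/cifs/cifssmb.c: Kerberos only mechanism, enable extended security",
    "[8046557.008389]  fs/cifs/cifssmb.c: Must sign - secFlags 0x1009",
    "[8046557.015170]  CIFS VFS: signing required but server lacks support",
]


def parse_mount_options(optstring):
    """Split 'a=b,c,d=e' into a dict; bare flags such as 'guest' map to True."""
    opts = {}
    for tok in optstring.split(","):
        tok = tok.strip()
        if not tok:
            continue
        key, sep, value = tok.partition("=")
        opts[key] = value if sep else True
    return opts


def assess_mount(opts):
    """Return the security properties implied by the sec= option."""
    sec = opts.get("sec")
    if sec not in SEC_MODES:
        return {"sec": sec, "known": False, "warnings": ["sec=%s not classified here" % sec]}
    props = SEC_MODES[sec]
    warnings = []
    if not props["integrity"]:
        warnings.append("no packet signing: data in transit is not integrity protected")
    if not props["mutual_auth"]:
        warnings.append("server is not authenticated to the client: another domain host could pose as it")
    notes = []
    if opts.get("guest") is True:
        # As used in the thread: 'guest' only suppresses the password prompt.
        notes.append("guest set: mount.cifs will not prompt for a password")
    return {"sec": sec, "known": True, "integrity": props["integrity"],
            "mutual_auth": props["mutual_auth"], "warnings": warnings, "notes": notes}


def diagnose_dmesg(lines):
    """Scan kernel log lines; return (finding_id, explanation) pairs, deduplicated."""
    findings, seen = [], set()
    for line in lines:
        for pattern, fid, explanation in DMESG_PATTERNS:
            if fid not in seen and pattern.search(line):
                seen.add(fid)
                findings.append((fid, explanation))
    return findings


def triage(optstring, dmesg_lines):
    """Combine option assessment and log findings into a list of verdict strings."""
    assessment = assess_mount(parse_mount_options(optstring))
    ids = {fid for fid, _ in diagnose_dmesg(dmesg_lines)}
    verdict = []
    if assessment.get("integrity") and "server_no_signing" in ids:
        verdict.append("krb5i requested but server lacks signing support: "
                       "enable signing on the server rather than downgrading to krb5")
    verdict.extend(assessment["warnings"])
    return verdict


if __name__ == "__main__":
    for line in triage(SAMPLE_OPTS, SAMPLE_DMESG):
        print("-", line)
```

Run against the thread's own output it produces two lines: the signing mismatch (the actual cause of `mount error 95`) and the standing caveat that neither `krb5` nor `krb5i` authenticates the server to the client. Feeding it a `sec=krb5` option string instead adds the missing-integrity warning, which is the trade-off the reply above points out.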

