Commit d2346e28 authored by Steve French

cifs: fix setting SecurityFlags to true

If you try to set /proc/fs/cifs/SecurityFlags to 1 it
will set them to CIFSSEC_MUST_NTLMV2 which no longer is
relevant (the less secure ones like lanman have been removed
from cifs.ko) and is also missing some flags (like for
signing and encryption) and can even cause mount to fail,
so change this to set it to Kerberos in this case.

Also change the description of the SecurityFlags to remove mention
of flags which are no longer supported.

Cc: stable@vger.kernel.org
Reviewed-by: Shyam Prasad N <sprasad@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
parent 34afb82a
...@@ -723,40 +723,26 @@ Configuration pseudo-files: ...@@ -723,40 +723,26 @@ Configuration pseudo-files:
======================= ======================================================= ======================= =======================================================
SecurityFlags Flags which control security negotiation and SecurityFlags Flags which control security negotiation and
also packet signing. Authentication (may/must) also packet signing. Authentication (may/must)
flags (e.g. for NTLM and/or NTLMv2) may be combined with flags (e.g. for NTLMv2) may be combined with
the signing flags. Specifying two different password the signing flags. Specifying two different password
hashing mechanisms (as "must use") on the other hand hashing mechanisms (as "must use") on the other hand
does not make much sense. Default flags are:: does not make much sense. Default flags are::
0x07007 0x00C5
(NTLM, NTLMv2 and packet signing allowed). The maximum (NTLMv2 and packet signing allowed). Some SecurityFlags
allowable flags if you want to allow mounts to servers may require enabling a corresponding menuconfig option.
using weaker password hashes is 0x37037 (lanman,
plaintext, ntlm, ntlmv2, signing allowed). Some
SecurityFlags require the corresponding menuconfig
options to be enabled. Enabling plaintext
authentication currently requires also enabling
lanman authentication in the security flags
because the cifs module only supports sending
laintext passwords using the older lanman dialect
form of the session setup SMB. (e.g. for authentication
using plain text passwords, set the SecurityFlags
to 0x30030)::
may use packet signing 0x00001 may use packet signing 0x00001
must use packet signing 0x01001 must use packet signing 0x01001
may use NTLM (most common password hash) 0x00002
must use NTLM 0x02002
may use NTLMv2 0x00004 may use NTLMv2 0x00004
must use NTLMv2 0x04004 must use NTLMv2 0x04004
may use Kerberos security 0x00008 may use Kerberos security (krb5) 0x00008
must use Kerberos 0x08008 must use Kerberos 0x08008
may use lanman (weak) password hash 0x00010 may use NTLMSSP 0x00080
must use lanman password hash 0x10010 must use NTLMSSP 0x80080
may use plaintext passwords 0x00020 seal (packet encryption) 0x00040
must use plaintext passwords 0x20020 must seal (not implemented yet) 0x40040
(reserved for future packet encryption) 0x00040
cifsFYI If set to non-zero value, additional debug information cifsFYI If set to non-zero value, additional debug information
will be logged to the system error log. This field will be logged to the system error log. This field
......
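Review bot: The new default description in the right-hand column, "0x00C5 (NTLMv2 and packet signing allowed)", does not match the value it describes. Per the table in this same hunk, 0x00C5 also includes may use NTLMSSP (0x00080) and seal (0x00040), so the parenthetical should read something like "(NTLMv2, NTLMSSP, packet signing and sealing allowed)". The table also labels 0x00040 as plain "seal (packet encryption)" while every other optional flag is "may use ..." and its counterpart is "must seal"; "may seal" would be consistent. Since the commit message says writing 1 to SecurityFlags now selects Kerberos, a sentence stating that here would help, because nothing in the revised text tells an administrator that a boolean-style write results in must use Kerberos (0x08008).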
...@@ -1918,8 +1918,8 @@ require use of the stronger protocol */ ...@@ -1918,8 +1918,8 @@ require use of the stronger protocol */
#define CIFSSEC_MUST_SEAL 0x40040 /* not supported yet */ #define CIFSSEC_MUST_SEAL 0x40040 /* not supported yet */
#define CIFSSEC_MUST_NTLMSSP 0x80080 /* raw ntlmssp with ntlmv2 */ #define CIFSSEC_MUST_NTLMSSP 0x80080 /* raw ntlmssp with ntlmv2 */
#define CIFSSEC_DEF (CIFSSEC_MAY_SIGN | CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_NTLMSSP) #define CIFSSEC_DEF (CIFSSEC_MAY_SIGN | CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_NTLMSSP | CIFSSEC_MAY_SEAL)
#define CIFSSEC_MAX (CIFSSEC_MUST_NTLMV2) #define CIFSSEC_MAX (CIFSSEC_MAY_SIGN | CIFSSEC_MUST_KRB5 | CIFSSEC_MAY_SEAL)
#define CIFSSEC_AUTH_MASK (CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_KRB5 | CIFSSEC_MAY_NTLMSSP) #define CIFSSEC_AUTH_MASK (CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_KRB5 | CIFSSEC_MAY_NTLMSSP)
/* /*
***************************************************************** *****************************************************************
......
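Review bot: CIFSSEC_MAX needs a comment, and arguably a different name, now that it is (CIFSSEC_MAY_SIGN | CIFSSEC_MUST_KRB5 | CIFSSEC_MAY_SEAL). The value is no longer a maximum of anything: it makes Kerberos mandatory, leaves signing and sealing optional, and drops the NTLMv2 and NTLMSSP bits that CIFSSEC_DEF allows, so a mount that cannot use Kerberos will not satisfy it. A one-line comment saying that this is the value applied when SecurityFlags is written as 1 (as the commit message describes) would make that intent visible at the definition. If the goal is the strictest setting, consider whether CIFSSEC_MAY_SIGN should be the must-sign form here. Separately, CIFSSEC_DEF now includes CIFSSEC_MAY_SEAL while the context line above still marks CIFSSEC_MUST_SEAL as "not supported yet"; a short note on what the may-seal bit does in the default would avoid confusion.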