    Fix default behaviour for empty domains and add domainauto option · 39566443
    Germano Percossi authored
    With commit 2b149f11 many things have been fixed/introduced.
    However, the default behaviour for RawNTLMSSP authentication
    seems to be wrong in case the domain is not passed on the command line.
    
    The main points (see below) of the patch are:
     - It aligns behaviour with Windows clients
     - It fixes backward compatibility
     - It fixes UPN
    
    I compared this behaviour with the one from a Windows 10 command line
    client. When no domains are specified on the command line, I traced
    the packets and observed that the client does send an empty
    domain to the server.
    In the Linux kernel case, the empty domain is replaced by the
    primary domain communicated by the SMB server.
    This means that, if the credentials are valid against the local server
    but that server is part of a domain, then the kernel module will
    ask to authenticate against that domain and we will get LOGON failure.
    
    I compared the packet trace from the smbclient when no domain is passed
    and, in that case, a default domain from the client smb.conf is taken.
    Apparently, connection succeeds anyway, because when the domain passed
    is not valid (in my case WORKGROUP), then the local one is tried and
    authentication succeeds. I tried with any kind of invalid domain and
    the result was always a connection.
    
    So, trying to interpret what to do and picking a valid domain if none
    is passed, seems the wrong thing to do.
    To this end, a new option "domainauto" has been added in case the
    user wants a mechanism for guessing.
    
    Without this patch, backward compatibility also is broken.
    With kernel 3.10, the default auth mechanism was NTLM.
    One of our testing servers accepted NTLM and, because no
    domains are passed, authentication was local.
    
    Moving to RawNTLMSSP forced us to change our command line
    to add a fake domain to pass to prevent this mechanism from kicking in.
    
    For the same reasons, UPN is broken because the domain is specified
    in the username.
    The SMB server will work out the domain from the UPN and authenticate
    against the right server.
    Without the patch, though, given the domain is empty, it gets replaced
    with another domain that could be the wrong one for the authentication.
    Signed-off-by: Germano Percossi <germano.percossi@citrix.com>
    Acked-by: Pavel Shilovsky <pshilov@microsoft.com>
    Signed-off-by: Steve French <smfrench@gmail.com>
cifsencrypt.c 24.3 KB