Commit d2346e28 authored by Steve French

cifs: fix setting SecurityFlags to true



If you try to set /proc/fs/cifs/SecurityFlags to 1 it
will set them to CIFSSEC_MUST_NTLMV2 which no longer is
relevant (the less secure ones like lanman have been removed
from cifs.ko) and is also missing some flags (like for
signing and encryption) and can even cause mount to fail,
so change this to set it to Kerberos in this case.

Also change the description of the SecurityFlags to remove mention
of flags which are no longer supported.

Cc: stable@vger.kernel.org
Reviewed-by: Shyam Prasad N <sprasad@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
parent 34afb82a
+11 −25
@@ -723,40 +723,26 @@ Configuration pseudo-files:
======================= =======================================================
SecurityFlags		Flags which control security negotiation and
			also packet signing. Authentication (may/must)
			flags (e.g. for NTLM and/or NTLMv2) may be combined with
			flags (e.g. for NTLMv2) may be combined with
			the signing flags.  Specifying two different password
			hashing mechanisms (as "must use") on the other hand
			does not make much sense. Default flags are::

				0x07007

			(NTLM, NTLMv2 and packet signing allowed).  The maximum
			allowable flags if you want to allow mounts to servers
			using weaker password hashes is 0x37037 (lanman,
			plaintext, ntlm, ntlmv2, signing allowed).  Some
			SecurityFlags require the corresponding menuconfig
			options to be enabled.  Enabling plaintext
			authentication currently requires also enabling
			lanman authentication in the security flags
			because the cifs module only supports sending
			laintext passwords using the older lanman dialect
			form of the session setup SMB.  (e.g. for authentication
			using plain text passwords, set the SecurityFlags
			to 0x30030)::
				0x00C5

			(NTLMv2 and packet signing allowed).  Some SecurityFlags
			may require enabling a corresponding menuconfig option.

			  may use packet signing			0x00001
			  must use packet signing			0x01001
			  may use NTLM (most common password hash)	0x00002
			  must use NTLM					0x02002
			  may use NTLMv2				0x00004
			  must use NTLMv2				0x04004
			  may use Kerberos security			0x00008
			  may use Kerberos security (krb5)		0x00008
			  must use Kerberos                             0x08008
			  may use lanman (weak) password hash		0x00010
			  must use lanman password hash			0x10010
			  may use plaintext passwords			0x00020
			  must use plaintext passwords			0x20020
			  (reserved for future packet encryption)	0x00040
			  may use NTLMSSP               		0x00080
			  must use NTLMSSP           			0x80080
			  seal (packet encryption)			0x00040
			  must seal (not implemented yet)               0x40040

cifsFYI			If set to non-zero value, additional debug information
			will be logged to the system error log.  This field
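Review bot: In the new SecurityFlags text, the parenthetical after the default, "(NTLMv2 and packet signing allowed)", under-describes 0x00C5: going by the table that follows, that value also sets 0x00080 (may use NTLMSSP) and 0x00040 (seal). Suggest "(NTLMv2, NTLMSSP, packet signing and sealing allowed)" so an administrator reading the documentation knows that encryption is permitted by default. Two smaller points in the same block: the default is written with four hex digits while every table entry uses five (0x000C5 would match), and "seal (packet encryption)" lacks the "may use" prefix that the other may/must pairs carry, which makes it harder to pair with "must seal (not implemented yet)".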
+2 −2
@@ -1918,8 +1918,8 @@ require use of the stronger protocol */
#define   CIFSSEC_MUST_SEAL	0x40040 /* not supported yet */
#define   CIFSSEC_MUST_NTLMSSP	0x80080 /* raw ntlmssp with ntlmv2 */

#define   CIFSSEC_DEF (CIFSSEC_MAY_SIGN | CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_NTLMSSP)
#define   CIFSSEC_MAX (CIFSSEC_MUST_NTLMV2)
#define   CIFSSEC_DEF (CIFSSEC_MAY_SIGN | CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_NTLMSSP | CIFSSEC_MAY_SEAL)
#define   CIFSSEC_MAX (CIFSSEC_MAY_SIGN | CIFSSEC_MUST_KRB5 | CIFSSEC_MAY_SEAL)
#define   CIFSSEC_AUTH_MASK (CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_KRB5 | CIFSSEC_MAY_NTLMSSP)
/*
 *****************************************************************
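Review bot: CIFSSEC_MAX has no comment, and with the new value its name no longer says what it is: it is not a superset of CIFSSEC_DEF (it drops CIFSSEC_MAY_NTLMV2 and CIFSSEC_MAY_NTLMSSP) and it makes Kerberos mandatory through CIFSSEC_MUST_KRB5. Going by the commit message, this is the value applied when 1 is written to /proc/fs/cifs/SecurityFlags, so a one-line comment above the define stating that, and that it requires Kerberos, would keep the next reader from treating it as an upper bound. Also, the context line for CIFSSEC_MUST_SEAL still says "not supported yet" while CIFSSEC_DEF now includes CIFSSEC_MAY_SEAL; worth confirming that comment is still accurate or updating it in the same patch.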