Commit eea5119f authored by Steve French's avatar Steve French

smb3: add support for IAKerb



There are now more servers which advertise support for IAKerb (passthrough
Kerberos authentication via proxy).  IAKerb is an industry-standard public
extension to the Kerberos protocol that allows a client without line-of-sight
to a Domain Controller to authenticate. There can be cases where we
would fail to mount if the server only advertises the OID for IAKerb
in SPNEGO/GSSAPI.  Add code to allow us to still upcall to userspace
in these cases to obtain the Kerberos ticket.

Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
parent 021840c1
+2 −0
@@ -52,6 +52,8 @@ int cifs_neg_token_init_mech_type(void *context, size_t hdrlen,
		server->sec_kerberos = true;
	else if (oid == OID_ntlmssp)
		server->sec_ntlmssp = true;
	else if (oid == OID_IAKerb)
		server->sec_iakerb = true;
	else {
		char buf[50];

+3 −1
@@ -138,11 +138,13 @@ cifs_get_spnego_key(struct cifs_ses *sesInfo,

	dp = description + strlen(description);

	/* for now, only sec=krb5 and sec=mskrb5 are valid */
	/* for now, only sec=krb5 and sec=mskrb5 and iakerb are valid */
	if (server->sec_kerberos)
		sprintf(dp, ";sec=krb5");
	else if (server->sec_mskerberos)
		sprintf(dp, ";sec=mskrb5");
	else if (server->sec_iakerb)
		sprintf(dp, ";sec=iakerb");
	else {
		cifs_dbg(VFS, "unknown or missing server auth type, use krb5\n");
		sprintf(dp, ";sec=krb5");
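Review bot: The new `sprintf(dp, ";sec=iakerb");` under `else if (server->sec_iakerb)` writes into `description` unbounded, and the size of that buffer is fixed by a maximum mech-string length computed before this hunk, so nothing at this point checks that the added token fits. It does fit today, since `;sec=iakerb` is 11 bytes like `;sec=mskrb5`, but that coupling is invisible here; I would put `/* each token must stay within the max mech-string length used to size description */` above the if-chain. The updated comment line could also name the userspace side: the key description is parsed by cifs.upcall, which presumably has to recognise `sec=iakerb` for the request to succeed, and that dependency belongs in the comment or the commit message. cifs_get_spnego_key starts and ends outside this hunk.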
+4 −0
@@ -151,6 +151,7 @@ enum securityEnum {
	NTLMv2,			/* Legacy NTLM auth with NTLMv2 hash */
	RawNTLMSSP,		/* NTLMSSP without SPNEGO, NTLMv2 hash */
	Kerberos,		/* Kerberos via SPNEGO */
	IAKerb,			/* Kerberos proxy */
};

enum upcall_target_enum {
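Review bot: The enum comment `IAKerb, /* Kerberos proxy */` in securityEnum is terser than its neighbours and does not say how this value relates to `Kerberos`: elsewhere in this commit the Unspecified path of cifs_select_sectype and smb2_select_sectype folds the sec_iakerb server flag into the existing `Kerberos` choice, so `IAKerb` as a sectype appears to be reached only when it is requested explicitly. I would write `IAKerb, /* Kerberos via SPNEGO, proxied through the server; used only when explicitly requested */`. The `"IAKerb"` string returned by get_security_type_str in the third hunk of this file is consequently reported only in that explicit case, which is worth a one-line comment there as well. enum securityEnum starts outside the hunk.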
@@ -781,6 +782,7 @@ struct TCP_Server_Info {
	bool	sec_kerberosu2u;	/* supports U2U Kerberos */
	bool	sec_kerberos;		/* supports plain Kerberos */
	bool	sec_mskerberos;		/* supports legacy MS Kerberos */
	bool	sec_iakerb;		/* supports pass-through auth for Kerberos (krb5 proxy) */
	bool	large_buf;		/* is current buffer large? */
	/* use SMBD connection instead of socket */
	bool	rdma;
@@ -2148,6 +2150,8 @@ static inline char *get_security_type_str(enum securityEnum sectype)
		return "Kerberos";
	case NTLMv2:
		return "NTLMv2";
	case IAKerb:
		return "IAKerb";
	default:
		return "Unknown";
	}
+2 −1
@@ -1235,12 +1235,13 @@ cifs_select_sectype(struct TCP_Server_Info *server, enum securityEnum requested)
		switch (requested) {
		case Kerberos:
		case RawNTLMSSP:
		case IAKerb:
			return requested;
		case Unspecified:
			if (server->sec_ntlmssp &&
			    (global_secflags & CIFSSEC_MAY_NTLMSSP))
				return RawNTLMSSP;
			if ((server->sec_kerberos || server->sec_mskerberos) &&
			if ((server->sec_kerberos || server->sec_mskerberos || server->sec_iakerb) &&
			    (global_secflags & CIFSSEC_MAY_KRB5))
				return Kerberos;
			fallthrough;
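Review bot: The added `case IAKerb:` returns the requested type without consulting `server->sec_iakerb` or `global_secflags & CIFSSEC_MAY_KRB5`, whereas the widened Unspecified condition below only picks Kerberos for an IAKerb-only server when `CIFSSEC_MAY_KRB5` is set. This mirrors the existing Kerberos and RawNTLMSSP cases, so it is consistent, but if the mount option parser lets a user request IAKerb explicitly that request now bypasses the MAY_KRB5 policy in the same way, and that deserves a comment such as `/* explicit request is honoured regardless of server advert or MAY_KRB5, as for Kerberos */`. Note too that the Unspecified branch maps a server advertising only IAKerb to `Kerberos`, not `IAKerb`, so whatever later builds the SPNEGO blob for `sectype == Kerberos` must accept the IAKerb OID; that code is outside the hunk. The same widened condition appears in smb2_select_sectype in the next file and this note applies there as well; cifs_select_sectype starts and ends outside the hunk.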
+1 −1
@@ -1429,7 +1429,7 @@ smb2_select_sectype(struct TCP_Server_Info *server, enum securityEnum requested)
		if (server->sec_ntlmssp &&
			(global_secflags & CIFSSEC_MAY_NTLMSSP))
			return RawNTLMSSP;
		if ((server->sec_kerberos || server->sec_mskerberos) &&
		if ((server->sec_kerberos || server->sec_mskerberos || server->sec_iakerb) &&
			(global_secflags & CIFSSEC_MAY_KRB5))
			return Kerberos;
		fallthrough;