From patchwork Wed Feb 7 06:08:28 2024
X-Patchwork-Submitter: Steve French
X-Patchwork-Id: 1896012
X-Mailing-List: linux-cifs@vger.kernel.org
From: Steve French
Date: Wed, 7 Feb 2024 00:08:28 -0600
Message-ID:
Subject: [PATCH][smb client] updating warning message for sec=krb5p
To: samba-technical, CIFS
Cc: Shyam Prasad N

smb3: clarify mount warning

When a user tries to use the "sec=krb5p" mount parameter to encrypt
data on connection to a server (when authenticating with Kerberos), we
indicate that it is not supported, but do not note the equivalent
recommended mount parameter ("sec=krb5,seal") which turns on encryption
for that mount (and uses Kerberos for auth).

Without an updated mount warning it could confuse some NFS users. Note
that for SMB3+ we support encryption, but consider it ("seal") a
distinct mount parameter since the same user may choose to encrypt to
one share but not another from the same client.

Update the warning message to reduce confusion.

See attached.

From 608b0d580f917e02b6afd1be3e479b29587bb88a Mon Sep 17 00:00:00 2001
From: Steve French
Date: Tue, 6 Feb 2024 23:57:18 -0600
Subject: [PATCH] smb3: clarify mount warning

When a user tries to use the "sec=krb5p" mount parameter to encrypt
data on connection to a server (when authenticating with Kerberos), we
indicate that it is not supported, but do not note the equivalent
recommended mount parameter ("sec=krb5,seal") which turns on encryption
for that mount (and uses Kerberos for auth). Update the warning message.

Signed-off-by: Steve French
---
 fs/smb/client/fs_context.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/smb/client/fs_context.c b/fs/smb/client/fs_context.c
index 600a77052c3b..6993cd358b94 100644
--- a/fs/smb/client/fs_context.c
+++ b/fs/smb/client/fs_context.c
@@ -211,7 +211,7 @@ cifs_parse_security_flavors(struct fs_context *fc, char *value, struct smb3_fs_c switch (match_token(value, cifs_secflavor_tokens, args)) { case Opt_sec_krb5p: - cifs_errorf(fc, "sec=krb5p is not supported!\n"); + cifs_errorf(fc, "sec=krb5p is not supported. Use sec=krb5,seal instead\n"); return 1; case Opt_sec_krb5i: ctx->sign = true; -- 2.40.1
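
Review bot: in the Opt_sec_krb5p case, the comma inside the new string's "sec=krb5,seal" can be read as sentence punctuation, so a user may not realise that both tokens are mount options to pass together; quoting the replacement in the message, e.g. Use "sec=krb5,seal" instead, would make that unambiguous. The unchanged "return 1" keeps the mount failing instead of continuing with Kerberos auth and no encryption, which is the right behaviour for someone who asked for krb5p, and the message could say the mount was rejected. The cover mail explains why "seal" is a separate option (encryption is chosen per share) and mentions NFS users as the audience for this hint, but the commit message in the attached patch drops both; carrying that rationale into the commit log would help later readers of fs/smb/client/fs_context.c.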