[SRU,J/F,0/1] fix ntlmssp auth when there is no key exchange

Message ID 20240417103856.1619778-1-robert.malz@canonical.com

Message

Robert Malz April 17, 2024, 10:38 a.m. UTC
BugLink: https://bugs.launchpad.net/bugs/2061986

[ Impact ]

 * Mounting SMB share from server without Key Exchange capability is failing with Access Denied error

 * Even though SMB server during Session Setup Response in NTLMSSP_CHALLENGE message does not advertise
   Key Exchange capabilities SMB client < 5.16 will forcefully use it leading to error response during
   TCON requests.

 * Issue can be reproduced on 5.15 or older Kernels, there is no reproduction on 6.5 Kernel

 * This scenario was fixed in upstream commit 9de0737d5ba0425c3154d5d83da12a8fa8595c0f

 * An example of server without Key Exchange capability is Oracle Solaris 11.4 SMB zfs, meaning
   mounting share from that server will result in ACCESS_DENIED error.

[ Test Plan ]

 * So far issue was reported only with Oracle Solaris 11.04 smb server and Ubuntu with Kernel <= 5.15

 * To reproduce, set up Oracle Solaris SMB server and try to mount share on 22.04/20.04 (5.15/5.04)

 * With server configured, mount share using Ubuntu SMB client
   Expected result: mount operation should succeed
   Actual result: mount returns Permission denied error

[ Where problems could occur ]

 * Upstream patch is changing smb client behavior based on server NTLMSSP_CHALLENGE Negotiate Flags,
   if server does not advertise Key Exchange Capability but requires it from client communication might
   be broken. It is unknown if such servers are used, such instance should be treated as a server bug.

 * Patch is available in upstream kernel since 5.16, any issues associated with it should be already
   detected.

 * Patch adds additional requirement checks on server NTLM flags, although it is possible to hit
   these checks, I was not able to find any instances of that occurring.

 * To lower regression potential, upstream patch backported to Ubuntu 5.15 and 5.04 Kernels has been
   tested in following environments:
   smb server: Oracle Solaris 11.04, Ubuntu 22.04 HWE
   smb client: Ubuntu 22.04, Ubuntu 20.04
   During testing no issues have been detected.

[ Other Info ]

 * Error message coming from SMB client is the same as providing incorrect credentials, which might
   confuse users.

Paulo Alcantara (1):
  cifs: fix ntlmssp auth when there is no key exchange

 fs/cifs/sess.c | 54 +++++++++++++++++++++++++++++++++-----------------
 1 file changed, 36 insertions(+), 18 deletions(-)
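
The negotiation rule described under [ Impact ], as an added example that is not taken from this series or from fs/cifs/sess.c: it reads NegotiateFlags from an NTLMSSP CHALLENGE blob and decides whether the client should use key exchange, once ignoring the server's flags and once honoring them. The function names, the `honor_server` switch and the sample blob are constructed for illustration; the field offsets and the 0x40000000 flag value follow MS-NLMP.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NTLMSSP_NEGOTIATE_KEY_EXCH 0x40000000u /* MS-NLMP NegotiateFlags bit */
#define CHALLENGE_FIXED_LEN 48u /* fixed fields through TargetInfoFields */

static uint32_t le32(const uint8_t *p)
{
	return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Extract NegotiateFlags (offset 20) from a CHALLENGE blob; 0 on success. */
int challenge_flags(const uint8_t *blob, size_t len, uint32_t *flags)
{
	if (len < CHALLENGE_FIXED_LEN || memcmp(blob, "NTLMSSP", 8) != 0)
		return -1; /* truncated blob or wrong signature */
	if (le32(blob + 8) != 2) /* MessageType 2 = CHALLENGE */
		return -1;
	*flags = le32(blob + 20);
	return 0;
}

/* 1: wrap a random session key in AUTHENTICATE, 0: keep the base session key,
 * -1: malformed CHALLENGE. honor_server=0 models the forced behaviour. */
int use_key_exchange(uint32_t client_flags, const uint8_t *blob, size_t len,
		     int honor_server)
{
	uint32_t agreed = client_flags, server_flags;

	if (challenge_flags(blob, len, &server_flags))
		return -1;
	if (honor_server)
		agreed &= server_flags; /* keep only bits both sides offered */
	return (agreed & NTLMSSP_NEGOTIATE_KEY_EXCH) != 0;
}

/* Constructed 48-byte CHALLENGE header; NegotiateFlags = 0x00000201, KEY_EXCH clear. */
static const uint8_t sample[CHALLENGE_FIXED_LEN] = {
	'N','T','L','M','S','S','P',0, 2,0,0,0, [20] = 0x01, 0x02, 0x00, 0x00,
};

int main(void)
{
	printf("forced=%d negotiated=%d\n",
	       use_key_exchange(0x40000201u, sample, sizeof(sample), 0),
	       use_key_exchange(0x40000201u, sample, sizeof(sample), 1));
	return 0;
}
```

When the two sides disagree on this bit they derive different session keys, which is consistent with the failure surfacing only on later requests such as TCON rather than during Session Setup.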

Comments

Stefan Bader April 24, 2024, 3:30 p.m. UTC | #1
Acked-by: Stefan Bader <stefan.bader@canonical.com>

Roxana Nicolescu April 25, 2024, 6:52 p.m. UTC | #2
Acked-by: Roxana Nicolescu <roxana.nicolescu@canonical.com>

Roxana Nicolescu April 25, 2024, 6:53 p.m. UTC | #3
Applied to jammy, focal master-next branches. Thanks!