[SRU][J/F][PATCH 0/1] fix ntlmssp auth when there is no key exchange

Robert Malz robert.malz at canonical.com
Wed Apr 17 10:38:54 UTC 2024


BugLink: https://bugs.launchpad.net/bugs/2061986

[ Impact ]

 * Mounting SMB share from server without Key Exchange capability is failing with Access Denied error

 * Even though SMB server during Session Setup Response in NTLMSSP_CHALLANGE message does not advertise
   Key Exchange capabilities SMB client < 5.16 will forcefully use it leading to error response during
   TCON requests.

 * Issue can be reproduced on 5.15 or older Kernels, there is no reproduction on 6.5 Kernel

 * This scenario was fixed in upstream commit 9de0737d5ba0425c3154d5d83da12a8fa8595c0f

 * An example of server without Key Exchange capability is Oracle Solaris 11.4 SMB zfs, meaning
   mounting share from that server will result in ACCESS_DENIED error.

[ Test Plan ]

 * So far issue was reported only with Oracle Solaris 11.04 smb server and Ubuntu with Kernel <= 5.15

 * To reproduce, setup Oracle Solaris SMB server and try to mount share on 22.04/20.04 (5.15/5.04)

 * With server configured, mount share using ubuntu SMB client
   Expected result: mount operation should succeed
   Actual result: mount returns Permission denied error

[ Where problems could occur ]

 * Upstream patch is changing smb client behavior based on server NTLMSSP_CHALLENGE Negotiate Flags,
   if server does not advertise Key Exchange Capability but requires it from client communication might
   be broken. It is unknown if such servers are used, such instance should be treated as a server bug.

 * Patch is available in upstream kernel since 5.16, any issues associated with it should be already
   detected.

 * Patch adds additional requirement checks on server NTLM flags, although it is possible to hit
   these checks, I was not able to find any instances of that occurring.

 * To lower regression potential, upstream patch backported to Ubuntu 5.15 and 5.04 Kernels have been
   tested in following environments:
   smb server: Oracle Solaris 11.04, Ubuntu 22.04 HWE
   smb client: Ubuntu 22.04, Ubuntu 20.04
   During testing no issues have been detected.

[ Other Info ]

 * Error message coming from SMB client is the same as providing incorrect credentials, which might
   confuse users.

Paulo Alcantara (1):
  cifs: fix ntlmssp auth when there is no key exchange

 fs/cifs/sess.c | 54 +++++++++++++++++++++++++++++++++-----------------
 1 file changed, 36 insertions(+), 18 deletions(-)

-- 
2.34.1




More information about the kernel-team mailing list