ACK: [SRU][J/F][PATCH 0/1] fix ntlmssp auth when there is no key exchange

Stefan Bader stefan.bader at canonical.com
Wed Apr 24 15:30:58 UTC 2024 

On 17.04.24 12:38, Robert Malz wrote:
> BugLink: https://bugs.launchpad.net/bugs/2061986
> 
> [ Impact ]
> 
>   * Mounting SMB share from server without Key Exchange capability is failing with Access Denied error
> 
>   * Even though SMB server during Session Setup Response in NTLMSSP_CHALLANGE message does not advertise
>     Key Exchange capabilities SMB client < 5.16 will forcefully use it leading to error response during
>     TCON requests.
> 
>   * Issue can be reproduced on 5.15 or older Kernels, there is no reproduction on 6.5 Kernel
> 
>   * This scenario was fixed in upstream commit 9de0737d5ba0425c3154d5d83da12a8fa8595c0f
> 
>   * An example of server without Key Exchange capability is Oracle Solaris 11.4 SMB zfs, meaning
>     mounting share from that server will result in ACCESS_DENIED error.
> 
> [ Test Plan ]
> 
>   * So far issue was reported only with Oracle Solaris 11.04 smb server and Ubuntu with Kernel <= 5.15
> 
>   * To reproduce, setup Oracle Solaris SMB server and try to mount share on 22.04/20.04 (5.15/5.04)
> 
>   * With server configured, mount share using ubuntu SMB client
>     Expected result: mount operation should succeed
>     Actual result: mount returns Permission denied error
> 
> [ Where problems could occur ]
> 
>   * Upstream patch is changing smb client behavior based on server NTLMSSP_CHALLENGE Negotiate Flags,
>     if server does not advertise Key Exchange Capability but requires it from client communication might
>     be broken. It is unknown if such servers are used, such instance should be treated as a server bug.
> 
>   * Patch is available in upstream kernel since 5.16, any issues associated with it should be already
>     detected.
> 
>   * Patch adds additional requirement checks on server NTLM flags, although it is possible to hit
>     these checks, I was not able to find any instances of that occurring.
> 
>   * To lower regression potential, upstream patch backported to Ubuntu 5.15 and 5.04 Kernels have been
>     tested in following environments:
>     smb server: Oracle Solaris 11.04, Ubuntu 22.04 HWE
>     smb client: Ubuntu 22.04, Ubuntu 20.04
>     During testing no issues have been detected.
> 
> [ Other Info ]
> 
>   * Error message coming from SMB client is the same as providing incorrect credentials, which might
>     confuse users.
> 
> Paulo Alcantara (1):
>    cifs: fix ntlmssp auth when there is no key exchange
> 
>   fs/cifs/sess.c | 54 +++++++++++++++++++++++++++++++++-----------------
>   1 file changed, 36 insertions(+), 18 deletions(-)
> 

Acked-by: Stefan Bader <stefan.bader at canonical.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 48643 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20240424/cf621067/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20240424/cf621067/attachment-0001.sig>

More information about the kernel-team mailing list