ACK: [SRU][J/F][PATCH 0/1] fix ntlmssp auth when there is no key exchange
Roxana Nicolescu
roxana.nicolescu at canonical.com
Thu Apr 25 18:52:06 UTC 2024
On 17/04/2024 12:38, Robert Malz wrote:
> BugLink: https://bugs.launchpad.net/bugs/2061986
>
> [ Impact ]
>
> * Mounting SMB share from server without Key Exchange capability is failing with Access Denied error
>
> * Even though the SMB server does not advertise Key Exchange capabilities in the NTLMSSP_CHALLENGE
> message of its Session Setup Response, SMB client < 5.16 will forcefully use it, leading to an
> error response during TCON requests.
>
> * Issue can be reproduced on 5.15 or older Kernels, there is no reproduction on 6.5 Kernel
>
> * This scenario was fixed in upstream commit 9de0737d5ba0425c3154d5d83da12a8fa8595c0f
>
> * An example of server without Key Exchange capability is Oracle Solaris 11.4 SMB zfs, meaning
> mounting share from that server will result in ACCESS_DENIED error.
>
> [ Test Plan ]
>
> * So far issue was reported only with Oracle Solaris 11.04 smb server and Ubuntu with Kernel <= 5.15
>
> * To reproduce, set up an Oracle Solaris SMB server and try to mount a share on 22.04/20.04 (5.15/5.04)
>
> * With server configured, mount share using ubuntu SMB client
> Expected result: mount operation should succeed
> Actual result: mount returns Permission denied error
>
> [ Where problems could occur ]
>
> * Upstream patch is changing smb client behavior based on server NTLMSSP_CHALLENGE Negotiate Flags,
> if server does not advertise Key Exchange Capability but requires it from client communication might
> be broken. It is unknown if such servers are used, such instance should be treated as a server bug.
>
> * Patch is available in upstream kernel since 5.16, any issues associated with it should be already
> detected.
>
> * Patch adds additional requirement checks on server NTLM flags, although it is possible to hit
> these checks, I was not able to find any instances of that occurring.
>
> * To lower regression potential, the upstream patch backported to Ubuntu 5.15 and 5.04 Kernels has been
> tested in the following environments:
> smb server: Oracle Solaris 11.04, Ubuntu 22.04 HWE
> smb client: Ubuntu 22.04, Ubuntu 20.04
> During testing no issues have been detected.
>
> [ Other Info ]
>
> * Error message coming from SMB client is the same as providing incorrect credentials, which might
> confuse users.
>
> Paulo Alcantara (1):
> cifs: fix ntlmssp auth when there is no key exchange
>
> fs/cifs/sess.c | 54 +++++++++++++++++++++++++++++++++-----------------
> 1 file changed, 36 insertions(+), 18 deletions(-)
>
Acked-by: Roxana Nicolescu <roxana.nicolescu at canonical.com>
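
The negotiation rule described in the cover letter (the client should use key exchange only when the server's NTLMSSP_CHALLENGE Negotiate Flags advertise it), as an added example that is not part of this thread or of the upstream patch. Field offsets follow the MS-NLMP CHALLENGE_MESSAGE layout; the function names are hypothetical and both sample blobs are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NTLMSSP_NEGOTIATE_KEY_XCH 0x40000000u /* MS-NLMP NegotiateFlags bit */
#define CHALLENGE_TYPE 2u       /* MessageType of CHALLENGE_MESSAGE */
#define FLAGS_OFFSET   20       /* NegotiateFlags follows TargetNameFields */
#define CHALLENGE_MIN  32       /* header through 8-byte ServerChallenge */

/* Constructed samples: signature, type, empty TargetNameFields, flags, challenge. */
static const uint8_t challenge_no_kx[32] = {
	'N','T','L','M','S','S','P',0, 2,0,0,0, 0,0,0,0,0,0,0,0,
	0x15,0x02,0x08,0x20, 1,2,3,4,5,6,7,8 };   /* flags 0x20080215 */
static const uint8_t challenge_kx[32] = {
	'N','T','L','M','S','S','P',0, 2,0,0,0, 0,0,0,0,0,0,0,0,
	0x15,0x02,0x08,0x60, 1,2,3,4,5,6,7,8 };   /* flags 0x60080215 */

static uint32_t rd_le32(const uint8_t *p)
{
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
	       (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Store the server's NegotiateFlags; -1 if blob is not a CHALLENGE message. */
int challenge_flags(const uint8_t *blob, size_t len, uint32_t *flags)
{
	if (len < CHALLENGE_MIN || memcmp(blob, "NTLMSSP", 8) != 0 ||
	    rd_le32(blob + 8) != CHALLENGE_TYPE)
		return -1;
	*flags = rd_le32(blob + FLAGS_OFFSET);
	return 0;
}

/* 1: both sides offered key exchange; 0: client must not use it; -1: bad blob. */
int key_exchange_allowed(uint32_t client_flags, const uint8_t *blob, size_t len)
{
	uint32_t server_flags;
	if (challenge_flags(blob, len, &server_flags) < 0)
		return -1;
	return (client_flags & server_flags & NTLMSSP_NEGOTIATE_KEY_XCH) != 0;
}

int main(void)
{
	printf("no-kx server: %d\n", key_exchange_allowed(NTLMSSP_NEGOTIATE_KEY_XCH, challenge_no_kx, 32));
	printf("kx server:    %d\n", key_exchange_allowed(NTLMSSP_NEGOTIATE_KEY_XCH, challenge_kx, 32));
	return 0;
}
```

Running the same check on the NTLMSSP_CHALLENGE blob from a packet capture shows whether a Permission denied result comes from this flag mismatch rather than from wrong credentials.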