From a013689ddb2a4ba5f0452c053c0bf00bafb686f1 Mon Sep 17 00:00:00 2001 From: Steve French Date: Thu, 4 Oct 2007 20:05:09 +0000 Subject: [CIFS] Fix cifsd so shuts down when signing fails during mount Fixes two problems: 1) we dropped down to negotiating lanman if we did not recognize the mechanism (krb5 e.g.) 2) we did not stop cifsd (thus will fail when doing rmod cifs with slab free errors) when we fail tcon but have a bad session (which is the case in which signing is required but we don't allow signing on the client) It also turns on extended security flag in the header when passing "sec=krb5" on mount command (although kerberos support is not done of course) Acked-by: Jeff Layton CC: Shaggy Signed-off-by: Steve French --- fs/cifs/cifssmb.c | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) (limited to 'fs/cifs/cifssmb.c') diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c index 90b8f8d64d6e..fda8b2490263 100644 --- a/fs/cifs/cifssmb.c +++ b/fs/cifs/cifssmb.c @@ -438,8 +438,13 @@ CIFSSMBNegotiate(unsigned int xid, struct cifsSesInfo *ses) pSMB->hdr.Mid = GetNextMid(server); pSMB->hdr.Flags2 |= (SMBFLG2_UNICODE | SMBFLG2_ERR_STATUS); + if ((secFlags & CIFSSEC_MUST_KRB5) == CIFSSEC_MUST_KRB5) pSMB->hdr.Flags2 |= SMBFLG2_EXT_SEC; + else if ((secFlags & CIFSSEC_AUTH_MASK) == CIFSSEC_MAY_KRB5) { + cFYI(1, ("Kerberos only mechanism, enable extended security")); + pSMB->hdr.Flags2 |= SMBFLG2_EXT_SEC; + } count = 0; for (i = 0; i < CIFS_NUM_PROT; i++) { @@ -573,7 +578,20 @@ CIFSSMBNegotiate(unsigned int xid, struct cifsSesInfo *ses) server->secType = NTLM; else if (secFlags & CIFSSEC_MAY_NTLMV2) server->secType = NTLMv2; - /* else krb5 ... any others ... */ + else if (secFlags & CIFSSEC_MAY_KRB5) + server->secType = Kerberos; + else if (secFlags & CIFSSEC_MAY_LANMAN) + server->secType = LANMAN; +/* #ifdef CONFIG_CIFS_EXPERIMENTAL + else if (secFlags & CIFSSEC_MAY_PLNTXT) + server->secType = ?? +#endif */ + else { + rc = -EOPNOTSUPP; + cERROR(1, ("Invalid security type")); + goto neg_err_exit; + } + /* else ... any others ...? */ /* one byte, so no need to convert this or EncryptionKeyLen from little endian */ @@ -3089,8 +3107,7 @@ CIFSSMBGetCIFSACL(const int xid, struct cifsTconInfo *tcon, __u16 fid, goto qsec_out; pSMBr = (struct smb_com_ntransact_rsp *)iov[0].iov_base; - cERROR(1, ("smb %p parm %p data %p", - pSMBr, parm, psec_desc)); /* BB removeme BB */ + cFYI(1, ("smb %p parm %p data %p", pSMBr, parm, psec_desc)); if (le32_to_cpu(pSMBr->ParameterCount) != 4) { rc = -EIO; /* bad smb */ -- cgit v1.2.3