Bug 729437 - cifs: fix NTLMSSP based signing to samba
Summary: cifs: fix NTLMSSP based signing to samba
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: kernel
Version: 6.2
Hardware: Unspecified
OS: Unspecified
low
low
Target Milestone: rc
: ---
Assignee: Jeff Layton
QA Contact: Jian Li
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-08-09 18:36 UTC by Jeff Layton
Modified: 2014-06-18 07:41 UTC (History)
5 users (show)

Fixed In Version: kernel-2.6.32-188.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-06 14:03:21 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1530 normal SHIPPED_LIVE Moderate: Red Hat Enterprise Linux 6 kernel security, bug fix and enhancement update 2011-12-06 01:45:35 UTC

Description Jeff Layton 2011-08-09 18:36:13 UTC
The 6.2 release has a stack of patches to add support for NTLMSSP authentication to cifs. There is one broken case however -- when NTLMSSP auth is used against samba and SMB signing is enabled, the client currently sends the wrong set of flags in some of the messages. Shirish P fixed this upstream recently, and fixing it for 6.2 would make testing easier:

commit a817f5fd6217851742546d6d1ee7d75512be30d0
Author: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
Date:   Tue Aug 9 14:31:55 2011 -0400

    cifs: Fix signing failure when server mandates signing for NTLMSSP

Comment 1 RHEL Product and Program Management 2011-08-09 18:40:03 UTC
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux maintenance release. Product Management has 
requested further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed 
products. This request is not yet committed for inclusion in an Update release.

Comment 3 Kyle McMartin 2011-08-15 12:50:30 UTC
Patch(es) available on kernel-2.6.32-188.el6

Comment 7 Jian Li 2011-09-22 17:01:52 UTC
Test patch "39926", using mount option "sec=ntlmi", test steps are listed below.

[root@ibm-x3650-01 ~]# tshark -w output.pcap -i lo tcp port 445 &
[1] 30732
[root@ibm-x3650-01 ~]# mount.cifs //localhost/test /mnt/test -o sec=ntlmi,user=root,password=redhat
##stop tshark
[root@ibm-x3650-01 ~]# grep BSRSPYL output.pcap 
Binary file output.pcap matches

Comment 8 Jian Li 2011-09-26 04:29:11 UTC
Test mounting with sec=ntlmsspi, cifs server uses samba with mandatory signing.

Comment 9 errata-xmlrpc 2011-12-06 14:03:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1530.html


Note You need to log in before you can comment on or make changes to this bug.