Merge tag '6.10-rc7-smb3-client-fix' of git://git.samba.org/sfrench/cifs-2.6

Pull smb client fix from Steve French: "Small fix, also for stable" * tag '6.10-rc7-smb3-client-fix' of git://git.samba.org/sfrench/cifs-2.6: cifs: fix setting SecurityFlags to true

Merge tag '6.10-rc7-smb3-client-fix' of git://git.samba.org/sfrench/cifs-2.6
Pull smb client fix from Steve French: "Small fix, also for stable" * tag '6.10-rc7-smb3-client-fix' of git://git.samba.org/sfrench/cifs-2.6: cifs: fix setting SecurityFlags to true
d0d0cd38 · Linus Torvalds · 528dd46d · d2346e28 · d0d0cd38 · d0d0cd38
Commit d0d0cd38 authored Jul 13, 2024 by Linus Torvalds
Hide whitespace changes
Inline Side-by-side

Showing with 13 additions and 27 deletions

Documentation/admin-guide/cifs/usage.rst Documentation/admin-guide/cifs/usage.rst +11 -25

fs/smb/client/cifsglob.h fs/smb/client/cifsglob.h +2 -2

No files found.
--- a/Documentation/admin-guide/cifs/usage.rst
+++ b/Documentation/admin-guide/cifs/usage.rst
@@ -723,40 +723,26 @@ Configuration pseudo-files:
 ======================= =======================================================
 SecurityFlags		Flags which control security negotiation and
 			also packet signing. Authentication (may/must)
-			flags (e.g. for NTLM and/or NTLMv2) may be combined with
+			flags (e.g. for NTLMv2) may be combined with
 			the signing flags.  Specifying two different password
 			hashing mechanisms (as "must use") on the other hand
 			does not make much sense. Default flags are::
-				0x07007
+				0x00C5
-			(NTLM, NTLMv2 and packet signing allowed).  The maximum
+			(NTLMv2 and packet signing allowed).  Some SecurityFlags
-			allowable flags if you want to allow mounts to servers
+			may require enabling a corresponding menuconfig option.
-			using weaker password hashes is 0x37037 (lanman,
-			plaintext, ntlm, ntlmv2, signing allowed).  Some
-			SecurityFlags require the corresponding menuconfig
-			options to be enabled.  Enabling plaintext
-			authentication currently requires also enabling
-			lanman authentication in the security flags
-			because the cifs module only supports sending
-			laintext passwords using the older lanman dialect
-			form of the session setup SMB.  (e.g. for authentication
-			using plain text passwords, set the SecurityFlags
-			to 0x30030)::
 			  may use packet signing			0x00001
 			  must use packet signing			0x01001
-			  may use NTLM (most common password hash)	0x00002
-			  must use NTLM					0x02002
 			  may use NTLMv2				0x00004
 			  must use NTLMv2				0x04004
-			  may use Kerberos security			0x00008
+			  may use Kerberos security (krb5)		0x00008
-			  must use Kerberos				0x08008
+			  must use Kerberos                             0x08008
-			  may use lanman (weak) password hash		0x00010
+			  may use NTLMSSP               		0x00080
-			  must use lanman password hash			0x10010
+			  must use NTLMSSP           			0x80080
-			  may use plaintext passwords			0x00020
+			  seal (packet encryption)			0x00040
-			  must use plaintext passwords			0x20020
+			  must seal (not implemented yet)               0x40040
-			  (reserved for future packet encryption)	0x00040
 cifsFYI			If set to non-zero value, additional debug information
 			will be logged to the system error log.  This field

--- a/fs/smb/client/cifsglob.h
+++ b/fs/smb/client/cifsglob.h
@@ -1918,8 +1918,8 @@ require use of the stronger protocol */
 #define   CIFSSEC_MUST_SEAL	0x40040 /* not supported yet */
 #define   CIFSSEC_MUST_NTLMSSP	0x80080 /* raw ntlmssp with ntlmv2 */
-#define   CIFSSEC_DEF (CIFSSEC_MAY_SIGN | CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_NTLMSSP)
+#define   CIFSSEC_DEF (CIFSSEC_MAY_SIGN | CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_NTLMSSP | CIFSSEC_MAY_SEAL)
-#define   CIFSSEC_MAX (CIFSSEC_MUST_NTLMV2)
+#define   CIFSSEC_MAX (CIFSSEC_MAY_SIGN | CIFSSEC_MUST_KRB5 | CIFSSEC_MAY_SEAL)
 #define   CIFSSEC_AUTH_MASK (CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_KRB5 | CIFSSEC_MAY_NTLMSSP)
 /*
 *****************************************************************