2022-05-04 08:07:26

by Paulo Alcantara

Subject: Re: CIFS regression mounting vers=1.0 NTLMSSP when hostname is too long

Byron Stanoszek <[email protected]> writes:

> I would like to report a regression in the CIFS fs. Sometime between Linux 4.14
> and 5.16, mounting CIFS with option vers=1.0 (and
> CONFIG_CIFS_ALLOW_INSECURE_LEGACY=y set appropriately) with security type
> NTLMSSP stopped working for me. The server side is a Windows 2003 Server.
>
> I found that this behavior depends on the length of the Linux client's
> host+domain name (e.g. utsname()->nodename), where the mount works as long as
> the name is 16 characters or less. Anything 17 or above returns -EIO, per the
> following example:

Looks like your server is expecting the WorkstationName field in
AUTHENTICATE_MESSAGE payload to be 16 bytes long. That is, NetBIOS name
length as per rfc1001.

> I implemented a workaround using the following patch:
>
> Signed-off-by: Byron Stanoszek <[email protected]>
> ---
> --- a/fs/cifs/cifsglob.h
> +++ b/fs/cifs/cifsglob.h
> @@ -101,7 +101,7 @@
> #define XATTR_DOS_ATTRIB "user.DOSATTRIB"
> #endif
>
> -#define CIFS_MAX_WORKSTATION_LEN (__NEW_UTS_LEN + 1) /* reasonable max for client */
> +#define CIFS_MAX_WORKSTATION_LEN 16
>
> /*
> * CIFS vfs client Status information (based on what we know.)
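Review bot: CIFS_MAX_WORKSTATION_LEN lives in cifsglob.h and, going by the comment the hunk removes ("reasonable max for client"), bounds the workstation name for every caller and every dialect, so dropping it from (__NEW_UTS_LEN + 1) to a bare 16 truncates the name globally rather than only on the SMB1 NTLMSSP path where the problem was seen; the hunk does not show how the name is copied into a buffer sized by this constant, so check that the copy still NUL-terminates after the cut. The new value also loses its comment; if 16 is the intended size, say why (the rfc1001 NetBIOS name length discussed in the reply) rather than leaving a magic number, and consider limiting the shorter name to the legacy session-setup code instead of changing the global limit.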
>
> I don't know if this patch is correct or will have any real effect outside of
> the NTLMSSP session connect sequence, but it worked in my case.

Perhaps we should use TCP_Server_Info::workstation_RFC1001_name in
fs/cifs/sess.c:build_ntlmssp_auth_blob() instead, only when connecting to
old servers by using insecure dialects -- like SMB1, in your case.


2022-05-04 22:53:49

by Steven French

Subject: Re: CIFS regression mounting vers=1.0 NTLMSSP when hostname is too long

makes sense - do you see anything related in the NTLMSSP doc?

Want to spin up a patch for SMB1 for this?

On 5/3/22 20:35, Paulo Alcantara wrote:
> Byron Stanoszek <[email protected]> writes:
>
>> I would like to report a regression in the CIFS fs. Sometime between Linux 4.14
>> and 5.16, mounting CIFS with option vers=1.0 (and
>> CONFIG_CIFS_ALLOW_INSECURE_LEGACY=y set appropriately) with security type
>> NTLMSSP stopped working for me. The server side is a Windows 2003 Server.
>>
>> I found that this behavior depends on the length of the Linux client's
>> host+domain name (e.g. utsname()->nodename), where the mount works as long as
>> the name is 16 characters or less. Anything 17 or above returns -EIO, per the
>> following example:
> Looks like your server is expecting the WorkstationName field in
> AUTHENTICATE_MESSAGE payload to be 16 bytes long. That is, NetBIOS name
> length as per rfc1001.
>
>> I implemented a workaround using the following patch:
>>
>> Signed-off-by: Byron Stanoszek <[email protected]>
>> ---
>> --- a/fs/cifs/cifsglob.h
>> +++ b/fs/cifs/cifsglob.h
>> @@ -101,7 +101,7 @@
>> #define XATTR_DOS_ATTRIB "user.DOSATTRIB"
>> #endif
>>
>> -#define CIFS_MAX_WORKSTATION_LEN (__NEW_UTS_LEN + 1) /* reasonable max for client */
>> +#define CIFS_MAX_WORKSTATION_LEN 16
>>
>> /*
>> * CIFS vfs client Status information (based on what we know.)
>>
>> I don't know if this patch is correct or will have any real effect outside of
>> the NTLMSSP session connect sequence, but it worked in my case.
> Perhaps we should use TCP_Server_Info::workstation_RFC1001_name in
> fs/cifs/sess.c:build_ntlmssp_auth_blob() instead, only when connecting to
> old servers by using insecure dialects -- like SMB1, in your case.

2022-05-09 08:00:13

by Paulo Alcantara

Subject: Re: CIFS regression mounting vers=1.0 NTLMSSP when hostname is too long

Hi Steve,

Steven French <[email protected]> writes:

> makes sense - do you see anything related in the NTLMSSP doc?

I'll quote some relevant parts from MS-NLMP which make sense to me:

3.1.5.1.2 Client Receives a CHALLENGE_MESSAGE from the Server
...
If the NTLMSSP_NEGOTIATE_VERSION flag is set by the client application,
the Version field MUST be set to the current version (section 2.2.2.10),
and the Workstation field MUST be set to NbMachineName.

3.2.1.1 Variables Internal to the Protocol
...
NbMachineName: A string that indicates the NetBIOS machine name of the
server.

2.2.2.1 AV_PAIR
...
MsvAvNbComputerName: The server's NetBIOS computer name. The name MUST
be in Unicode, and is not null-terminated. This type of information MUST
be present in the AV_pair list.

and indeed we set NTLMSSP_NEGOTIATE_VERSION in
fs/cifs/sess.c:build_ntlmssp_smb3_negotiate_blob().

Unless I missed something obvious, I think we should be sending the
NetBIOS name or simply truncate utsname()->nodename to 16 bytes as
previously proposed by Byron, regardless of what protocol version is being
used.

Tom, what is your opinion on that?
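As an added illustration, not code from this thread or from the kernel, here is a user-space C sketch of the two steps the discussion touches: deriving a NetBIOS-style workstation name from utsname()->nodename, cut at the 16 characters the server was observed to accept, and laying it out as the Workstation security buffer of an MS-NLMP AUTHENTICATE_MESSAGE. The function names, the "first DNS label, upper-cased" rule and the 16-byte cap are assumptions.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

/* Cap observed in the thread: 16-character names worked, 17 did not
 * (assumption: this is the bound the server enforces). */
#define NB_WORKSTATION_MAX 16

/* Hypothetical helper: NetBIOS-style workstation name from utsname()->nodename:
 * first DNS label, upper-cased, cut at NB_WORKSTATION_MAX.  'out' must hold
 * NB_WORKSTATION_MAX + 1 bytes.  Returns characters written, 0 on bad args. */
size_t nb_workstation_from_nodename(const char *nodename, char *out, size_t outsz)
{
    size_t n = 0;
    if (!nodename || outsz < NB_WORKSTATION_MAX + 1)
        return 0;
    while (nodename[n] && nodename[n] != '.' && n < NB_WORKSTATION_MAX) {
        out[n] = (char)toupper((unsigned char)nodename[n]);
        n++;
    }
    out[n] = '\0';                  /* always NUL-terminate after the cut */
    return n;
}

/* Hypothetical helper: lay 'name' out as the Workstation security buffer of an
 * MS-NLMP AUTHENTICATE_MESSAGE: 'fields' gets the 8-byte descriptor (Len u16,
 * MaxLen u16, BufferOffset u32, little endian), 'buf' the UTF-16LE payload
 * placed at 'offset' in the message.  Returns payload bytes, 0 if it won't fit. */
size_t ntlmssp_workstation_fields(const char *name, uint32_t offset,
                                  uint8_t fields[8], uint8_t *buf, size_t bufsz)
{
    size_t len = strlen(name) * 2, i;
    if (len > bufsz || len > 0xffff)
        return 0;
    for (i = 0; name[i]; i++) {     /* ASCII -> UTF-16LE */
        buf[2 * i] = (uint8_t)name[i];
        buf[2 * i + 1] = 0;
    }
    fields[0] = len & 0xff;            fields[1] = (len >> 8) & 0xff;
    fields[2] = fields[0];             fields[3] = fields[1];  /* MaxLen == Len */
    fields[4] = offset & 0xff;         fields[5] = (offset >> 8) & 0xff;
    fields[6] = (offset >> 16) & 0xff; fields[7] = (offset >> 24) & 0xff;
    return len;
}
```

With a constructed nodename such as "averyveryverylonghostname.example.com" the first helper yields "AVERYVERYVERYLON" (16 characters), which the second helper encodes as a 32-byte UTF-16LE payload with matching Len and MaxLen.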