From: Steve French
Date: Wed, 27 Jul 2022 21:27:13 -0500
Subject: Re: Possible regression: unable to mount CIFS 1.0 shares from older machines since 76a3c92ec9e0668e4cd0e9ff1782eb68f61a179c
To: Clemens Leu
Cc: Linus Torvalds, Davyd McColl, CIFS, LKML, Thorsten Leemhuis, regressions@lists.linux.dev, ronnie sahlberg, samba-technical
X-Mailing-List: linux-kernel@vger.kernel.org

Is using userspace tools (like Samba's "ftp like" smbclient tool) an
option to migrate these files?

On Wed, Jul 27, 2022 at 3:04 PM Clemens Leu wrote:
>
> Hi all
>
> Here follows now another practical reason why it is at the moment a
> quite unhappy decision to ditch the NTLM/CIFS 1.0 support entirely.
>
> I am on Kubuntu 20.04 LTS and the access to my Apple Time Capsule worked
> fine. This changed when kernel 5.15.0-41-generic was installed some time
> ago. Since then I have in dmesg the known "kernel: bad security option:
> ntlm" and "kernel: CIFS: VFS: bad security option: ntlm" messages and no
> access is possible any longer to the Time Capsule.
>
> So it looks like commit "[76a3c92ec9e0668e4cd0e9ff1782eb68f61a179c]
> cifs: remove support for NTLM and weaker authentication algorithms" has
> completely broken my Time Capsule access.
>
> Yes, I know, ntlm is more than 20 years old and a quite insecure
> protocol. It is absolutely understandable to disable it by default.
> However, it should be also regarded that there exist companies which
> decided because of narrow-minded reasons to implement only the old SMB1
> protocol also on not so old hardware. Apple is such an example, they
> really implemented on all of their Time Capsule models (which were using
> a special Samba implementation) only the stone-age variant of SMB/NTLM.
> This is true even for the last 2013 variant which was discontinued on
> April 26, 2018. Apple could for sure support a more recent SMB version
> but they didn't do it most likely to make their own AFP3 protocol look
> and perform better.
>
> So the alternative would be AFP in my case, unfortunately it's not so
> easy. While we have thanks to Netatalk a rock-solid AFP support in Linux
> at the server side, this is unfortunately not true for the client one.
> The corresponding "afpfs-ng" (Apple Filing Protocol Library, a client
> implementation of the Apple Filing Protocol) project is unmaintained and
> dormant for years.
>
> Long story short, the current situation in this topic is as I said quite
> unhappy. While I fully agree to disable NTLM/CIFS 1.0 by default, it
> shouldn't be removed entirely. Maybe it is possible to enable it only
> for accessing older network volumes/shares while at the same time block
> the possibility to create insecure NTLM network shares? I am aware that
> the risk in enabling this old and flawed protocol will be my own
> problem. I won't complain if I get into trouble because of it. ;-)
> Unfortunately I have no alternative other than buying a new NAS or
> downgrading to an older kernel which is also not a really practical option.
>
> Whatever, many thanks for all your great work!
>

--
Thanks,

Steve
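
An added example, not part of the thread or of the kernel or Samba projects: a pre-upgrade check that lists CIFS entries in fstab-format input whose `sec=` value would produce the "bad security option: ntlm" failure quoted above. Only `ntlm` is named in the thread; treating `ntlmi` and `lanman` as the other "weaker authentication algorithms" is an assumption, and the sample entries and host names are constructed.

```shell
#!/bin/sh
# Flag CIFS mounts that still request an authentication mode the kernel
# rejects after the commit discussed in the thread.
# "ntlm" comes from the thread; "ntlmi" and "lanman" are ASSUMED to be the
# "weaker authentication algorithms" the commit subject refers to.
REMOVED_SEC="ntlm ntlmi lanman"

# Reads fstab-format text on stdin, prints "<mountpoint>: sec=<value>"
# for every cifs/smb3 entry that uses a removed sec= value.
audit_cifs_fstab() {
    awk -v removed="$REMOVED_SEC" '
        BEGIN { n = split(removed, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
        /^[ \t]*#/ || NF < 4 { next }            # skip comments and short lines
        $3 != "cifs" && $3 != "smb3" { next }    # only CIFS-family mounts
        {
            m = split($4, opt, ",")              # mount options are comma-separated
            for (i = 1; i <= m; i++) {
                if (opt[i] ~ /^sec=/) {
                    v = tolower(substr(opt[i], 5))
                    if (v in bad) print $2 ": " opt[i]
                }
            }
        }'
}

# Constructed sample input (hosts, paths and options are illustrative only).
sample_fstab() {
cat <<'EOF'
# <fs> <mountpoint> <type> <options> <dump> <pass>
//timecapsule.example/Data /mnt/tc cifs vers=1.0,sec=ntlm,credentials=/etc/tc.cred 0 0
//nas.example/share /mnt/nas cifs vers=3.0,sec=ntlmssp,credentials=/etc/nas.cred 0 0
UUID=0000-0000 / ext4 defaults,sec=ntlm 0 1
//old.example/pub /mnt/old cifs guest,sec=lanman 0 0
EOF
}

sample_fstab | audit_cifs_fstab
```

To check a real host, feed it the live table: `audit_cifs_fstab < /etc/fstab`.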