Bug 5319 - Clear-text password connection on a Netapp Filer gives a 'Server Error (0x02)' with a 'Non specific error code'
Status: RESOLVED FIXED
Alias: None
Product: CifsVFS
Classification: Unclassified
Component: kernel fs
Version: 2.6
Hardware: x86 Linux
Importance: P3 major
Target Milestone: ---
Assignee: Steve French
URL: http://lists.samba.org/archive/linux-...
Reported: 2008-03-12 08:16 UTC by Ganael LAPLANCHE
Modified: 2008-09-01 05:31 UTC

Attachments
fix to allow plaintext lanman passwords (477 bytes, patch)
2008-08-27 15:04 UTC, Steve French
New tcpdump capture using the plaintext patch (1.35 KB, application/octet-stream)
2008-08-28 08:57 UTC, Ganael LAPLANCHE
2nd half of patch (464 bytes, patch)
2008-08-28 10:37 UTC, Steve French

Description Ganael LAPLANCHE 2008-03-12 08:16:27 UTC
Hi,

(see: http://lists.samba.org/archive/linux-cifs-client/2008-March/002722.html)

We use a Netapp filer that requires a clear-text password for authentication. The old smbfs module and helper work like a charm, while the new cifs ones abort the connection with a 'Server Error (0x02)' (Non specific error code).

The client machine runs Kubuntu 7.10 (kernel 2.6.22-14-generic) and the Cifs module v1.50 manually compiled with CONFIG_CIFS_WEAK_PW_HASH.

Our server runs Data Ontap v7.1 (same error on v7.2) and is configured to authenticate users in a standalone mode, against an LDAP server (that's why we need clear-text authentication).

Here are network captures:

* SMBFS (connection OK)
Command: smbmount //157.99.64.123/Sis /mnt/tmp -o username=martymac,netbiosname=CIFSCLT,workgroup=WORKGROUP
URL: http://contribs.martymac.com/misc/net-captures/mount.smbfs-20080307.pcap

* CIFS (error)
Command: mount.cifs //157.99.64.123/Sis /mnt/tmp -o user=martymac,netbiosname=CIFSCLT,domain=WORKGROUP

With 0x37 as SecurityFlags:
URL: http://contribs.martymac.com/misc/net-captures/mount.cifs-20080307.pcap
A clear-text password is requested by the server, but the client sends LANMAN hashes anyway. Connection ends with a Server Error (0x02).

With more restrictive SecurityFlags (0x20020):
URL: http://contribs.martymac.com/misc/net-captures/mount.cifs-0x20020-20080312.pcap
The clear-text password now appears during the 'Session Setup AndX Request' step. Unfortunately, the account used for the connection seems to be incorrect (a concatenation of the Domain, the client OS and the Lan manager without the very first letter) and there is no valid session key (0x00000000). Connection also ends with a Server Error (0x02).

For both tries, Syslog shows:

[10212.816000]  CIFS VFS: Send error in SessSetup = -5
[10212.816000]  CIFS VFS: cifs_mount failed w/return code = -5

I can provide more network traces / details if necessary...

Best regards,
Ganaël Laplanche.
Comment 1 Rasmus Ory Nielsen 2008-06-14 11:40:33 UTC
Any news on this one?
Comment 2 Steve French 2008-08-27 15:04:42 UTC
Created attachment 3511
fix to allow plaintext lanman passwords

Using this requires that /proc/fs/cifs/SecurityFlags be set to 0x30030 (i.e. LANMAN session setup, plaintext passwords).
Comment 3 Steve French 2008-08-27 15:06:47 UTC
I have attached a patch. I briefly tested it with Samba by setting password encryption to no in smb.conf. Plaintext authentication required setting /proc/fs/cifs/SecurityFlags to 0x30030 (enabling both LANMAN and also PLAINTEXT).
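Added example (not part of the bug report or of the cifs source): a small C decoder for the /proc/fs/cifs/SecurityFlags values quoted in this thread (0x37, 0x20020, 0x30030), usable to audit whether a client is allowed to fall back to LANMAN or plaintext session setup. The bit values follow the CIFSSEC_MAY_*/CIFSSEC_MUST_* definitions in the kernel's fs/cifs/cifsglob.h; the table and function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* "may" bits as defined by CIFSSEC_MAY_* in fs/cifs/cifsglob.h; the matching
 * "must" bit is the same value shifted left by 12 (0x20 -> 0x20000). */
struct secbit { unsigned int may; const char *name; int weak; };

static const struct secbit SECBITS[] = {
    { 0x01, "sign",      0 },
    { 0x02, "ntlm",      0 },
    { 0x04, "ntlmv2",    0 },
    { 0x08, "krb5",      0 },
    { 0x10, "lanman",    1 },  /* only honoured with CONFIG_CIFS_WEAK_PW_HASH */
    { 0x20, "plaintext", 1 },  /* only honoured with CONFIG_CIFS_WEAK_PW_HASH */
};

/* Writes the enabled mechanisms into out, comma separated, tagging required
 * ones with "(must)". Returns the number of weak mechanisms permitted
 * (LANMAN, plaintext), or -1 if out is too small. */
int describe_secflags(unsigned int flags, char *out, size_t outlen)
{
    size_t used = 0;
    int weak = 0;
    if (outlen == 0) return -1;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof(SECBITS) / sizeof(SECBITS[0]); i++) {
        const struct secbit *b = &SECBITS[i];
        if (!(flags & b->may))
            continue;
        int n = snprintf(out + used, outlen - used, "%s%s%s", used ? "," : "",
                         b->name, (flags & (b->may << 12)) ? "(must)" : "");
        if (n < 0 || (size_t)n >= outlen - used)
            return -1;
        used += (size_t)n;
        weak += b->weak;
    }
    return weak;
}

int main(void)
{
    const unsigned int seen[] = { 0x37, 0x20020, 0x30030 };  /* values from this thread */
    char buf[128];
    for (size_t i = 0; i < 3; i++) {
        int weak = describe_secflags(seen[i], buf, sizeof(buf));
        printf("0x%05x: %s (weak mechanisms permitted: %d)\n", seen[i], buf, weak);
    }
    return 0;
}
```

A non-zero return for the value read from /proc/fs/cifs/SecurityFlags means the client may send a LANMAN hash or a clear-text password if the server asks for one.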
Comment 4 Rasmus Ory Nielsen 2008-08-27 15:18:10 UTC
This is great news. Thanks.
Comment 5 Steve French 2008-08-27 15:40:18 UTC
If I can get fix feedback fairly quickly from other users, I will request a merge with mainline before 2.6.27 if possible.
Comment 6 Ganael LAPLANCHE 2008-08-28 08:54:24 UTC
Hi Steve,

First of all, thanks for the patch. Unfortunately, it does not work for me (still trying to mount our netapp shares).

Here is what I have done (cifs v1.52 + your patch, on gentoo, kernel 2.6.25):

# echo 0x30030 > /proc/fs/cifs/SecurityFlags
# mount.cifs //157.99.64.122/sis /mnt/cifs -o user=martymac,netbiosname=CIFSCLT,domain=WORKGROUP

Connection still ends with this error:
Aug 28 15:39:32 <machine> CIFS VFS: Send error in SessSetup = -5
Aug 28 15:39:32 <machine> CIFS VFS: cifs_mount failed w/return code = -5

With a little bit of verbosity:
# echo 1 > /proc/fs/cifs/cifsFYI
Aug 28 15:40:37 <machine> fs/cifs/cifsfs.c: Devname: //157.99.64.122/sis flags: 64
Aug 28 15:40:37 <machine> fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid: 16 with uid: 0
Aug 28 15:40:37 <machine> fs/cifs/connect.c: Domain name set
Aug 28 15:40:37 <machine> fs/cifs/connect.c: Username: martymac
Aug 28 15:40:37 <machine> fs/cifs/netmisc.c: address conversion returned 1 for 157.99.64.122
Aug 28 15:40:37 <machine> fs/cifs/connect.c: UNC: \\157.99.64.122\sis ip: 157.99.64.122
Aug 28 15:40:37 <machine> fs/cifs/connect.c: Socket created
Aug 28 15:40:37 <machine> fs/cifs/connect.c: sndbuf 16384 rcvbuf 87380 rcvtimeo 0x7fffffffffffffff
Aug 28 15:40:37 <machine> fs/cifs/connect.c: Demultiplex PID: 29640
Aug 28 15:40:37 <machine> fs/cifs/connect.c: Existing smb sess not found
Aug 28 15:40:37 <machine> fs/cifs/cifssmb.c: secFlags 0x30030
Aug 28 15:40:37 <machine> fs/cifs/transport.c: For smb_command 114
Aug 28 15:40:37 <machine> fs/cifs/transport.c: Sending smb of length 78
Aug 28 15:40:37 <machine> fs/cifs/connect.c: rfc1002 length 0x52
Aug 28 15:40:37 <machine> fs/cifs/cifssmb.c: Dialect: 2
Aug 28 15:40:37 <machine> fs/cifs/cifssmb.c: Max buf = 16472
Aug 28 15:40:37 <machine> fs/cifs/cifssmb.c: Signing disabled
Aug 28 15:40:37 <machine> fs/cifs/cifssmb.c: negprot rc 0
Aug 28 15:40:37 <machine> fs/cifs/connect.c: Security Mode: 0x1 Capabilities: 0xd3fd TimeAdjust: -7200
Aug 28 15:40:37 <machine> fs/cifs/sess.c: sess setup type 1
Aug 28 15:40:37 <machine> fs/cifs/sess.c: Negotiating LANMAN setting up strings
Aug 28 15:40:37 <machine> fs/cifs/transport.c: For smb_command 115
Aug 28 15:40:37 <machine> fs/cifs/transport.c: Sending smb:  total_len 159
Aug 28 15:40:37 <machine> fs/cifs/connect.c: rfc1002 length 0x27
Aug 28 15:40:37 <machine> fs/cifs/netmisc.c: Mapping smb error code 1 to POSIX err -5
Aug 28 15:40:37 <machine> fs/cifs/misc.c: Null buffer passed to cifs_small_buf_release
Aug 28 15:40:37 <machine> fs/cifs/sess.c: ssetup rc from sendrecv2 is -5
Aug 28 15:40:37 <machine> fs/cifs/sess.c: ssetup freeing small buf ffff8100679ecd40
Aug 28 15:40:37 <machine> CIFS VFS: Send error in SessSetup = -5
Aug 28 15:40:37 <machine> fs/cifs/connect.c: No session or bad tcon
Aug 28 15:40:37 <machine> fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 16) rc = -5
Aug 28 15:40:37 <machine> CIFS VFS: cifs_mount failed w/return code = -5

Best regards,

Ganaël.
Comment 7 Ganael LAPLANCHE 2008-08-28 08:57:06 UTC
Created attachment 3512
New tcpdump capture using the plaintext patch

This is a network capture (pcap file) taken while trying to connect to our netapp filer using the patch previously submitted.
Comment 8 Steve French 2008-08-28 10:23:05 UTC
The NetApp filer is negotiating Unicode but LANMAN session setup is ASCII only, so the following is what I am testing in order to work around this:

diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
index b537fad..252fdc0 100644
--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -409,6 +409,8 @@ CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses, int first_time,
 #ifdef CONFIG_CIFS_WEAK_PW_HASH
                char lnm_session_key[CIFS_SESS_KEY_SIZE];
 
+               pSMB->req.hdr.Flags2 &= ~SMBFLG2_UNICODE;
+
                /* no capabilities flags in old lanman negotiation */
 
                pSMB->old_req.PasswordLength = cpu_to_le16(CIFS_SESS_KEY_SIZE);
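Review bot: The added line pSMB->req.hdr.Flags2 &= ~SMBFLG2_UNICODE; carries no comment, although it is the whole workaround. A short comment stating that LANMAN session setup is ASCII only, so the Unicode flag is cleared even when the server negotiated Unicode, would keep a later cleanup from dropping it. The line also reaches the header through pSMB->req while the assignment just below it goes through pSMB->old_req; if old_req exposes the same header, using it here would read more consistently. Clearing the flag only changes what the header advertises, so the strings packed later in this request have to be written as ASCII, without Unicode alignment padding, under the same condition; that code is outside the hunk and should be checked together with it.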
Comment 9 Steve French 2008-08-28 10:37:28 UTC
Created attachment 3513
2nd half of patch

This fixes the Unicode alignment problem with the ASCII strings during session setup lanman style. It applies on top of the previous patch.
Comment 10 Steve French 2008-08-28 10:38:57 UTC
Tested and seems to fix the problem - let us know if you see any other problems. Some day I would like to add a "sec=plaintext" (or something similar to indicate forcing plaintext authentication) mount option, but I don't want to add a mount option change this late in the 2.6.27 release cycle.
Comment 11 Ganael LAPLANCHE 2008-08-29 03:27:32 UTC
Great! It works for me, thanks :)

The umount step seems to be quite long (but should not be related to this bug report). I still have to investigate...

Best regards,

Ganaël.
Comment 12 Steve French 2008-08-31 17:45:00 UTC
The long umount was caused by the cifs client rejecting a malformed ulogoffX response from the NetApp filer (presumably they have fixed that in later versions). Since buffer overflow is a possibility if a client chooses not to validate internal structure lengths in responses, we chose to leave the length checks in, in most cases. I don't think we were able to relax the strict length checks for this case - but the only harm is a slightly longer unmount (the cifs client closes the session when it does not get a valid response anyway) and the server may already be fixed by now. I have reported it to NetApp at least twice.
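Added example, not the cifs client's code: the kind of internal length validation comment 12 refers to, sketched in C for an SMB1 frame. It follows the standard SMB1 layout (32-byte header, WordCount, parameter words, little-endian ByteCount, data); the strict-equality policy, the function names and the sample frames are this example's assumptions, and the frames are constructed, not the filer's actual response.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SMB_HDR_LEN 32u   /* fixed SMB1 header, starting at 0xFF 'S' 'M' 'B' */

enum smb_len_err { SMB_OK, SMB_SHORT, SMB_BAD_MAGIC, SMB_WORDS_OVERRUN, SMB_BCC_MISMATCH };

/* Accept a frame only if WordCount and ByteCount describe exactly the bytes
 * received (the RFC1002 payload length). Never reads past 'received'. */
enum smb_len_err smb_check_lengths(const uint8_t *buf, size_t received)
{
    if (received < SMB_HDR_LEN + 1 + 2)        /* header + WordCount + ByteCount */
        return SMB_SHORT;
    if (memcmp(buf, "\xffSMB", 4) != 0)
        return SMB_BAD_MAGIC;
    size_t bcc_off = SMB_HDR_LEN + 1 + 2 * (size_t)buf[SMB_HDR_LEN];
    if (bcc_off + 2 > received)                /* parameter words run past the frame */
        return SMB_WORDS_OVERRUN;
    size_t bcc = buf[bcc_off] | ((size_t)buf[bcc_off + 1] << 8);  /* little-endian */
    if (bcc_off + 2 + bcc != received)         /* data area is not the size claimed */
        return SMB_BCC_MISMATCH;
    return SMB_OK;
}

/* Constructed sample: a 39-byte LOGOFF_ANDX (0x74) response carrying two real
 * parameter words and no data, with caller-chosen WordCount/ByteCount fields. */
size_t build_sample(uint8_t buf[64], uint8_t wc_field, uint16_t bcc_field)
{
    memset(buf, 0, 64);
    memcpy(buf, "\xffSMB\x74", 5);
    buf[SMB_HDR_LEN] = wc_field;
    buf[SMB_HDR_LEN + 1] = 0xff;               /* AndXCommand: no further command */
    buf[SMB_HDR_LEN + 5] = (uint8_t)(bcc_field & 0xff);
    buf[SMB_HDR_LEN + 6] = (uint8_t)(bcc_field >> 8);
    return SMB_HDR_LEN + 1 + 4 + 2;
}

int main(void)
{
    uint8_t f[64];
    size_t n = build_sample(f, 2, 0);
    printf("consistent frame:      %d\n", (int)smb_check_lengths(f, n));
    n = build_sample(f, 2, 0x0100);
    printf("ByteCount overstated:  %d\n", (int)smb_check_lengths(f, n));
    n = build_sample(f, 10, 0);
    printf("WordCount overstated:  %d\n", (int)smb_check_lengths(f, n));
    return 0;
}
```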
Comment 13 Ganael LAPLANCHE 2008-09-01 05:31:17 UTC
Hi Steve,

Ok, thanks for clarifying this :)