Bug in NetApp Filer SMB protocol implementation makes CIFS share unmountable from Ubuntu
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
samba | Fix Released | Medium | |
linux (Ubuntu) | Won't Fix | Medium | Unassigned |
Bug Description
Reportedly, a bug in the NetApp Filer SMB protocol implementation makes it impossible to mount a CIFS share on such a server from Ubuntu using mount.cifs and the cifs kernel module when using Kerberos authentication. The problem is being discussed in the upstream Samba bug tracker at:
https:/
The bug is triggered by trying to mount the CIFS share using a command such as:
mount.cifs //netappfiler/share /mnt -o sec=krb5i
Note that using sec=krb5 does not work either. When using NTLM authentication (by not specifying a sec=... mount option), the mount works as expected.
This has been confirmed in jaunty so far on kernel 2.6.28-15-generic. We are in the process of testing on karmic, and on jaunty using a mainline kernel.
We have logs, but the contents are somewhat sensitive and would take great effort to sanitize. The important bit is that we have exactly the same error in dmesg as the snippet that is posted in the upstream Samba bug report linked above (dialect:2; negprot rc -5). If you need anything specific in terms of logs, please ask and I will get it for you.
affects: linux-meta (Ubuntu) → linux (Ubuntu)
Changed in samba:
status: Unknown → In Progress
Changed in samba:
importance: Unknown → Medium
Changed in samba:
status: In Progress → Fix Released
Below is the patch posted to the upstream bug report which is basically a hack to work around the NetApp bug. Upstream even notes, "That doesn't quite look right... Just because the server supports extended security we can't assume that we're actually using extended security. I think we'll need to do something different if we want to work around this netapp bug." With that said, I can build a jaunty test kernel for TESTING PURPOSES ONLY. This will not qualify for an SRU nor be supported going forward.
+++ cifssmb.c 2009-09-01 14:20:34.000000000 +0200 >EncryptionKeyL ength == CIFS_CRYPTO_ KEY_SIZE) {
memcpy( server- >cryptKey, pSMBr-> u.EncryptionKey ,
CIFS_ CRYPTO_ KEY_SIZE) ; >hdr.Flags2 & SMBFLG2_EXT_SEC) >capabilities & CAP_EXTENDED_ SECURITY) )
&& (pSMBr- >EncryptionKeyL ength == 0)) {
@@ -647,7 +647,8 @@
if (pSMBr-
- } else if ((pSMBr->hdr.Flags2 & SMBFLG2_EXT_SEC)
+ } else if (((pSMBr-
+ || (server-
/* decode security blob */
} else if (server->secMode & SECMODE_PW_ENCRYPT) {
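Review bot: the added `|| (server->capabilities & CAP_EXTENDED_SECURITY)` term in the `else if` sends a reply down the "decode security blob" path whenever the server merely advertises the capability and `EncryptionKeyLength == 0`, even when the reply's `Flags2` does not carry `SMBFLG2_EXT_SEC`. Such replies previously fell through to the `server->secMode & SECMODE_PW_ENCRYPT` branch below, which they can no longer reach. Advertising a capability is not the same as having negotiated it for this session, which is the objection upstream raises in the quote above. Suggest narrowing the test to the specific NetApp reply it is meant to tolerate, and adding a comment at this line saying why the `Flags2` check is relaxed.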
@@ -657,7 +658,7 @@
/* BB might be helpful to save off the domain of server here */
- if ((pSMBr->hdr.Flags2 & SMBFLG2_EXT_SEC) &&
(server- >capabilities & CAP_EXTENDED_ SECURITY) ) {
count = pSMBr->ByteCount;
+ if ((pSMBr->hdr.Flags2 & SMBFLG2_EXT_SEC) ||
if (count < 16) {
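Review bot: changing `&&` to `||` in the `if` after the "BB might be helpful" comment means the `count = pSMBr->ByteCount` / `if (count < 16)` parsing now runs when only one of `SMBFLG2_EXT_SEC` and `CAP_EXTENDED_SECURITY` is set, and the test no longer matches the one in the -647 hunk, which also requires `EncryptionKeyLength == 0`. If this `if` is nested inside that earlier branch (the visible context does not show it), the new condition is always true there and can be dropped. If it is not nested, the two sites now decide "extended security is in use" by different rules. Either way, suggest computing that decision once, reusing it at both sites, and marking it as a NetApp workaround in a comment.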