Bug in NetApp Filer SMB protocol implementation make CIFS share unmountable from Ubuntu

Below is the patch posted to the upstream bug report which is basically a hack to work around the NetApp bug. Upstream even notes, "That doesn't quite look right... Just because the server supports extended security we can't assume that we're
actually using extended security. I think we'll need to do something different if we want to work around this netapp bug." With that said, I can build a jaunty test kernel for TESTING PURPOSES ONLY. This will not qualify for an SRU nor be supported going forward.

+++ cifssmb.c 2009-09-01 14:20:34.000000000 +0200
@@ -647,7 +647,8 @@
        if (pSMBr->EncryptionKeyLength == CIFS_CRYPTO_KEY_SIZE) {
                memcpy(server->cryptKey, pSMBr->u.EncryptionKey,
                       CIFS_CRYPTO_KEY_SIZE);
- } else if ((pSMBr->hdr.Flags2 & SMBFLG2_EXT_SEC)
+ } else if (((pSMBr->hdr.Flags2 & SMBFLG2_EXT_SEC)
+ || (server->capabilities & CAP_EXTENDED_SECURITY))
                        && (pSMBr->EncryptionKeyLength == 0)) {
                /* decode security blob */
        } else if (server->secMode & SECMODE_PW_ENCRYPT) {
@@ -657,7 +658,7 @@

        /* BB might be helpful to save off the domain of server here */

- if ((pSMBr->hdr.Flags2 & SMBFLG2_EXT_SEC) &&
+ if ((pSMBr->hdr.Flags2 & SMBFLG2_EXT_SEC) ||
                (server->capabilities & CAP_EXTENDED_SECURITY)) {
                count = pSMBr->ByteCount;
                if (count < 16) {

Understood. A kernel with the above patch applied would, at least, allow us to confirm that the bug is really where we think it is. We can then report our finding upstream to Samba, and collaborate to test a permanent solution.

Thanks a lot!

Test kernel is available at:

http://people.canonical.com/~ogasawara/lp479272/

Leann, would it be too much to ask for a 32 bits build? Thanks! :)

Hi Etienne,

I've pushed i386 builds to http://people.canonical.com/~ogasawara/lp479272/i386/

Thanks Leann. The patch works, to a certain extent. We can now mount a share from the NetApp Filer, where we could not before. However, we had to use option "sec=krb5" with mount.cifs, where "sec=krb5i" (Kerberos authentication with packet signing) would be preferred and works with other kerberized CIFS server.

For the record, the command line used to mount a share from the NetApp Filer is:

    $ mount.cifs -o sec=krb5,file_mode=0600,dir_mode=0700 //fqdn-of-netapp-filer/sharename /home/user/mountpoint

Also for the record, we are using Likewise Open 5.0.3991.1 (package likewise-open5 5.0.3991.1-0ubuntu2).

I was just about to post a bug report on krb-5 when I spotted this bug report.

Is it certain this is a samba bug? We were hit by it too, And I stumbled over this thread on the MIT mailing list:

http://mailman.mit.edu/pipermail/kerberos/2010-June/016213.html

Ubuntu 10.04 and 10.10 are affected (krb 1.8.1) , but the Debian Wheezy 20110328 works with our Netapp (and uses krb 1.8.3).

I just tested Lucid with the kerberos version from Sam Hartman's PPA (1.9.0) and I cannot connect to the netapp cifs share with it, I still get KRB5KRB_AP_ERR_MODIFIED back from the netapp.
I then realized the samba version in Wheezy would have a number of netapp related workarounds applied, which is why it works there.

So, sorry for the noise :-(

This bug was filed against a series that is no longer supported and so is being marked as Won't Fix. If this issue still exists in a supported series, please file a new bug.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.