linux/fs/cifs
Germano Percossi 395664439c Fix default behaviour for empty domains and add domainauto option
With commit 2b149f119 many things have been fixed/introduced.
However, the default behaviour for RawNTLMSSP authentication
seems to be wrong in case the domain is not passed on the command line.

The main points (see below) of the patch are:
 - It aligns behaviour with Windows clients
 - It fixes backward compatibility
 - It fixes UPN

I compared this behaviour with the one from a Windows 10 command line
client. When no domains are specified on the command line, I traced
the packets and observed that the client does send an empty
domain to the server.
In the Linux kernel case, the empty domain is replaced by the
primary domain communicated by the SMB server.
This means that, if the credentials are valid against the local server
but that server is part of a domain, then the kernel module will
ask to authenticate against that domain and we will get LOGON failure.

I compared the packet trace from the smbclient when no domain is passed
and, in that case, a default domain from the client smb.conf is taken.
Apparently, connection succeeds anyway, because when the domain passed
is not valid (in my case WORKGROUP), then the local one is tried and
authentication succeeds. I tried with any kind of invalid domain and
the result was always a connection.

So, trying to interpret what to do and picking a valid domain if none
is passed, seems the wrong thing to do.
To this end, a new option "domainauto" has been added in case the
user wants a mechanism for guessing.

Without this patch, backward compatibility also is broken.
With kernel 3.10, the default auth mechanism was NTLM.
One of our testing servers accepted NTLM and, because no
domains are passed, authentication was local.

Moving to RawNTLMSSP forced us to change our command line
to add a fake domain to pass, to prevent this mechanism from kicking in.

For the same reasons, UPN is broken because the domain is specified
in the username.
The SMB server will work out the domain from the UPN and authenticate
against the right server.
Without the patch, though, given the domain is empty, it gets replaced
with another domain that could be the wrong one for the authentication.

Signed-off-by: Germano Percossi <germano.percossi@citrix.com>
Acked-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Steve French <smfrench@gmail.com>
2016-12-15 01:42:38 -06:00
..
asn1.c [CIFS] cifs: Rename cERROR and cFYI to cifs_dbg 2013-05-04 22:17:23 -05:00
cache.c [CIFS] cifs: Rename cERROR and cFYI to cifs_dbg 2013-05-04 22:17:23 -05:00
cifs_debug.c Display number of credits available 2016-10-12 12:08:31 -05:00
cifs_debug.h lib: update single-char callers of strtobool() 2016-03-17 15:09:34 -07:00
cifs_dfs_ref.c cifs: remove any preceding delimiter from prefix_path 2016-05-17 14:09:33 -05:00
cifs_fs_sb.h CIFS: Add new mount option to set owner uid and gid from special sids in acl 2016-10-14 14:22:01 -05:00
cifs_ioctl.h Enable previous version support 2016-10-13 19:48:11 -05:00
cifs_spnego.c cifs: Create dedicated keyring for spnego operations 2016-05-19 21:56:30 -05:00
cifs_spnego.h
cifs_unicode.c File names with trailing period or space need special case conversion 2016-06-24 12:05:52 -05:00
cifs_unicode.h File names with trailing period or space need special case conversion 2016-06-24 12:05:52 -05:00
cifs_uniupr.h
cifsacl.c CIFS: Retrieve uid and gid from special sid if enabled 2016-10-14 14:22:16 -05:00
cifsacl.h cifs: fix SID binary to string conversion 2012-12-11 11:48:49 -06:00
cifsencrypt.c Fix default behaviour for empty domains and add domainauto option 2016-12-15 01:42:38 -06:00
cifsfs.c CIFS: Add new mount option to set owner uid and gid from special sids in acl 2016-10-14 14:22:01 -05:00
cifsfs.h cifs: don't use ->d_time 2016-09-16 12:44:21 +02:00
cifsglob.h Fix default behaviour for empty domains and add domainauto option 2016-12-15 01:42:38 -06:00
cifspdu.h Add way to query server fs info for smb3 2015-08-20 10:19:25 -05:00
cifsproto.h CIFS: Fix a possible memory corruption during reconnect 2016-12-05 12:08:33 -08:00
cifssmb.c CIFS: iterate over posix acl xattr entry correctly in ACL_to_cifs_posix() 2016-11-28 23:08:53 -06:00
connect.c Fix default behaviour for empty domains and add domainauto option 2016-12-15 01:42:38 -06:00
dir.c cifs: don't use ->d_time 2016-09-16 12:44:21 +02:00
dns_resolve.c cifs: fix composing of mount options for DFS referrals 2013-05-24 13:08:31 -05:00
dns_resolve.h
export.c [CIFS] cifs: Rename cERROR and cFYI to cifs_dbg 2013-05-04 22:17:23 -05:00
file.c CIFS: Fix a possible double locking of mutex during reconnect 2016-12-05 12:52:01 -08:00
fscache.c NFS client updates for Linux 3.13 2013-11-08 05:57:46 +09:00
fscache.h CIFS: FS-Cache: Uncache unread pages in cifs_readpages() before freeing them 2013-09-18 10:17:03 -05:00
inode.c Merge remote-tracking branch 'jk/vfs' into work.misc 2016-10-08 11:06:08 -04:00
ioctl.c CIFS: Decrease verbosity of ioctl call 2016-12-02 16:04:33 -08:00
Kconfig Allow parsing vers=3.11 on cifs mount 2015-06-27 20:23:32 -07:00
link.c cifs: use %16phN for formatting md5 sum 2016-12-15 00:21:37 -06:00
Makefile cifs: Switch to generic xattr handlers 2016-04-23 15:33:03 -04:00
misc.c Clarify locking of cifs file and tcon structures and make more granular 2016-10-12 12:08:32 -05:00
netmisc.c Fix signed/unsigned pointer warning 2014-12-14 14:55:57 -06:00
nterr.c CIFS: Rename 7 error codes to NT_ style 2012-07-24 10:25:10 -05:00
nterr.h CIFS: Rename 7 error codes to NT_ style 2012-07-24 10:25:10 -05:00
ntlmssp.h cifs: dynamic allocation of ntlmssp blob 2016-06-23 23:45:07 -05:00
readdir.c Clarify locking of cifs file and tcon structures and make more granular 2016-10-12 12:08:32 -05:00
rfc1002pdu.h
sess.c cifs: check hash calculating succeeded 2016-06-23 23:45:17 -05:00
smb1ops.c Fix that several functions handle incorrect value of mapchars 2015-05-10 19:56:35 -05:00
smb2file.c CIFS: Fix a possible memory corruption in push locks 2016-12-05 11:08:55 -08:00
smb2glob.h SMB3: Add mount parameter to allow user to override max credits 2016-10-12 12:08:33 -05:00
smb2inode.c Do not send SMB3 SET_INFO request if nothing is changing 2016-10-13 19:46:51 -05:00
smb2maperror.c Fix problem recognizing symlinks 2014-10-02 14:10:04 -05:00
smb2misc.c Clarify locking of cifs file and tcon structures and make more granular 2016-10-12 12:08:32 -05:00
smb2ops.c Cleanup missing frees on some ioctls 2016-10-13 19:48:20 -05:00
smb2pdu.c CIFS: Fix a possible double locking of mutex during reconnect 2016-12-05 12:52:01 -08:00
smb2pdu.h CIFS: Fix a possible double locking of mutex during reconnect 2016-12-05 12:52:01 -08:00
smb2proto.h CIFS: Fix a possible memory corruption during reconnect 2016-12-05 12:08:33 -08:00
smb2status.h CIFS: Add SMB2 status codes 2012-07-24 10:25:13 -05:00
smb2transport.c cifs: merge the hash calculation helpers 2016-03-28 14:05:27 -04:00
smbencrypt.c cifs: Fix smbencrypt() to stop pointing a scatterlist at the stack 2016-12-14 01:44:16 -06:00
smberr.h
smbfsctl.h [SMB3] Send durable handle v2 contexts when use of persistent handles required 2015-11-03 09:26:27 -06:00
transport.c cifs: quit playing games with draining iovecs 2016-03-28 14:05:32 -04:00
winucase.c [CIFS] quiet sparse compile warning 2013-09-08 14:54:24 -05:00
xattr.c Add way to query creation time of file via cifs xattr 2016-10-12 12:08:31 -05:00