Public bug reported:
[ Impact ]
* Mounting SMB share from server without Key Exchange capability is failing with Access Denied error
* Even though SMB server during Session Setup Response in NTLMSSP_CHALLENGE message does not advertise Key Exchange capabilities, SMB client < 5.16 will forcefully use it, leading to error response during TCON requests.
* Issue can be reproduced on 5.15 or older Kernels, there is no reproduction on 6.5 Kernel
* This scenario was fixed in upstream commit 9de0737d5ba0425c3154d5d83da12a8fa8595c0f
* An example of server without Key Exchange capability is Oracle Solaris 11.4 SMB zfs, meaning mounting share from that server will result in ACCESS_DENIED error.
[ Test Plan ]
* So far issue was reported only with Oracle Solaris 11.04 smb server and Ubuntu with Kernel <= 5.15
* To reproduce, set up Oracle Solaris SMB server and try to mount share on 22.04/20.04 (5.15/5.04)
Steps to configure SMB server:
1. Download the ISO for Oracle Solaris Common Build Edition [1]
2. Create a VM with at least 16 GB of memory - I have experienced installation issues with less memory
3. Install Oracle Solaris using the downloaded ISO
a. Make sure to create a test user
4. Log into the VM as the root user
5. Create a test directory for the share:
a. mkdir /smbshare && chmod 777 /smbshare
6. Disable the normal Samba daemon: [2]
a. svcadm disable svc:/network/samba
b. svcadm disable svc:/network/wins
7. Configure the server to serve Samba shares using ZFS in Workgroup mode [3]
a. svcadm enable -r smb/server
b. smbadm join -w workgroup
8. Update the /etc/pam.d/other file to require authentication by adding the following line:
a. password required pam_smb_passwd.so.1 nowarn
9. Reset the password for the test user so that it is updated in the SMB password database
10. Create the pool and share it using Samba: [4]
a. zfs create -o mountpoint=/smbshare/ rpool/smbshare
b. zfs share -o share.smb=on rpool/smbshare%share
[1] <https://www.oracle.com/solaris/solaris11/downloads/solaris-downloads.html>
[2] <https://docs.oracle.com/cd/E26502_01/html/E29004/migratingfromsamba.html#scrolltoc>
[3] <https://docs.oracle.com/cd/E26502_01/html/E29004/configuringoperationmodetm.html#configureworkgroupmodetask>
[4] <https://docs.oracle.com/cd/E26502_01/html/E29004/managingsmbshares.html#createstaticsmbsharezfstask>
* With server configured, mount share using ubuntu SMB client
Expected result: mount operation should succeed
Actual result: mount returns following error:
root@ubuntu20:/mnt# mount -t cifs -o username=rmalz //192.168.50.217/smbshare test
Password for rmalz@//192.168.50.217/smbshare: ********
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
[ Where problems could occur ]
* Upstream patch is changing smb client behavior based on server NTLMSSP_CHALLENGE Negotiate Flags; if server does not advertise Key Exchange Capability but requires it from client, communication might be broken. It is unknown if such servers are used; such an instance should be treated as a server bug.
* Patch is available in upstream kernel since 5.16, any issues associated with it should be already detected.
* Patch adds additional requirement checks on server NTLM flags, although it is possible to hit these checks, I was not able to find any instances of that occurring.
* To lower regression potential, upstream patch backported to Ubuntu 5.15 and 5.04 Kernels has been tested in following environments:
smb server: Oracle Solaris 11.04, Ubuntu 22.04 HWE
smb client: Ubuntu 22.04, Ubuntu 20.04
During testing no issues have been detected.
[ Other Info ]
* Error message coming from SMB client is the same as providing incorrect credentials, which might confuse users.
* Attaching tcpdump pcaps with SMB operations from 5.15 Kernel with and without patch.
** Affects: linux (Ubuntu)
Importance: Medium
Assignee: Robert Malz (rmalz)
Status: New
** Affects: linux (Ubuntu Focal)
Importance: Medium
Assignee: Robert Malz (rmalz)
Status: New
** Affects: linux (Ubuntu Jammy)
Importance: Medium
Assignee: Robert Malz (rmalz)
Status: New
** Changed in: linux (Ubuntu)
Assignee: (unassigned) => Robert Malz (rmalz)
** Changed in: linux (Ubuntu)
Importance: Undecided => Medium
** Also affects: linux (Ubuntu Focal)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Jammy)
Importance: Undecided
Status: New
** Changed in: linux (Ubuntu Focal)
Assignee: (unassigned) => Robert Malz (rmalz)
** Changed in: linux (Ubuntu Jammy)
Assignee: (unassigned) => Robert Malz (rmalz)
** Changed in: linux (Ubuntu Focal)
Importance: Undecided => Medium
** Changed in: linux (Ubuntu Jammy)
Importance: Undecided => Medium
https://bugs.launchpad.net/bugs/2061986
Title:
Mount CIFS fails with Permission denied
Status in linux package in Ubuntu:
New
Status in linux source package in Focal:
New
Status in linux source package in Jammy:
New
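Added example (not part of the bug report or the upstream patch): a decoder for the NegotiateFlags field of an NTLMSSP CHALLENGE message, showing how to check in a capture whether the server advertised Key Exchange. The field layout and flag values follow MS-NLMP; the function names and the two sample tokens are constructed for illustration.

```python
import struct

# Negotiate flag bits from MS-NLMP; Linux calls 0x40000000 NTLMSSP_NEGOTIATE_KEY_XCH.
FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}
KEY_EXCH = 0x40000000


def parse_challenge(token: bytes) -> dict:
    """Decode NegotiateFlags from an NTLMSSP CHALLENGE_MESSAGE (type 2)."""
    if len(token) < 32:
        raise ValueError("token too short for a CHALLENGE_MESSAGE")
    sig, msg_type = struct.unpack_from("<8sI", token, 0)
    if sig != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP token")
    if msg_type != 2:
        raise ValueError(f"expected message type 2, got {msg_type}")
    # TargetNameFields occupy bytes 12..19; NegotiateFlags follow at offset 20.
    (flags,) = struct.unpack_from("<I", token, 20)
    names = [name for bit, name in sorted(FLAGS.items()) if flags & bit]
    return {"flags": flags, "names": names, "key_exchange": bool(flags & KEY_EXCH)}


def client_should_send_session_key(token: bytes) -> bool:
    """True only when the server's challenge advertises key exchange."""
    return parse_challenge(token)["key_exchange"]


def build_sample(flags: int) -> bytes:
    """Constructed type-2 token: empty target name, fixed 8-byte challenge."""
    header = b"NTLMSSP\x00" + struct.pack("<IHHI", 2, 0, 0, 56)
    return header + struct.pack("<I", flags) + bytes(range(8)) + bytes(8)


# Constructed flag sets: one server advertises key exchange, one does not.
WITH_KEY_EXCH = build_sample(0xE0088211)
WITHOUT_KEY_EXCH = build_sample(0xA0088211)

if __name__ == "__main__":
    print(parse_challenge(WITHOUT_KEY_EXCH))
```

To use it on a real capture, pass the raw NTLMSSP token taken from the security buffer of the Session Setup Response, with any SPNEGO wrapping already removed.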