On Wed, Feb 16, 2011 at 3:05 PM, Shirish Pargaonkar <shirishpargaonkar@xxxxxxxxx> wrote: > On Wed, Feb 16, 2011 at 2:53 PM, Steve French <smfrench@xxxxxxxxx> wrote: >> On Wed, Feb 16, 2011 at 2:27 PM, <shirishpargaonkar@xxxxxxxxx> wrote: >>> From: Shirish Pargaonkar <shirishpargaonkar@xxxxxxxxx> >>> >>> >>> Fix lanman (lm) authentication code. >>> >>> Change lm response length back to 24 from 16. >>> Parse lanmani mount option. >> >> lanman21 (and earlier dialects) did not support packet signing >> (requires NTLM12 or later dialect. I don't know what happens if >> you try to set sec=lanmani with your patch >> but I would not expect it to ever force signing and work. >> >> >> We note this in our readme e.g. >> sign Must use packet signing (helps avoid unwanted data modification >> by intermediate systems in the route). Note that signing >> does not work with lanman or plaintext authentication. > > Steve, is that a limitation within cifs client or protocol limitation? > I think there is a session key calculation associated with lanman > authentication. The protocol first defined packet signing in NTLM12 dialect. The flag was undefined before then, and the fields for the signature itself in the header were reserved. Remember that LANMAN dialect uses an older format of SMB SessionSetupX as well. I am not opposed to adding the new mount option lanmani if you can demonstrate it working to Windows or Samba, but it is likely signing won't work if you force the older dialect and try the new sec=lamnami -- Thanks, Steve -- To unsubscribe from this list: send the line "unsubscribe linux-cifs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
