On Fri, 23 Sep 2011 10:14:32 -0500
Shirish Pargaonkar <shirishpargaonkar@xxxxxxxxx> wrote:

> On Fri, Sep 23, 2011 at 8:43 AM, Jeff Layton <jlayton@xxxxxxxxxx> wrote:
> > On Fri, 23 Sep 2011 17:55:05 +0530
> > Suresh Jayaraman <sjayaraman@xxxxxxxx> wrote:
> >
> >> On 09/23/2011 05:46 PM, Jeff Layton wrote:
> >> > A printk warning was added to the kernel about the default security
> >> > mode changing in 3.1. As best I can tell though, that has not happened
> >> > even though the release is imminent. Are you still planning to change
> >> > that? If not, are you planning to fix the printk?
> >> >
> >>
> >> Did you mean this one?
> >> http://www.spinics.net/lists/linux-cifs/msg03976.html
> >>
> >> I remember Steve posted this patch sometime ago but I'm not seeing them
> >> in the cifs development tree..
> >>
> >>
> >> -Suresh
> >
> > Yeah, that's the one. Seems a little late to be adding these sorts of
> > behavior changes in 3.1 though, so I'm just wondering what the plan is.
> >
> > I also have some concerns about defaulting to raw NTLMv2 auth since (at
> > least) win2k8 rejects unless you go in and tweak registry keys. It
> > would seem to me to be better to decide the default based on the
> > negotiation:
> >
> > Set extended security bit in the NegProt by default
> >
> > If the server sets it, then use NTLMSSP
>
> Not sure if there are any cifs/smb servers that support
> extended security mechanisms but ntlmssp not being
> one of them, we ought to consider that such a setup
> before choosing ntlmssp if the server set extended
> security bit in negprot response.
>

Seems unlikely. If the server doesn't support NTLMSSP then it probably
won't allow login via any password mechanism.

That said, it wouldn't hurt to also fall back to non-NTLMSSP auth if
the server doesn't list NTLMSSP in the SPNEGO blob in the NEGOTIATE
reply. That has a (slight) chance of working...

> >
> > If it doesn't then use old NTLM (or NTLMv2)
> >
> > That means an overhaul of how sec_mode is handled though, since that's
> > currently decided too early to do it that way.
> >
> > --
> > Jeff Layton <jlayton@xxxxxxxxxx>

--
Jeff Layton <jlayton@xxxxxxxxxx>
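The selection order discussed in this thread (extended security bit first, then whether NTLMSSP is listed in the SPNEGO blob, otherwise non-NTLMSSP auth) can be sketched as follows. This is an added example, not code from the thread or from the cifs tree: the enum, function names and sample blobs are hypothetical and constructed, and the byte scan for the OID stands in for a real ASN.1 walk of the mechanism list.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Extended security bit in the SMB1 NEGOTIATE response Capabilities field. */
#define CAP_EXTENDED_SECURITY 0x80000000u

/* DER encoding of the NTLMSSP mechanism OID 1.3.6.1.4.1.311.2.2.10. */
static const uint8_t NTLMSSP_OID[] = {
    0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x02, 0x0a };

/* Constructed sample mechanism lists (not captured traffic):
 * Kerberos 5 plus NTLMSSP, and Kerberos 5 only. */
static const uint8_t SAMPLE_BOTH[] = { 0x30, 0x17,
    0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02,
    0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x02, 0x0a };
static const uint8_t SAMPLE_KRB_ONLY[] = { 0x30, 0x0b,
    0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02 };

/* Hypothetical names; AUTH_RAW_NTLM covers "old NTLM (or NTLMv2)". */
enum auth_choice { AUTH_NTLMSSP, AUTH_RAW_NTLM };

/* Simplification: scan the blob for the encoded OID instead of parsing ASN.1. */
static int blob_lists_ntlmssp(const uint8_t *blob, size_t len)
{
    size_t i;
    if (blob == NULL || len < sizeof(NTLMSSP_OID))
        return 0;
    for (i = 0; i + sizeof(NTLMSSP_OID) <= len; i++)
        if (memcmp(blob + i, NTLMSSP_OID, sizeof(NTLMSSP_OID)) == 0)
            return 1;
    return 0;
}

/* Decide after the NEGOTIATE reply instead of fixing the mode beforehand. */
enum auth_choice choose_auth(uint32_t server_caps, const uint8_t *blob, size_t len)
{
    if (!(server_caps & CAP_EXTENDED_SECURITY))
        return AUTH_RAW_NTLM;       /* server did not set the bit */
    if (blob_lists_ntlmssp(blob, len))
        return AUTH_NTLMSSP;        /* bit set and NTLMSSP offered */
    return AUTH_RAW_NTLM;           /* fallback with a slight chance of working */
}

int main(void)
{
    int ok = choose_auth(CAP_EXTENDED_SECURITY, SAMPLE_BOTH, sizeof(SAMPLE_BOTH)) == AUTH_NTLMSSP
          && choose_auth(CAP_EXTENDED_SECURITY, SAMPLE_KRB_ONLY, sizeof(SAMPLE_KRB_ONLY)) == AUTH_RAW_NTLM;
    return ok ? 0 : 1;
}
```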