Hopefully the attached will help clarify things. Two traces performing the same operation on a 3.10 kernel, as used by XenServer 7.0, and on the 4.4 kernel used by the current development version of XenServer.

Connection was being made to a Windows 8.1 machine with a share exposed to the Windows "Everyone" user - which requires authentication.

Mount command being executed was

    mount -t cifs //10.62.98.3/Share /tmp-smb/ -o guest

No other share configuration was performed, i.e. no guest or anonymous access.

On the 3.10 kernel this responds with permission denied as we'd expect. On the 4.4 kernel without the patch below the session establishment process enters a non-terminating loop chasing DFS referrals (as can be seen at the end of the 4.4 pcap trace, this repeats forever so I've trimmed the trace).

It's possible that the behaviour of Server class Windows will behave differently but mapping to shares to a client class OS is a supported use case for us.

Thanks,

Mark.

-----Original Message-----
From: linux-cifs-owner@xxxxxxxxxxxxxxx [mailto:linux-cifs-owner@xxxxxxxxxxxxxxx] On Behalf Of Aurélien Aptel
Sent: 29 November 2016 15:44
To: Mark Syms <Mark.Syms@xxxxxxxxxx>; sfrench@xxxxxxxxx; linux-cifs@xxxxxxxxxxxxxxx
Cc: Mark Syms <Mark.Syms@xxxxxxxxxx>
Subject: Re: [PATCH] CIFS: handle guest access errors to Windows shares

I've tried setting up a guest share on a Windows 2016 server and mounting it before and after your patch. Powershell setup follows.

To set up the share I had to enable the guest account

    PS> net user guest /active:yes

Make the directory, give perms, make share

    PS> mkdir C:\guestshare
    PS> icacls C:\guestshare /grant 'Everyone:(OI)(CI)F'
    PS> New-SmbShare -name guestshare -path C:\guestshare -fullaccess Everyone

After this, smbclient -N works:

    % smbclient //$(vmip win2016)/guestshare -N
    OS=[Windows Server 2016 Standard 14393] Server=[Windows Server 2016 Standard 6.3]
    smb: \> ^D

On the wire:

    CLIENT -> SERVER SMB Negotiate Protocol Request
    SERVER -> CLIENT SMB Negotiate Protocol Response
    CLIENT -> SERVER SMB Session Setup AndX Request, NTLMSSP_NEGOTIATE
    SERVER -> CLIENT SMB Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
    CLIENT -> SERVER SMB Session Setup AndX Request, NTLMSSP_AUTH, User: WORKGROUP\aaptel
    SERVER -> CLIENT SMB Session Setup AndX Response
                     | Action: 0x0001
                     |   .... .... .... ...1 = Guest: Logged in as GUEST
    CLIENT -> SERVER SMB Tree Connect AndX Request, Path: \\SERVER\IPC$
    SERVER -> CLIENT SMB Tree Connect AndX Response
    CLIENT -> SERVER SMB Trans2 Request, GET_DFS_REFERRAL, File: \SERVER\guestshare
    SERVER -> CLIENT SMB Trans2 Response, GET_DFS_REFERRAL, Error: STATUS_NOT_FOUND
    CLIENT -> SERVER SMB Tree Disconnect Request
    SERVER -> CLIENT SMB Tree Disconnect Response
    CLIENT -> SERVER SMB Tree Connect AndX Request, Path: \\SERVER\GUESTSHARE
    SERVER -> CLIENT SMB Tree Connect AndX Response
    CLIENT -> SERVER SMB Echo Request
    SERVER -> CLIENT SMB Echo Response
    CLIENT -> SERVER SMB Tree Disconnect Request
    SERVER -> CLIENT SMB Tree Disconnect Response

But from cifs.ko master (with or without your patch) I get this:

    # mount -t cifs -vvv //WS2016/guestshare /mnt -o ip=10.160.65.202,guest
    CIFS VFS: SMB signature verification returned error = -13
    CIFS VFS: SMB signature verification returned error = -13
    CIFS VFS: cifs_mount failed w/return code = -13
    mount error(13): Permission denied
    Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

On the wire:

    CLIENT -> SERVER SMB Negotiate Protocol Request
    SERVER -> CLIENT SMB Negotiate Protocol Response
    CLIENT -> SERVER SMB Session Setup AndX Request, NTLMSSP_NEGOTIATE
    SERVER -> CLIENT SMB Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
    CLIENT -> SERVER SMB Session Setup AndX Request, NTLMSSP_AUTH, User: SUSE\
    SERVER -> CLIENT SMB Session Setup AndX Response
                     | Action: 0x0000
                     |   .... .... .... ...0 = Guest: Not logged in as GUEST
    CLIENT -> SERVER SMB Tree Connect AndX Request, Path: \\WS2016\guestshare
    SERVER -> CLIENT SMB Tree Connect AndX Response, Error: STATUS_ACCESS_DENIED
    CLIENT -> SERVER SMB Logoff AndX Request
    SERVER -> CLIENT SMB Logoff AndX Response

So why is it failing in this case? The server is an AD of the domain SUSE. I gave `guest` mount option but that option is actually ignored on purpose. Since I gave no username, domain or password cifs.ko tries to login with "SUSE\". In the Session Setup response this results in the Action field being set to "non-guest" and the tree connect later fails.

smbclient uses "WORKGROUP\<my user name>" when I login with -N. If I use -U 'SUSE\' like cifs.ko does it fails. Similarly, if I use a non-empty, non-existing user in cifs.ko (e.g. "SUSE\xyz" instead of "SUSE\"), it works.

So to summarize I couldn't reproduce Mark's bug against Windows Server 2016 (same behaviour with and without the patch). But I have discovered that the way cifs.ko picks the username/domain when none are provided is not correct in my scenario.

...

After re-reading Mark's email I've just realized he said it happens when using the guest account to do a tree connect on a share that *requires* a real account.

So with the guest account still activated I've added deny rules:

    PS> icacls C:\guestshare /deny 'Guest:(OI)(CI)F'
    PS> Block-SmbShareAccess -name guestshare -accountname guest -force

But the tree connect still works with both cifs.ko and smbclient. What is denied with those rules is anything past the connection, it seems. cifs.ko fails for permissions reasons because it tries to query things at the root level as part of mounting.

In any case I was not able to make cifs.ko hang during any of my tests. I would be curious to see a network trace of your scenario.

--
Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97 8C99 03C8 A49B 521B D5D3
SUSE Linux GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany
GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
--
To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Attachment: smb-4.4-ssp.pcap
Attachment: smb-3.10-ssp.pcap
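
The Action field that differs between the two wire traces quoted above (0x0001 for smbclient, 0x0000 for cifs.ko), decoded from raw SMB1 bytes. This is an added example, not part of the original mails and not cifs.ko code; the sample messages are constructed rather than taken from the attached pcaps, and the function names are hypothetical.

```python
import struct

# Field layout per the SMB1 Session Setup AndX response; samples are constructed.
SMB1_MAGIC = b"\xffSMB"
SMB_COM_SESSION_SETUP_ANDX = 0x73
STATUS_SUCCESS = 0x00000000
STATUS_MORE_PROCESSING_REQUIRED = 0xC0000016
SMB_SETUP_GUEST = 0x0001  # Action bit 0, shown as "Guest: Logged in as GUEST"
HEADER = struct.Struct("<4sBIBHH8sHHHHH")  # fixed 32-byte SMB1 header


def parse_session_setup_response(msg: bytes) -> dict:
    """Return NT status, Action and guest verdict for one response."""
    if len(msg) < HEADER.size + 1:
        raise ValueError("truncated SMB1 message")
    magic, command, status = HEADER.unpack_from(msg)[:3]
    if magic != SMB1_MAGIC or command != SMB_COM_SESSION_SETUP_ANDX:
        raise ValueError("not an SMB1 Session Setup AndX message")
    word_count = msg[HEADER.size]
    result = {"status": status, "action": None, "guest": None}
    # WordCount 3 = plain response, 4 = extended security (NTLMSSP).
    # Error responses carry WordCount 0 and therefore no Action field.
    if word_count not in (3, 4):
        return result
    if len(msg) < HEADER.size + 1 + 2 * word_count:
        raise ValueError("truncated parameter block")
    # AndXCommand, AndXReserved, AndXOffset, Action
    _, _, _, action = struct.unpack_from("<BBHH", msg, HEADER.size + 1)
    result["action"] = action
    # The NTLMSSP_CHALLENGE leg returns STATUS_MORE_PROCESSING_REQUIRED;
    # only the final successful response says how the session was mapped.
    if status == STATUS_SUCCESS:
        result["guest"] = bool(action & SMB_SETUP_GUEST)
    return result


def build_response(status: int, action: int, extended: bool = True) -> bytes:
    """Build a constructed sample response (not taken from the pcaps)."""
    header = HEADER.pack(SMB1_MAGIC, SMB_COM_SESSION_SETUP_ANDX, status,
                         0x98, 0xC807, 0, b"\0" * 8, 0, 0, 0, 0x0800, 1)
    words = struct.pack("<BBHH", 0xFF, 0, 0, action)
    if extended:
        words += struct.pack("<H", 0)  # SecurityBlobLength
    return header + bytes([len(words) // 2]) + words + struct.pack("<H", 0)


if __name__ == "__main__":
    for label, action in (("smbclient -N", 0x0001), ("cifs.ko guest", 0x0000)):
        print(label, parse_session_setup_response(build_response(STATUS_SUCCESS, action)))
```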