RE: [PATCH] CIFS: handle guest access errors to Windows shares

Mark Syms <Mark.Syms@xxxxxxxxxx> · Fri, 2 Dec 2016 16:44:47 +0000

OK, I'll spin up a Win 10 machine and see how that behaves and then a WS2012R2.

	Mark.

-----Original Message-----
From: Steve French [mailto:smfrench@xxxxxxxxx] 
Sent: 02 December 2016 16:42
To: Mark Syms <Mark.Syms@xxxxxxxxxx>
Cc: Aurélien Aptel <aaptel@xxxxxxxx>; sfrench@xxxxxxxxx; linux-cifs@xxxxxxxxxxxxxxx
Subject: Re: [PATCH] CIFS: handle guest access errors to Windows shares

Note that we have seen negotiate differences - spnego encapsulated ntlmssp vs. raw ntlmssp - between standalone servers (and Windows clients acting as a server) and Windows servers acting as an AD DC.

Also note that comparing the same os in the client vs server comparison (Windows 10 vs Windows 2016) could help determine if server vs. client difference or version difference.

On Fri, Dec 2, 2016 at 10:25 AM, Mark Syms <Mark.Syms@xxxxxxxxxx> wrote:
> Hi,
>
> I've just tried a plain vanilla Debian testing machine with the vendor 4.8.0 kernel and the issue reproduces.
>
> Now, interestingly, if I issue the same mount command to a WS2016 machine configured in the same way as a Win8.1 machine it fails with permission denied as we'd expect and doesn't go into the DFS chase process. So, this appears to be something that is specific to connecting SMB to client grade OS machines.
>
>         Mark
>
> -----Original Message-----
> From: linux-cifs-owner@xxxxxxxxxxxxxxx 
> [mailto:linux-cifs-owner@xxxxxxxxxxxxxxx] On Behalf Of Aurélien Aptel
> Sent: 30 November 2016 17:32
> To: Mark Syms <Mark.Syms@xxxxxxxxxx>; sfrench@xxxxxxxxx; 
> linux-cifs@xxxxxxxxxxxxxxx
> Subject: RE: [PATCH] CIFS: handle guest access errors to Windows 
> shares
>
> Hi Mark,
>
> New setup
>
>   PS> net user guest /activate:no
>   PS> mkdir C:\guestshare
>   PS> icacls C:\guestshare /grant 'Everyone:(OI)(CI)F'
>   PS> new-smbshare -name guestshare -path C:\guestshare -fullaccess 
> Everyone
>
> I've tested v3.10, v4.4, master, master+your patch using default options (empty or no user "NU") and user=abc (U).
>
> NT_LOGON_FAILURE in session setup: LF
> This is what you seem to have in 3.10.
>
> NT_ACCESS_DENIED in tree connect to the share: AD This is what you get before your infinite loop.
>
>              |   NU       U
> --------------------------------
> 3.10         |   LF       LF
> 4.4          |   LF       LF
> master       |   AD       LF
> master+patch |   AD       LF
>
> No infinite DFS loop :(
> All these issues result in mount failing very fast with permission denied.
>
> I guess it could be from either the Windows version or the share/folder ACL. A deeper analysis of the packets might reveal more.
>
> In any case I did not notice any issues for on a basic DFS setup with the patch so I don't think it introduced any regressions, which is probably all that matters. It still bothers me a little I couldn't hit the bug.
>
> I've included kernel output w/ debugging output and network capture of my tests if anyone want to have a look at it. (master+patch = ml-guestfix).
>
> Reviewed-by: Aurelien Aptel <aaptel@xxxxxxxx>
> Tested-by: Aurelien Aptel <aaptel@xxxxxxxx>
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-cifs" 
> in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo 
> info at  http://vger.kernel.org/majordomo-info.html

--
Thanks,

Steve
��.n��������+%������w��{.n�����{�����ܨ}���Ơz�j:+v�����w����ޙ��&�)ߡ�a����z�ޗ���ݢj��w�f