[CIFS] Kerberos and CIFS ACL support part 1

Signed-off-by: Steve French <sfrench@us.ibm.com>
This commit is contained in:
Steve French 2005-12-01 22:32:42 -08:00
parent 83451879ab
commit bf82067917
4 changed files with 94 additions and 9 deletions


@ -436,7 +436,17 @@ A partial list of the supported mount options follows:
SFU does). In the future the bottom 9 bits of the mode SFU does). In the future the bottom 9 bits of the mode
mode also will be emulated using queries of the security mode also will be emulated using queries of the security
descriptor (ACL). descriptor (ACL).
sec Security mode. Allowed values are:
none attempt to connection as a null user (no name)
krb5 Use Kerberos version 5 authentication
krb5i Use Kerberos authentication and packet signing
ntlm Use NTLM password hashing (default)
ntlmi Use NTLM password hashing with signing (if
/proc/fs/cifs/PacketSigningEnabled on or if
server requires signing also can be the default)
ntlmv2 Use NTLMv2 password hashing
ntlmv2i Use NTLMv2 password hashing with packet signing
The mount.cifs mount helper also accepts a few mount options before -o The mount.cifs mount helper also accepts a few mount options before -o
including: including:

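--- a/fs/cifs/cifsacl.h
+++ b/fs/cifs/cifsacl.h
@@ -0,0 +1,36 @@
+/*
+* fs/cifs/cifsacl.h
+*
+* Copyright (c) International Business Machines Corp., 2005
+* Author(s): Steve French (sfrench@us.ibm.com)
+*
+* This library is free software; you can redistribute it and/or modify
+* it under the terms of the GNU Lesser General Public License as published
+* by the Free Software Foundation; either version 2.1 of the License, or
+* (at your option) any later version.
+*
+* This library is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
+* the GNU Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public License
+* along with this library; if not, write to the Free Software
+* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+*/
+#ifndef _CIFSACL_H
+#define _CIFSACL_H
+struct cifs_sid {
+__u8 revision; /* revision level */
+__u8 num_subauths;
+__u8 authority[6];
+__u8 sub_auth[4];
+/* next sub_auth if any ... */
+} __attribute__((packed));
+/* everyone */
+const cifs_sid sid_everyone = {1, 1, {0, 0, 0, 0, 0, 0}, {0, 0, 0, 0}};
+/* group users */
+const cifs_sid sid_user = {1, 2 , {0, 0, 0, 0, 0, 5}, {32, 545, 0, 0}};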
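Review bot: The `sid_user` initializer on the last line puts 545 into a `sub_auth` slot declared as `__u8 sub_auth[4]`, so the value is truncated on assignment and the constant no longer names the Users group it is commented as; SID sub-authorities are 32-bit little-endian on the wire, so the member should be `__le32 sub_auth[4];` with the initializers marked accordingly (e.g. `cpu_to_le32(545)`). Both definitions also write the type as `cifs_sid` although only the tag `struct cifs_sid` is declared, and as non-static `const` objects in a header they give every including translation unit its own external definition, so `static const struct cifs_sid sid_everyone = {1, 1, {0, 0, 0, 0, 0, 0}, {0, 0, 0, 0}};` (and likewise for `sid_user`) is what is needed. The hunk is 36 lines but only 33 are shown on this page, so whether a closing `#endif /* _CIFSACL_H */` is present cannot be told from here.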


@ -1,7 +1,7 @@
/* /*
* fs/cifs/cifspdu.h * fs/cifs/cifspdu.h
* *
* Copyright (c) International Business Machines Corp., 2002 * Copyright (c) International Business Machines Corp., 2002,2005
* Author(s): Steve French (sfrench@us.ibm.com) * Author(s): Steve French (sfrench@us.ibm.com)
* *
* This library is free software; you can redistribute it and/or modify * This library is free software; you can redistribute it and/or modify


@ -82,6 +82,12 @@ struct smb_vol {
unsigned remap:1; /* set to remap seven reserved chars in filenames */ unsigned remap:1; /* set to remap seven reserved chars in filenames */
unsigned posix_paths:1; /* unset to not ask for posix pathnames. */ unsigned posix_paths:1; /* unset to not ask for posix pathnames. */
unsigned sfu_emul:1; unsigned sfu_emul:1;
unsigned krb5:1;
unsigned ntlm:1;
unsigned ntlmv2:1;
unsigned nullauth:1; /* attempt to authenticate with null user */
unsigned sign:1;
unsigned seal:1; /* encrypt */
unsigned nocase; /* request case insensitive filenames */ unsigned nocase; /* request case insensitive filenames */
unsigned nobrl; /* disable sending byte range locks to srv */ unsigned nobrl; /* disable sending byte range locks to srv */
unsigned int rsize; unsigned int rsize;
@ -777,7 +783,7 @@ cifs_parse_mount_options(char *options, const char *devname,struct smb_vol *vol)
/* vol->retry default is 0 (i.e. "soft" limited retry not hard retry) */ /* vol->retry default is 0 (i.e. "soft" limited retry not hard retry) */
vol->rw = TRUE; vol->rw = TRUE;
vol->ntlm = TRUE;
/* default is always to request posix paths. */ /* default is always to request posix paths. */
vol->posix_paths = 1; vol->posix_paths = 1;
@ -903,6 +909,39 @@ cifs_parse_mount_options(char *options, const char *devname,struct smb_vol *vol)
printk(KERN_WARNING "CIFS: ip address too long\n"); printk(KERN_WARNING "CIFS: ip address too long\n");
return 1; return 1;
} }
} else if (strnicmp(data, "sec", 3) == 0) {
if (!value || !*value) {
cERROR(1,("no security value specified"));
continue;
} else if (strnicmp(value, "krb5i", 5) == 0) {
vol->sign = 1;
vol->krb5 = 1;
} else if (strnicmp(value, "krb5p", 5) == 0) {
/* vol->seal = 1;
vol->krb5 = 1; */
cERROR(1,("Krb5 cifs privacy not supported"));
return 1;
} else if (strnicmp(value, "krb5", 4) == 0) {
vol->krb5 = 1;
} else if (strnicmp(value, "ntlmv2i", 7) == 0) {
vol->ntlmv2 = 1;
vol->sign = 1;
} else if (strnicmp(value, "ntlmv2", 6) == 0) {
vol->ntlmv2 = 1;
} else if (strnicmp(value, "ntlmi", 5) == 0) {
vol->ntlm = 1;
vol->sign = 1;
} else if (strnicmp(value, "ntlm", 4) == 0) {
/* ntlm is default so can be turned off too */
vol->ntlm = 1;
} else if (strnicmp(value, "nontlm", 6) == 0) {
vol->ntlm = 0;
} else if (strnicmp(value, "none", 4) == 0) {
vol->nullauth = 1;
} else {
cERROR(1,("bad security option: %s", value));
return 1;
}
} else if ((strnicmp(data, "unc", 3) == 0) } else if ((strnicmp(data, "unc", 3) == 0)
|| (strnicmp(data, "target", 6) == 0) || (strnicmp(data, "target", 6) == 0)
|| (strnicmp(data, "path", 4) == 0)) { || (strnicmp(data, "path", 4) == 0)) {
@ -1546,7 +1585,7 @@ cifs_mount(struct super_block *sb, struct cifs_sb_info *cifs_sb,
cFYI(1, ("Username: %s ", volume_info.username)); cFYI(1, ("Username: %s ", volume_info.username));
} else { } else {
cifserror("No username specified "); cifserror("No username specified");
/* In userspace mount helper we can get user name from alternate /* In userspace mount helper we can get user name from alternate
locations such as env variables and files on disk */ locations such as env variables and files on disk */
kfree(volume_info.UNC); kfree(volume_info.UNC);
@ -1587,7 +1626,7 @@ cifs_mount(struct super_block *sb, struct cifs_sb_info *cifs_sb,
return -EINVAL; return -EINVAL;
} else /* which servers DFS root would we conect to */ { } else /* which servers DFS root would we conect to */ {
cERROR(1, cERROR(1,
("CIFS mount error: No UNC path (e.g. -o unc=//192.168.1.100/public) specified ")); ("CIFS mount error: No UNC path (e.g. -o unc=//192.168.1.100/public) specified"));
kfree(volume_info.UNC); kfree(volume_info.UNC);
kfree(volume_info.password); kfree(volume_info.password);
FreeXid(xid); FreeXid(xid);
@ -1626,7 +1665,7 @@ cifs_mount(struct super_block *sb, struct cifs_sb_info *cifs_sb,
if (srvTcp) { if (srvTcp) {
cFYI(1, ("Existing tcp session with server found ")); cFYI(1, ("Existing tcp session with server found"));
} else { /* create socket */ } else { /* create socket */
if(volume_info.port) if(volume_info.port)
sin_server.sin_port = htons(volume_info.port); sin_server.sin_port = htons(volume_info.port);
@ -1689,11 +1728,11 @@ cifs_mount(struct super_block *sb, struct cifs_sb_info *cifs_sb,
if (existingCifsSes) { if (existingCifsSes) {
pSesInfo = existingCifsSes; pSesInfo = existingCifsSes;
cFYI(1, ("Existing smb sess found ")); cFYI(1, ("Existing smb sess found"));
kfree(volume_info.password); kfree(volume_info.password);
/* volume_info.UNC freed at end of function */ /* volume_info.UNC freed at end of function */
} else if (!rc) { } else if (!rc) {
cFYI(1, ("Existing smb sess not found ")); cFYI(1, ("Existing smb sess not found"));
pSesInfo = sesInfoAlloc(); pSesInfo = sesInfoAlloc();
if (pSesInfo == NULL) if (pSesInfo == NULL)
rc = -ENOMEM; rc = -ENOMEM;
@ -1777,7 +1816,7 @@ cifs_mount(struct super_block *sb, struct cifs_sb_info *cifs_sb,
find_unc(sin_server.sin_addr.s_addr, volume_info.UNC, find_unc(sin_server.sin_addr.s_addr, volume_info.UNC,
volume_info.username); volume_info.username);
if (tcon) { if (tcon) {
cFYI(1, ("Found match on UNC path ")); cFYI(1, ("Found match on UNC path"));
/* we can have only one retry value for a connection /* we can have only one retry value for a connection
to a share so for resources mounted more than once to a share so for resources mounted more than once
to the same server share the last value passed in to the same server share the last value passed in
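Review bot: In the `sec=` branch added to cifs_parse_mount_options (the hunk at @ -903,6 +909,39), selecting `krb5`, `krb5i`, `ntlmv2`, `ntlmv2i` or `none` sets its own flag but leaves `vol->ntlm` at the `TRUE` default assigned earlier in the same function, so the mechanism flags are not mutually exclusive and whatever later consumes `struct smb_vol` cannot distinguish a mount that asked for Kerberos or NTLMv2 from one that is allowed to fall back to NTLM. Clearing the other mechanism bits in each branch (`vol->ntlm = 0; vol->ntlmv2 = 0;` before `vol->krb5 = 1;`, and the same pattern in the other cases) or replacing the three one-bit fields added to `struct smb_vol` with a single enum would keep such a downgrade from happening silently. The comparisons are prefix matches (`strnicmp(value, "ntlm", 4)` accepts any value beginning with "ntlm"), which matches how the surrounding options are parsed but means `sec=ntlmfoo` is quietly treated as `ntlm`. The parser also accepts `nontlm` and rejects `krb5p`, neither of which the README hunk lists under `sec`. cifs_parse_mount_options begins and ends outside the hunk.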