cifs: fix setting SecurityFlags to true
authorSteve French <stfrench@microsoft.com>
Tue, 9 Jul 2024 23:07:35 +0000 (18:07 -0500)
committerSteve French <stfrench@microsoft.com>
Sat, 13 Jul 2024 14:24:27 +0000 (09:24 -0500)
If you try to set /proc/fs/cifs/SecurityFlags to 1 it
will set them to CIFSSEC_MUST_NTLMV2, which is no longer
relevant (the less secure ones like lanman have been removed
from cifs.ko) and is also missing some flags (like for
signing and encryption) and can even cause mount to fail,
so change this to set it to Kerberos in this case.

Also change the description of the SecurityFlags to remove mention
of flags which are no longer supported.

Cc: stable@vger.kernel.org
Reviewed-by: Shyam Prasad N <sprasad@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Documentation/admin-guide/cifs/usage.rst
fs/smb/client/cifsglob.h

index aa8290a29dc88b0efdf56500ea40b1a97ddccc9c..fd4b56c0996f47d6f11c93db442eabca3f252264 100644 (file)
@@ -723,40 +723,26 @@ Configuration pseudo-files:
 ======================= =======================================================
 SecurityFlags          Flags which control security negotiation and
                        also packet signing. Authentication (may/must)
-                       flags (e.g. for NTLM and/or NTLMv2) may be combined with
+                       flags (e.g. for NTLMv2) may be combined with
                        the signing flags.  Specifying two different password
                        hashing mechanisms (as "must use") on the other hand
                        does not make much sense. Default flags are::
 
-                               0x07007
-
-                       (NTLM, NTLMv2 and packet signing allowed).  The maximum
-                       allowable flags if you want to allow mounts to servers
-                       using weaker password hashes is 0x37037 (lanman,
-                       plaintext, ntlm, ntlmv2, signing allowed).  Some
-                       SecurityFlags require the corresponding menuconfig
-                       options to be enabled.  Enabling plaintext
-                       authentication currently requires also enabling
-                       lanman authentication in the security flags
-                       because the cifs module only supports sending
-                       laintext passwords using the older lanman dialect
-                       form of the session setup SMB.  (e.g. for authentication
-                       using plain text passwords, set the SecurityFlags
-                       to 0x30030)::
+                               0x00C5
+
+                       (NTLMv2 and packet signing allowed).  Some SecurityFlags
+                       may require enabling a corresponding menuconfig option.
 
                          may use packet signing                        0x00001
                          must use packet signing                       0x01001
-                         may use NTLM (most common password hash)      0x00002
-                         must use NTLM                                 0x02002
                          may use NTLMv2                                0x00004
                          must use NTLMv2                               0x04004
-                         may use Kerberos security                     0x00008
-                         must use Kerberos                             0x08008
-                         may use lanman (weak) password hash           0x00010
-                         must use lanman password hash                 0x10010
-                         may use plaintext passwords                   0x00020
-                         must use plaintext passwords                  0x20020
-                         (reserved for future packet encryption)       0x00040
+                         may use Kerberos security (krb5)              0x00008
+                         must use Kerberos                             0x08008
+                         may use NTLMSSP                               0x00080
+                         must use NTLMSSP                              0x80080
+                         seal (packet encryption)                      0x00040
+                         must seal (not implemented yet)               0x40040
 
 cifsFYI                        If set to non-zero value, additional debug information
                        will be logged to the system error log.  This field
index 557b68e99d0a096498678d10de5dc37befe79172..a865941724c029b2abf17c817d34711d05bcad36 100644 (file)
@@ -1918,8 +1918,8 @@ require use of the stronger protocol */
 #define   CIFSSEC_MUST_SEAL    0x40040 /* not supported yet */
 #define   CIFSSEC_MUST_NTLMSSP 0x80080 /* raw ntlmssp with ntlmv2 */
 
-#define   CIFSSEC_DEF (CIFSSEC_MAY_SIGN | CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_NTLMSSP)
-#define   CIFSSEC_MAX (CIFSSEC_MUST_NTLMV2)
+#define   CIFSSEC_DEF (CIFSSEC_MAY_SIGN | CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_NTLMSSP | CIFSSEC_MAY_SEAL)
+#define   CIFSSEC_MAX (CIFSSEC_MAY_SIGN | CIFSSEC_MUST_KRB5 | CIFSSEC_MAY_SEAL)
 #define   CIFSSEC_AUTH_MASK (CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_KRB5 | CIFSSEC_MAY_NTLMSSP)
 /*
  *****************************************************************
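Review bot: The new CIFSSEC_MAX on the `+#define CIFSSEC_MAX` line is no longer a superset of CIFSSEC_DEF (it drops CIFSSEC_MAY_NTLMV2 and CIFSSEC_MAY_NTLMSSP and adds CIFSSEC_MUST_KRB5), so the name "MAX" now means "strictest usable policy" rather than "upper bound of allowed flags", and the definition carries no comment saying so; any caller that still treats CIFSSEC_MAX as a mask or ceiling for accepted SecurityFlags values would need re-checking, though its users are not visible in this hunk. Suggest documenting the intent on the macro: `#define   CIFSSEC_MAX (CIFSSEC_MAY_SIGN | CIFSSEC_MUST_KRB5 | CIFSSEC_MAY_SEAL) /* strictest usable policy: require Kerberos; selected by writing 1 to SecurityFlags */`. The usage.rst hunk in this commit also does not state that writing 1 now selects "must use Kerberos" (0x08049 with the new definition), which an administrator setting the flag would want spelled out next to the flag table.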