From: Steve French <smfrench@gmail.com>
To: Clemens Leu <clemens.leu@gmail.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Davyd McColl <davydm@gmail.com>,
CIFS <linux-cifs@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
Thorsten Leemhuis <regressions@leemhuis.info>,
regressions@lists.linux.dev,
ronnie sahlberg <ronniesahlberg@gmail.com>,
samba-technical <samba-technical@lists.samba.org>
Subject: Re: Possible regression: unable to mount CIFS 1.0 shares from older machines since 76a3c92ec9e0668e4cd0e9ff1782eb68f61a179c
Date: Wed, 27 Jul 2022 21:27:13 -0500
Message-ID: <CAH2r5ms+uCF-sC1Hw6izmMhCb2jR55jB0pf8rK8OkkUh0hNGfg@mail.gmail.com>
In-Reply-To: <fda96c5c-9007-4147-3be1-8c9deca0442c@gmail.com>

Is using userspace tools (like Samba's "ftp like" smbclient tool) an
option to migrate these files?

On Wed, Jul 27, 2022 at 3:04 PM Clemens Leu <clemens.leu@gmail.com> wrote:
>
> Hi all
>
> Here follows now another practical reason why it is at the moment a
> quite unhappy decision to ditch the NTLM/CIFS 1.0 support entirely.
>
> I am on Kubuntu 20.04 LTS and the access to my Apple Time Capsule worked
> fine. This changed when kernel 5.15.0-41-generic was installed some time
> ago. Since then I have in dmesg the known "kernel: bad security option:
> ntlm" and "kernel: CIFS: VFS: bad security option: ntlm" messages and no
> access is possible any longer to the Time Capsule.
>
> So it looks like commit "[76a3c92ec9e0668e4cd0e9ff1782eb68f61a179c]
> cifs: remove support for NTLM and weaker authentication algorithms" has
> completely broken my Time Capsule access.
>
> Yes, I know, ntlm is more than 20 years old and a quite insecure
> protocol. It is absolutely understandable to disable it as default.
> However, it should be also regarded that there exist companies which
> decided because of narrow-minded reasons to implement only the old SMB1
> protocol also on not so old hardware. Apple is such an example, they
> really implemented on all of their Time Capsule models (which were using
> a special Samba implementation) only the stone-age variant of SMB/NTLM.
> This is true even for the last 2013 variant which was discontinued on
> April 26, 2018. Apple could for sure support a more recent SMB version
> but they didn't do it most likely to make their own AFP3 protocol look
> and perform better.
>
> So the alternative would be AFP in my case, unfortunately it's not so
> easy. While we have thanks to Netatalk a rock-solid AFP support in Linux
> at the server side, this is unfortunately not true for the client one.
> The corresponding "afpfs-ng" (Apple Filing Protocol Library, a client
> implementation of the Apple Filing Protocol) project is unmaintained and
> dormant for years.
>
> Long story short, the current situation in this topic is as I said quite
> unhappy. While I fully agree to disable NTLM/CIFS 1.0 as default, it
> shouldn't be removed entirely. Maybe it is possible to enable it only
> for accessing older network volumes/shares while at the same time block
> the possibility to create insecure NTLM network shares? I am aware that
> the risk in enabling this old and flawed protocol will be my own
> problem. I won't complain if I get into trouble because of it. ;-)
> Unfortunately I have no alternative other than buying a new NAS or
> downgrading to an older kernel which is also not a really practical option.
>
> Whatever, many thanks for all your great work!
>
--
Thanks,
Steve
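
Added example (not part of the original messages and not code from the cifs or Samba projects): a shell audit that takes the "bad security option" kernel messages quoted above and reports which CIFS entries in an fstab-format file request the rejected sec= value, so the affected mounts can be identified. The function names are hypothetical, and the log lines, addresses and paths are constructed sample data.

```shell
#!/bin/sh
# Correlate kernel "bad security option: <value>" messages with the sec=
# option of CIFS entries in an fstab-format file. Added example.

# Print each distinct sec= value the kernel rejected, one per line.
rejected_sec_options() {   # $1 = kernel log file
    sed -n 's/.*bad security option: \([A-Za-z0-9_]*\).*/\1/p' "$1" | sort -u
}

# Print "<mountpoint> sec=<value>" for every cifs/smb3 entry whose sec=
# option exactly matches a rejected value (sec=ntlmssp must not match ntlm).
affected_mounts() {        # $1 = fstab file, $2 = kernel log file
    rejected=$(rejected_sec_options "$2" | tr '\n' ' ')
    awk -v rejected="$rejected" '
        BEGIN { n = split(rejected, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
        /^[[:space:]]*#/ || NF < 4 { next }      # skip comments and short lines
        $3 == "cifs" || $3 == "smb3" {
            m = split($4, opts, ",")
            for (i = 1; i <= m; i++)
                if (opts[i] ~ /^sec=/) {
                    v = substr(opts[i], 5)       # text after "sec="
                    if (v in bad) print $2, "sec=" v
                }
        }' "$1"
}

# Constructed sample input (hostnames, addresses and paths are made up).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/kern.log" <<'EOF'
Jul 27 20:01:02 host kernel: bad security option: ntlm
Jul 27 20:01:02 host kernel: CIFS: VFS: bad security option: ntlm
EOF
cat > "$SAMPLE_DIR/fstab" <<'EOF'
# constructed sample fstab
//192.0.2.10/Data   /mnt/capsule  cifs  vers=1.0,sec=ntlm,credentials=/etc/cifs-cred     0 0
//192.0.2.20/share  /mnt/nas      cifs  vers=3.0,sec=ntlmssp,credentials=/etc/cifs-cred  0 0
UUID=0000-0000      /             ext4  defaults                                         0 1
EOF

affected_mounts "$SAMPLE_DIR/fstab" "$SAMPLE_DIR/kern.log"
```
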