Re: Possible regression: unable to mount CIFS 1.0 shares from older machines since 76a3c92ec9e0668e4cd0e9ff1782eb68f61a179c

Re: Possible regression: unable to mount CIFS 1.0 shares from older machines since 76a3c92ec9e0668e4cd0e9ff1782eb68f61a179c

[Thorsten Leemhuis]

Hi, this is your Linux kernel regression tracker, once again...

On 18.02.22 14:30, Davyd McColl wrote:
> Apologies for the late response - I didn't see the last bit of the
> mail asking for more info.
> 
> Thorsten: the only group policy modification I have on my win11
> machine (which was
> loaded fresh not too long ago) is to enable insecure guest logins,
> which is obviously
> required for samba shares where the share allows a guest login without
> any password.
> I have to enable this to browse the shares on my Gentoo machine from the win11
> machine anyway.

Thx for the update. I pointed Linus towards this thread two times now,
but he didn't comment on it afaics. CCing him now, maybe that will to
the trick. If not, it'll leave me with two options:

a) give up
b) submit a revert for 5.18 to force a discussion of the issue

I currently tend to do the latter due to the fact that it's something
that still works on Win11 with a simple change in the registry. But
before that:

@Steve: what's your option on this? Do you basically agree with what
Ronnie stated in
https://lore.kernel.org/lkml/CAN05THQbR4d55kx6MEHGcn-iLZKJG1C0vhq19wfo=NrB6q1Apg@mail.gmail.com/
To quote:
```
> Right now you can likely just revert it. Maybe in the next kernel too.
> But in a kernel not too far into the future some of the crypto primitives that
> this depended on will simply not exist any more in the linux kernel
> and will not be
> available through the standard api.
> 
> At that point it is no longer a matter of just reverting the patch but
> a matter of
> re-importing an equivalent crypto replacement and port cifs.ko to its new api.
> 
> That is a lot of work and maintenance for something that is obsolete.
```

And Davyd: if you have a minute, could you maybe try running 5.17-rc6
(or Linus mainline from git) with
76a3c92ec9e0668e4cd0e9ff1782eb68f61a179c reverted and check if
everything wrt to cifs continues to work?

Ciao, Thorsten

> On Fri, 28 Jan 2022 at 16:02, Thorsten Leemhuis
> <regressions@leemhuis.info> wrote:
>>
>> On 28.01.22 14:50, ronnie sahlberg wrote:
>>> On Fri, Jan 28, 2022 at 11:30 PM Thorsten Leemhuis
>>> <regressions@leemhuis.info> wrote:
>>>>
>>>> Hi, this is your Linux kernel regression tracker speaking.
>>>>
>>>> Top-posting for once, to make this easy accessible to everyone.
>>>>
>>>> Davyd, Ronnie, and/or Steve: What the status here? It seems after some
>>>> productive debugging back and forth it seems everyone forgot about this.
>>>> Or was progress made somewhere and I just missed it?
>>>
>>> I tried but can not find a system old enough to reproduce.
>>> Remember, this is an authentication mechanism that Microsoft begged
>>> people to stop using and migrate away from over 20 years ago.
>>> Win2k works just fine, as does samba3.0.
>>> I have no idea if Samba 2.0 works with current cifs.ko   but then
>>> again  I seriously doubt you can even get samba 2.0 to even compile on
>>> a modern
>>> machine as so many APIs have changed or just gone away since the late 90s.
>>>
>>> I tried, but there is just so much time you can spend on something
>>> that was declared obsolete 20 years ago.
>>
>> I can fully understand that -- otoh then I'd normally say "well, then
>> let's just revert the commit that causes this". But in this case I can
>> understand that it might not be wise.
>>
>> There is one thing that would help me to judge this situation better:
>>
>> Davyd, did a default Win11 install connect fine with standard settings
>> or did you have to modify something in the registry to make it work
>> there (which you might have done years ago in case you updated the
>> machine!), as Ronnie suspected? Or was this already clarified in this
>> thread somewhere and I just missed that (in that case: sorry!)?
>>
>> Ciao, Thorsten
>>
>>>> Ciao, Thorsten
>>>>
>>>> #regzbot poke
>>>>
>>>>
>>>> On 12.01.22 06:49, Davyd McColl wrote:
>>>>> Hi Ronnie
>>>>>
>>>>> The regular fstab line for this mount is:
>>>>>
>>>>> //mede8er/mede8er  /mnt/mede8er-smb  cifs
>>>>> noauto,guest,users,uid=daf,gid=daf,iocharset=utf8,vers=1.0,nobrl,sec=none
>>>>>  0  0
>>>>>
>>>>> Altering the end of the options from "sec=none" to
>>>>> "username=guest,sec=ntlmssp" or "guest,sec=ntlmssp" results in failure
>>>>> to mount
>>>>> (tested on my patched kernel, which still supports the original fstab
>>>>> line), with dmesg containing:
>>>>>
>>>>> [45753.525219] CIFS: VFS: Use of the less secure dialect vers=1.0 is
>>>>> not recommended unless required for acc
>>>>> ess to very old servers
>>>>> [45753.525222] CIFS: Attempting to mount \\mede8er\mede8er
>>>>> [45756.861351] CIFS: VFS: Unable to select appropriate authentication method!
>>>>> [45756.861361] CIFS: VFS: \\mede8er Send error in SessSetup = -22
>>>>> [45756.861395] CIFS: VFS: cifs_mount failed w/return code = -22
>>>>>
>>>>> There is no way that I know of to set up users for smb auth on this
>>>>> device - it only supports guest connections.
>>>>>
>>>>> -d
>>>>>
>>>>>
>>>>> On Wed, 12 Jan 2022 at 04:32, ronnie sahlberg <ronniesahlberg@gmail.com> wrote:
>>>>>>
>>>>>> Thanks for the network traces.
>>>>>>
>>>>>> In the traces, both win11 and linux are not using even NTLM but the
>>>>>> even older "share password" authentication mode where you specify a
>>>>>> password for the share in the TreeConnect command.
>>>>>> That is something I think we should not support at all.
>>>>>>
>>>>>> What is the exact mount command line you use?
>>>>>> Can you try mounting the share using a username and ntlmssp ?
>>>>>> I.e. username=your-user,sec=ntlmssp  on the mount command
>>>>>>
>>>>>> regards
>>>>>> ronnie sahlberg
>>>>>>
>>>>>> On Wed, Jan 12, 2022 at 6:57 AM Davyd McColl <davydm@gmail.com> wrote:
>>>>>>>
>>>>>>> Hi Steve
>>>>>>>
>>>>>>> As requested, wireshark captures to the device in question, as well as
>>>>>>> the fstab entry I have for the device:
>>>>>>> - win11, browsing with explorer
>>>>>>> - win11, net use
>>>>>>> - unpatched linux 5.16.0 attempt to mount
>>>>>>> - patched linux 5.16.0 successful mount
>>>>>>> - fstab entry - note that I have to specify samba version 1.0 as the
>>>>>>> default has changed and the mount fails otherwise. Explicitly
>>>>>>> specifying 2.0 errors and suggests that I should select a different
>>>>>>> version.
>>>>>>>
>>>>>>> -d
>>>>>>>
>>>>>>> On Tue, 11 Jan 2022 at 00:13, Steve French <smfrench@gmail.com> wrote:
>>>>>>>>
>>>>>>>> I would be surprised if Windows 11 still negotiates (with default
>>>>>>>> registry settings) SMB1 much less NTLMv1 in SMB1, but I have not tried
>>>>>>>> Windows 11 with an NTLMv1 only server (they are hard to find - I may
>>>>>>>> have an original NT4 and an NT3.5 CD somewhere - might be possible to
>>>>>>>> install a VM with NT3.5 but that is really really old and not sure I
>>>>>>>> can find those CDs).
>>>>>>>>
>>>>>>>> Is it possible to send me the wireshark trace (or other network trace)
>>>>>>>> of the failing mount from Linux and also the one with the succeeding
>>>>>>>> NET USE from Windows 11 to the same server?
>>>>>>>>
>>>>>>>> Hopefully it is something unrelated to NTLMv1, there has been a LOT of
>>>>>>>> pushback across the world, across products in making sure no one uses
>>>>>>>> SMB1 anymore.  See e.g.
>>>>>>>> https://techcommunity.microsoft.com/t5/storage-at-microsoft/stop-using-smb1/ba-p/425858
>>>>>>>> and https://twitter.com/nerdpyle/status/776900804712148993
>>>>>>>>
>>>>>>>> On Mon, Jan 10, 2022 at 2:30 PM Davyd McColl <davydm@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>> I don't understand. I tracked down the exact commit where the issue
>>>>>>>>> occurs with a 2 hour git bisect. This was after first confirming that
>>>>>>>>> my older 5.14 kernel did not display the symptoms. I can still connect
>>>>>>>>> to the share via windows 11 explorer. I don't know what else I need to
>>>>>>>>> do here to show where the issue was introduced?
>>>>>>>>>
>>>>>>>>> Apologies for bouncing mails - literally no email client I have seems
>>>>>>>>> to be capable of plaintext emails, so every time I forget, I have to
>>>>>>>>> find a browser with the gmail web interface to reply.
>>>>>>>>>
>>>>>>>>> -d
>>>>>>>>>
>>>>>>>>> On Mon, 10 Jan 2022 at 19:31, Steve French <smfrench@gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>> I want to make sure that we don't have an unrelated regression
>>>>>>>>>> involved here since NTLMv2 replaced NTLMv1 over 20 years ago (googling
>>>>>>>>>> this e.g. I see "NTLMv2, introduced in Windows NT 4.0 SP4 and natively
>>>>>>>>>> supported in Windows 2000")  and should be the default for Windows
>>>>>>>>>> NT4, Windows 2000 etc. as well as any version of Samba from the last
>>>>>>>>>> 15 years+.  I have significant concerns with adding mechanisms that
>>>>>>>>>> were asked to be disabled ~19 years ago e.g. see
>>>>>>>>>> https://support.microsoft.com/en-us/topic/security-guidance-for-ntlmv1-and-lm-network-authentication-da2168b6-4a31-0088-fb03-f081acde6e73
>>>>>>>>>> due to security concerns.
>>>>>>>>>>
>>>>>>>>>> Can we double check that there are not other issues involved in your example?
>>>>>>>>>>
>>>>>>>>>> The concerns about NTLMv1 security concerns (and why it should never
>>>>>>>>>> be used) are very persuasive e.g. many articles like
>>>>>>>>>> https://miriamxyra.com/2017/11/08/stop-using-lan-manager-and-ntlmv1/
>>>>>>>>>>
>>>>>>>>>> On Mon, Jan 10, 2022 at 7:48 AM Davyd McColl <davydm@gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Good day
>>>>>>>>>>>
>>>>>>>>>>> I'm following advice from the thread at
>>>>>>>>>>> https://bugzilla.kernel.org/show_bug.cgi?id=215375 as to how to report
>>>>>>>>>>> this, so please bear with me and redirect me as necessary.
>>>>>>>>>>>
>>>>>>>>>>> Since commit 76a3c92ec9e0668e4cd0e9ff1782eb68f61a179c, I'm unable to
>>>>>>>>>>> mount a CIFS 1.0 share ( from a media player: mede8er med600x3d, which
>>>>>>>>>>> runs some older linux). Apparently I'm not the only one, according to
>>>>>>>>>>> that thread, though the other affected party there is windows-based.
>>>>>>>>>>>
>>>>>>>>>>> I first logged this in the Gentoo bugtracker
>>>>>>>>>>> (https://bugs.gentoo.org/821895) and a reversion patch is available
>>>>>>>>>>> there for the time being.
>>>>>>>>>>>
>>>>>>>>>>> I understand that some of the encryption methods upon which the
>>>>>>>>>>> original feature relied are to be removed and, as such, the ability to
>>>>>>>>>>> mount these older shares was removed. This is sure to affect anyone
>>>>>>>>>>> running older Windows virtual machines (or older, internally-visible
>>>>>>>>>>> windows hosts) in addition to anyone attempting to connect to shares
>>>>>>>>>>> from esoteric devices like mine.
>>>>>>>>>>>
>>>>>>>>>>> Whilst I understand the desire to clean up code and remove dead
>>>>>>>>>>> branches, I'd really appreciate it if this particular feature remains
>>>>>>>>>>> available either by kernel configuration (which suits me fine, but is
>>>>>>>>>>> likely to be a hassle for anyone running a binary distribution) or via
>>>>>>>>>>> boot parameters. In the mean-time, I'm updating my own sync software
>>>>>>>>>>> to support this older device because if I can't sync media to the
>>>>>>>>>>> player, the device is not very useful to me.
>>>>>>>>>>>
>>>>>>>>>>> Thanks
>>>>>>>>>>> -d
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Thanks,
>>>>>>>>>>
>>>>>>>>>> Steve
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>>>>>>>>> If you say that getting the money is the most important thing
>>>>>>>>> You will spend your life completely wasting your time
>>>>>>>>> You will be doing things you don't like doing
>>>>>>>>> In order to go on living
>>>>>>>>> That is, to go on doing things you don't like doing
>>>>>>>>>
>>>>>>>>> Which is stupid.
>>>>>>>>>
>>>>>>>>> - Alan Watts
>>>>>>>>> https://www.youtube.com/watch?v=-gXTZM_uPMY
>>>>>>>>>
>>>>>>>>> Quidquid latine dictum sit, altum sonatur.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Steve
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>>>>>>> If you say that getting the money is the most important thing
>>>>>>> You will spend your life completely wasting your time
>>>>>>> You will be doing things you don't like doing
>>>>>>> In order to go on living
>>>>>>> That is, to go on doing things you don't like doing
>>>>>>>
>>>>>>> Which is stupid.
>>>>>>>
>>>>>>> - Alan Watts
>>>>>>> https://www.youtube.com/watch?v=-gXTZM_uPMY
>>>>>>>
>>>>>>> Quidquid latine dictum sit, altum sonatur.
>>>>>
>>>>>
>>>>>
>>>>
>>>
> 
> 
> 

Re: Possible regression: unable to mount CIFS 1.0 shares from older machines since 76a3c92ec9e0668e4cd0e9ff1782eb68f61a179c

[Davyd McColl]

Hi Thorsten

I can check out and build torvalds/linux at tag 5.17-rc6 without
reverting, but if I revert 76a3c92ec9e0668e4cd0e9ff1782eb68f61a179c
then the build fails with:

fs/cifs/sess.c: In function 'sess_auth_ntlm':
fs/cifs/sess.c:1287:45: error: passing argument 2 of 'cifs_ssetup_hdr'
from incompatible pointer type [-Werror=incompatible-pointer-types]
 1287 |         capabilities = cifs_ssetup_hdr(ses, pSMB);
      |                                             ^~~~
      |                                             |
      |                                             SESSION_SETUP_ANDX
* {aka union smb_com_session_setup_andx *}
fs/cifs/sess.c:373:54: note: expected 'struct TCP_Server_Info *' but
argument is of type 'SESSION_SETUP_ANDX *' {aka 'union
smb_com_session_setup_andx *'}
  373 |                              struct TCP_Server_Info *server,
      |                              ~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~
fs/cifs/sess.c:1287:24: error: too few arguments to function 'cifs_ssetup_hdr'
 1287 |         capabilities = cifs_ssetup_hdr(ses, pSMB);
      |                        ^~~~~~~~~~~~~~~
fs/cifs/sess.c:372:14: note: declared here
  372 | static __u32 cifs_ssetup_hdr(struct cifs_ses *ses,
      |              ^~~~~~~~~~~~~~~

So this commit doesn't appear to revert easily right now - things have moved ):

The patch I've been using against gentoo-sources also fails to apply
to v5.17-rc6 ):

-d

On Wed, 2 Mar 2022 at 08:58, Thorsten Leemhuis
<regressions@leemhuis.info> wrote:
>
> Hi, this is your Linux kernel regression tracker, once again...
>
> On 18.02.22 14:30, Davyd McColl wrote:
> > Apologies for the late response - I didn't see the last bit of the
> > mail asking for more info.
> >
> > Thorsten: the only group policy modification I have on my win11
> > machine (which was
> > loaded fresh not too long ago) is to enable insecure guest logins,
> > which is obviously
> > required for samba shares where the share allows a guest login without
> > any password.
> > I have to enable this to browse the shares on my Gentoo machine from the win11
> > machine anyway.
>
> Thx for the update. I pointed Linus towards this thread two times now,
> but he didn't comment on it afaics. CCing him now, maybe that will to
> the trick. If not, it'll leave me with two options:
>
> a) give up
> b) submit a revert for 5.18 to force a discussion of the issue
>
> I currently tend to do the latter due to the fact that it's something
> that still works on Win11 with a simple change in the registry. But
> before that:
>
> @Steve: what's your option on this? Do you basically agree with what
> Ronnie stated in
> https://lore.kernel.org/lkml/CAN05THQbR4d55kx6MEHGcn-iLZKJG1C0vhq19wfo=NrB6q1Apg@mail.gmail.com/
> To quote:
> ```
> > Right now you can likely just revert it. Maybe in the next kernel too.
> > But in a kernel not too far into the future some of the crypto primitives that
> > this depended on will simply not exist any more in the linux kernel
> > and will not be
> > available through the standard api.
> >
> > At that point it is no longer a matter of just reverting the patch but
> > a matter of
> > re-importing an equivalent crypto replacement and port cifs.ko to its new api.
> >
> > That is a lot of work and maintenance for something that is obsolete.
> ```
>
> And Davyd: if you have a minute, could you maybe try running 5.17-rc6
> (or Linus mainline from git) with
> 76a3c92ec9e0668e4cd0e9ff1782eb68f61a179c reverted and check if
> everything wrt to cifs continues to work?
>
> Ciao, Thorsten
>
> > On Fri, 28 Jan 2022 at 16:02, Thorsten Leemhuis
> > <regressions@leemhuis.info> wrote:
> >>
> >> On 28.01.22 14:50, ronnie sahlberg wrote:
> >>> On Fri, Jan 28, 2022 at 11:30 PM Thorsten Leemhuis
> >>> <regressions@leemhuis.info> wrote:
> >>>>
> >>>> Hi, this is your Linux kernel regression tracker speaking.
> >>>>
> >>>> Top-posting for once, to make this easy accessible to everyone.
> >>>>
> >>>> Davyd, Ronnie, and/or Steve: What the status here? It seems after some
> >>>> productive debugging back and forth it seems everyone forgot about this.
> >>>> Or was progress made somewhere and I just missed it?
> >>>
> >>> I tried but can not find a system old enough to reproduce.
> >>> Remember, this is an authentication mechanism that Microsoft begged
> >>> people to stop using and migrate away from over 20 years ago.
> >>> Win2k works just fine, as does samba3.0.
> >>> I have no idea if Samba 2.0 works with current cifs.ko   but then
> >>> again  I seriously doubt you can even get samba 2.0 to even compile on
> >>> a modern
> >>> machine as so many APIs have changed or just gone away since the late 90s.
> >>>
> >>> I tried, but there is just so much time you can spend on something
> >>> that was declared obsolete 20 years ago.
> >>
> >> I can fully understand that -- otoh then I'd normally say "well, then
> >> let's just revert the commit that causes this". But in this case I can
> >> understand that it might not be wise.
> >>
> >> There is one thing that would help me to judge this situation better:
> >>
> >> Davyd, did a default Win11 install connect fine with standard settings
> >> or did you have to modify something in the registry to make it work
> >> there (which you might have done years ago in case you updated the
> >> machine!), as Ronnie suspected? Or was this already clarified in this
> >> thread somewhere and I just missed that (in that case: sorry!)?
> >>
> >> Ciao, Thorsten
> >>
> >>>> Ciao, Thorsten
> >>>>
> >>>> #regzbot poke
> >>>>
> >>>>
> >>>> On 12.01.22 06:49, Davyd McColl wrote:
> >>>>> Hi Ronnie
> >>>>>
> >>>>> The regular fstab line for this mount is:
> >>>>>
> >>>>> //mede8er/mede8er  /mnt/mede8er-smb  cifs
> >>>>> noauto,guest,users,uid=daf,gid=daf,iocharset=utf8,vers=1.0,nobrl,sec=none
> >>>>>  0  0
> >>>>>
> >>>>> Altering the end of the options from "sec=none" to
> >>>>> "username=guest,sec=ntlmssp" or "guest,sec=ntlmssp" results in failure
> >>>>> to mount
> >>>>> (tested on my patched kernel, which still supports the original fstab
> >>>>> line), with dmesg containing:
> >>>>>
> >>>>> [45753.525219] CIFS: VFS: Use of the less secure dialect vers=1.0 is
> >>>>> not recommended unless required for acc
> >>>>> ess to very old servers
> >>>>> [45753.525222] CIFS: Attempting to mount \\mede8er\mede8er
> >>>>> [45756.861351] CIFS: VFS: Unable to select appropriate authentication method!
> >>>>> [45756.861361] CIFS: VFS: \\mede8er Send error in SessSetup = -22
> >>>>> [45756.861395] CIFS: VFS: cifs_mount failed w/return code = -22
> >>>>>
> >>>>> There is no way that I know of to set up users for smb auth on this
> >>>>> device - it only supports guest connections.
> >>>>>
> >>>>> -d
> >>>>>
> >>>>>
> >>>>> On Wed, 12 Jan 2022 at 04:32, ronnie sahlberg <ronniesahlberg@gmail.com> wrote:
> >>>>>>
> >>>>>> Thanks for the network traces.
> >>>>>>
> >>>>>> In the traces, both win11 and linux are not using even NTLM but the
> >>>>>> even older "share password" authentication mode where you specify a
> >>>>>> password for the share in the TreeConnect command.
> >>>>>> That is something I think we should not support at all.
> >>>>>>
> >>>>>> What is the exact mount command line you use?
> >>>>>> Can you try mounting the share using a username and ntlmssp ?
> >>>>>> I.e. username=your-user,sec=ntlmssp  on the mount command
> >>>>>>
> >>>>>> regards
> >>>>>> ronnie sahlberg
> >>>>>>
> >>>>>> On Wed, Jan 12, 2022 at 6:57 AM Davyd McColl <davydm@gmail.com> wrote:
> >>>>>>>
> >>>>>>> Hi Steve
> >>>>>>>
> >>>>>>> As requested, wireshark captures to the device in question, as well as
> >>>>>>> the fstab entry I have for the device:
> >>>>>>> - win11, browsing with explorer
> >>>>>>> - win11, net use
> >>>>>>> - unpatched linux 5.16.0 attempt to mount
> >>>>>>> - patched linux 5.16.0 successful mount
> >>>>>>> - fstab entry - note that I have to specify samba version 1.0 as the
> >>>>>>> default has changed and the mount fails otherwise. Explicitly
> >>>>>>> specifying 2.0 errors and suggests that I should select a different
> >>>>>>> version.
> >>>>>>>
> >>>>>>> -d
> >>>>>>>
> >>>>>>> On Tue, 11 Jan 2022 at 00:13, Steve French <smfrench@gmail.com> wrote:
> >>>>>>>>
> >>>>>>>> I would be surprised if Windows 11 still negotiates (with default
> >>>>>>>> registry settings) SMB1 much less NTLMv1 in SMB1, but I have not tried
> >>>>>>>> Windows 11 with an NTLMv1 only server (they are hard to find - I may
> >>>>>>>> have an original NT4 and an NT3.5 CD somewhere - might be possible to
> >>>>>>>> install a VM with NT3.5 but that is really really old and not sure I
> >>>>>>>> can find those CDs).
> >>>>>>>>
> >>>>>>>> Is it possible to send me the wireshark trace (or other network trace)
> >>>>>>>> of the failing mount from Linux and also the one with the succeeding
> >>>>>>>> NET USE from Windows 11 to the same server?
> >>>>>>>>
> >>>>>>>> Hopefully it is something unrelated to NTLMv1, there has been a LOT of
> >>>>>>>> pushback across the world, across products in making sure no one uses
> >>>>>>>> SMB1 anymore.  See e.g.
> >>>>>>>> https://techcommunity.microsoft.com/t5/storage-at-microsoft/stop-using-smb1/ba-p/425858
> >>>>>>>> and https://twitter.com/nerdpyle/status/776900804712148993
> >>>>>>>>
> >>>>>>>> On Mon, Jan 10, 2022 at 2:30 PM Davyd McColl <davydm@gmail.com> wrote:
> >>>>>>>>>
> >>>>>>>>> I don't understand. I tracked down the exact commit where the issue
> >>>>>>>>> occurs with a 2 hour git bisect. This was after first confirming that
> >>>>>>>>> my older 5.14 kernel did not display the symptoms. I can still connect
> >>>>>>>>> to the share via windows 11 explorer. I don't know what else I need to
> >>>>>>>>> do here to show where the issue was introduced?
> >>>>>>>>>
> >>>>>>>>> Apologies for bouncing mails - literally no email client I have seems
> >>>>>>>>> to be capable of plaintext emails, so every time I forget, I have to
> >>>>>>>>> find a browser with the gmail web interface to reply.
> >>>>>>>>>
> >>>>>>>>> -d
> >>>>>>>>>
> >>>>>>>>> On Mon, 10 Jan 2022 at 19:31, Steve French <smfrench@gmail.com> wrote:
> >>>>>>>>>>
> >>>>>>>>>> I want to make sure that we don't have an unrelated regression
> >>>>>>>>>> involved here since NTLMv2 replaced NTLMv1 over 20 years ago (googling
> >>>>>>>>>> this e.g. I see "NTLMv2, introduced in Windows NT 4.0 SP4 and natively
> >>>>>>>>>> supported in Windows 2000")  and should be the default for Windows
> >>>>>>>>>> NT4, Windows 2000 etc. as well as any version of Samba from the last
> >>>>>>>>>> 15 years+.  I have significant concerns with adding mechanisms that
> >>>>>>>>>> were asked to be disabled ~19 years ago e.g. see
> >>>>>>>>>> https://support.microsoft.com/en-us/topic/security-guidance-for-ntlmv1-and-lm-network-authentication-da2168b6-4a31-0088-fb03-f081acde6e73
> >>>>>>>>>> due to security concerns.
> >>>>>>>>>>
> >>>>>>>>>> Can we double check that there are not other issues involved in your example?
> >>>>>>>>>>
> >>>>>>>>>> The concerns about NTLMv1 security concerns (and why it should never
> >>>>>>>>>> be used) are very persuasive e.g. many articles like
> >>>>>>>>>> https://miriamxyra.com/2017/11/08/stop-using-lan-manager-and-ntlmv1/
> >>>>>>>>>>
> >>>>>>>>>> On Mon, Jan 10, 2022 at 7:48 AM Davyd McColl <davydm@gmail.com> wrote:
> >>>>>>>>>>>
> >>>>>>>>>>> Good day
> >>>>>>>>>>>
> >>>>>>>>>>> I'm following advice from the thread at
> >>>>>>>>>>> https://bugzilla.kernel.org/show_bug.cgi?id=215375 as to how to report
> >>>>>>>>>>> this, so please bear with me and redirect me as necessary.
> >>>>>>>>>>>
> >>>>>>>>>>> Since commit 76a3c92ec9e0668e4cd0e9ff1782eb68f61a179c, I'm unable to
> >>>>>>>>>>> mount a CIFS 1.0 share ( from a media player: mede8er med600x3d, which
> >>>>>>>>>>> runs some older linux). Apparently I'm not the only one, according to
> >>>>>>>>>>> that thread, though the other affected party there is windows-based.
> >>>>>>>>>>>
> >>>>>>>>>>> I first logged this in the Gentoo bugtracker
> >>>>>>>>>>> (https://bugs.gentoo.org/821895) and a reversion patch is available
> >>>>>>>>>>> there for the time being.
> >>>>>>>>>>>
> >>>>>>>>>>> I understand that some of the encryption methods upon which the
> >>>>>>>>>>> original feature relied are to be removed and, as such, the ability to
> >>>>>>>>>>> mount these older shares was removed. This is sure to affect anyone
> >>>>>>>>>>> running older Windows virtual machines (or older, internally-visible
> >>>>>>>>>>> windows hosts) in addition to anyone attempting to connect to shares
> >>>>>>>>>>> from esoteric devices like mine.
> >>>>>>>>>>>
> >>>>>>>>>>> Whilst I understand the desire to clean up code and remove dead
> >>>>>>>>>>> branches, I'd really appreciate it if this particular feature remains
> >>>>>>>>>>> available either by kernel configuration (which suits me fine, but is
> >>>>>>>>>>> likely to be a hassle for anyone running a binary distribution) or via
> >>>>>>>>>>> boot parameters. In the mean-time, I'm updating my own sync software
> >>>>>>>>>>> to support this older device because if I can't sync media to the
> >>>>>>>>>>> player, the device is not very useful to me.
> >>>>>>>>>>>
> >>>>>>>>>>> Thanks
> >>>>>>>>>>> -d
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> --
> >>>>>>>>>> Thanks,
> >>>>>>>>>>
> >>>>>>>>>> Steve
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> --
> >>>>>>>>> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> >>>>>>>>> If you say that getting the money is the most important thing
> >>>>>>>>> You will spend your life completely wasting your time
> >>>>>>>>> You will be doing things you don't like doing
> >>>>>>>>> In order to go on living
> >>>>>>>>> That is, to go on doing things you don't like doing
> >>>>>>>>>
> >>>>>>>>> Which is stupid.
> >>>>>>>>>
> >>>>>>>>> - Alan Watts
> >>>>>>>>> https://www.youtube.com/watch?v=-gXTZM_uPMY
> >>>>>>>>>
> >>>>>>>>> Quidquid latine dictum sit, altum sonatur.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> --
> >>>>>>>> Thanks,
> >>>>>>>>
> >>>>>>>> Steve
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> --
> >>>>>>> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> >>>>>>> If you say that getting the money is the most important thing
> >>>>>>> You will spend your life completely wasting your time
> >>>>>>> You will be doing things you don't like doing
> >>>>>>> In order to go on living
> >>>>>>> That is, to go on doing things you don't like doing
> >>>>>>>
> >>>>>>> Which is stupid.
> >>>>>>>
> >>>>>>> - Alan Watts
> >>>>>>> https://www.youtube.com/watch?v=-gXTZM_uPMY
> >>>>>>>
> >>>>>>> Quidquid latine dictum sit, altum sonatur.
> >>>>>
> >>>>>
> >>>>>
> >>>>
> >>>
> >
> >
> >
>


-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
If you say that getting the money is the most important thing
You will spend your life completely wasting your time
You will be doing things you don't like doing
In order to go on living
That is, to go on doing things you don't like doing

Which is stupid.

- Alan Watts
https://www.youtube.com/watch?v=-gXTZM_uPMY

Quidquid latine dictum sit, altum sonatur.

Re: Possible regression: unable to mount CIFS 1.0 shares from older machines since 76a3c92ec9e0668e4cd0e9ff1782eb68f61a179c

[Linus Torvalds]

On Tue, Mar 1, 2022 at 10:58 PM Thorsten Leemhuis
<regressions@leemhuis.info> wrote:
>
> Thx for the update. I pointed Linus towards this thread two times now,
> but he didn't comment on it afaics. CCing him now, maybe that will to
> the trick.

So I have to admit that I think it's a 20+ year old legacy and
insecure protocol that nobody should be using.

When the maintainer can't really even test it, and it really has been
deprecated that long, I get the feeling that somebody who wants it to
be maintained will need to do that job himself.

This seems to be a _very_ niche thing, possibly legacy museum style
equipment, and maybe using an older kernel ends up being the answer if
nobody steps up and maintains it as an external patch.

             Linus

Re: Possible regression: unable to mount CIFS 1.0 shares from older machines since 76a3c92ec9e0668e4cd0e9ff1782eb68f61a179c

[Steve French]

We have been looking to see if we could setup some VMs for something
that old, and we are willing to test against it if it could
realistically be setup, but it has been harder than expected.  Ronnie
had some ideas and we are willing to experiment more but realistically
it is very hard to deal with 'legacy museum style' unless we have some
VMs available for old systems.

Feel free to contact Ronnie and me or Shyam etc (offline if easier) if
you have ideas on how to setup something like this.   We don't want to
be encouraging SMB1, but certainly not NTLMv1 auth with SMB1 given its
security weaknesses (especially given the particular uses hackers have
made of 25+ year old NTLMv1 weaknesses).

On Wed, Mar 2, 2022 at 6:51 PM Linus Torvalds
<torvalds@linux-foundation.org> wrote:
>
> On Tue, Mar 1, 2022 at 10:58 PM Thorsten Leemhuis
> <regressions@leemhuis.info> wrote:
> >
> > Thx for the update. I pointed Linus towards this thread two times now,
> > but he didn't comment on it afaics. CCing him now, maybe that will to
> > the trick.
>
> So I have to admit that I think it's a 20+ year old legacy and
> insecure protocol that nobody should be using.
>
> When the maintainer can't really even test it, and it really has been
> deprecated that long, I get the feeling that somebody who wants it to
> be maintained will need to do that job himself.
>
> This seems to be a _very_ niche thing, possibly legacy museum style
> equipment, and maybe using an older kernel ends up being the answer if
> nobody steps up and maintains it as an external patch.
>
>              Linus



-- 
Thanks,

Steve

Re: Possible regression: unable to mount CIFS 1.0 shares from older machines since 76a3c92ec9e0668e4cd0e9ff1782eb68f61a179c

[Thorsten Leemhuis]

On 03.03.22 02:27, Steve French wrote:
> We have been looking to see if we could setup some VMs for something
> that old, and we are willing to test against it if it could
> realistically be setup, but it has been harder than expected.  Ronnie
> had some ideas and we are willing to experiment more but realistically
> it is very hard to deal with 'legacy museum style' unless we have some
> VMs available for old systems.
> 
> Feel free to contact Ronnie and me or Shyam etc (offline if easier) if
> you have ideas on how to setup something like this.   We don't want to
> be encouraging SMB1, but certainly not NTLMv1 auth with SMB1 given its
> security weaknesses (especially given the particular uses hackers have
> made of 25+ year old NTLMv1 weaknesses).

Linus, Steve, thx for your option on this. I not sure if "museum style
equipment" really applies here, as the hardware seems to be sold in
2013/2014 and according to the reporter even got a update in 2016. But
whatever, yes, it's niche thing and what the hw manufacturer did there
was a bad idea.

Anyway, I'll stop tracking this then.

#regzbot invalid: to niche/risky/old, see Linus and Steve's messages for
details

> On Wed, Mar 2, 2022 at 6:51 PM Linus Torvalds
> <torvalds@linux-foundation.org> wrote:
>>
>> On Tue, Mar 1, 2022 at 10:58 PM Thorsten Leemhuis
>> <regressions@leemhuis.info> wrote:
>>>
>>> Thx for the update. I pointed Linus towards this thread two times now,
>>> but he didn't comment on it afaics. CCing him now, maybe that will to
>>> the trick.
>>
>> So I have to admit that I think it's a 20+ year old legacy and
>> insecure protocol that nobody should be using.
>>
>> When the maintainer can't really even test it, and it really has been
>> deprecated that long, I get the feeling that somebody who wants it to
>> be maintained will need to do that job himself.
>>
>> This seems to be a _very_ niche thing, possibly legacy museum style
>> equipment, and maybe using an older kernel ends up being the answer if
>> nobody steps up and maintains it as an external patch.
>>
>>              Linus
> 
> 
> 

Re: Possible regression: unable to mount CIFS 1.0 shares from older machines since 76a3c92ec9e0668e4cd0e9ff1782eb68f61a179c

[Clemens Leu]

Hi all

Here follows now another practical reason why it is at the moment a 
quite unhappy decision to ditch the NTLM/CIFS 1.0 support entirely.

I am on Kubuntu 20.04 LTS and the access to my Apple Time Capsule worked 
fine. This changed when kernel 5.15.0-41-generic was installed some time 
ago. Since then I have in dmesg the known "kernel: bad security option: 
ntlm" and "kernel: CIFS: VFS: bad security option: ntlm" messages and no 
access is possible any longer to the Time Capsule.

So it looks that commit "[76a3c92ec9e0668e4cd0e9ff1782eb68f61a179c] 
cifs: remove support for NTLM and weaker authentication algorithms" has 
completely broken my Time Capsule access.

Yes, I know, ntlm is more than 20 years old and a quite insecure 
protocol. It is absolutely understandable to disable it as default. 
However, it should be also regarded that there exist companies which 
decided because of narrow-minded reasons to implement only the old SMB1 
protocol also on not so old hardware. Apple is such an example, they 
really implemented on all of their Time Capsule models (which were using 
a special Samba implementation) only the stone-age variant of SMB/NTLM. 
This is true even for the last 2013 variant which was discontinued on 
April 26, 2018. Apple could for sure support a more recent SMB version 
but they didn't do it most likely to make their own AFP3 protocol look 
and perform better.

So the alternative would be AFP in my case, unfortunately it's not so 
easy. While we have thanks to Netatalk a rock-solid AFP support in Linux 
at the server side, this is unfortunately not true for the client one. 
The corresponding "afpfs-ng" (Apple Filing Protocol Library, a client 
implementation of the Apple Filing Protocol) project is unmaintained and 
dormant for years.

Long story short, the current situation in this topic is as I said quite 
unhappy. While I fully agree to disable NTLM/CIFS 1.0 as default, it 
shouldn't be removed entirely. Maybe it is possible to enable it only 
for accessing older network volumes/shares while on the same time block 
the possibility to create insecure NTLM network shares? I am aware that 
the risk in enabling this old and flawed protocol will be my own 
problem. I won't complain if I get into trouble because of it. ;-) 
Unfortunately I have no alternative other than buying a new NAS or 
downgrading to an older kernel which is also not a really practical option.

Whatever, many thanks for all your great work!

Re: Possible regression: unable to mount CIFS 1.0 shares from older machines since 76a3c92ec9e0668e4cd0e9ff1782eb68f61a179c

[Steve French]

Is using userspace tools (like Samba's "ftp like" smbclient tool) an
option to migrate these files?

On Wed, Jul 27, 2022 at 3:04 PM Clemens Leu <clemens.leu@gmail.com> wrote:
>
> Hi all
>
> Here follows now another practical reason why it is at the moment a
> quite unhappy decision to ditch the NTLM/CIFS 1.0 support entirely.
>
> I am on Kubuntu 20.04 LTS and the access to my Apple Time Capsule worked
> fine. This changed when kernel 5.15.0-41-generic was installed some time
> ago. Since then I have in dmesg the known "kernel: bad security option:
> ntlm" and "kernel: CIFS: VFS: bad security option: ntlm" messages and no
> access is possible any longer to the Time Capsule.
>
> So it looks that commit "[76a3c92ec9e0668e4cd0e9ff1782eb68f61a179c]
> cifs: remove support for NTLM and weaker authentication algorithms" has
> completely broken my Time Capsule access.
>
> Yes, I know, ntlm is more than 20 years old and a quite insecure
> protocol. It is absolutely understandable to disable it as default.
> However, it should be also regarded that there exist companies which
> decided because of narrow-minded reasons to implement only the old SMB1
> protocol also on not so old hardware. Apple is such an example, they
> really implemented on all of their Time Capsule models (which were using
> a special Samba implementation) only the stone-age variant of SMB/NTLM.
> This is true even for the last 2013 variant which was discontinued on
> April 26, 2018. Apple could for sure support a more recent SMB version
> but they didn't do it most likely to make their own AFP3 protocol look
> and perform better.
>
> So the alternative would be AFP in my case, unfortunately it's not so
> easy. While we have thanks to Netatalk a rock-solid AFP support in Linux
> at the server side, this is unfortunately not true for the client one.
> The corresponding "afpfs-ng" (Apple Filing Protocol Library, a client
> implementation of the Apple Filing Protocol) project is unmaintained and
> dormant for years.
>
> Long story short, the current situation in this topic is as I said quite
> unhappy. While I fully agree to disable NTLM/CIFS 1.0 as default, it
> shouldn't be removed entirely. Maybe it is possible to enable it only
> for accessing older network volumes/shares while on the same time block
> the possibility to create insecure NTLM network shares? I am aware that
> the risk in enabling this old and flawed protocol will be my own
> problem. I won't complain if I get into trouble because of it. ;-)
> Unfortunately I have no alternative other than buying a new NAS or
> downgrading to an older kernel which is also not a really practical option.
>
> Whatever, many thanks for all your great work!
>


-- 
Thanks,

Steve

Re: Possible regression: unable to mount CIFS 1.0 shares from older machines since 76a3c92ec9e0668e4cd0e9ff1782eb68f61a179c

[Carsten Langer]

 > We have been looking to see if we could setup some VMs for something
 > that old, and we are willing to test against it if it could
 > realistically be setup, but it has been harder than expected. Ronnie
 > had some ideas and we are willing to experiment more but realistically
 > it is very hard to deal with 'legacy museum style' unless we have some
 > VMs available for old systems.
 >
 > Feel free to contact Ronnie and me or Shyam etc (offline if easier) if
 > you have ideas on how to setup something like this.   We don't want to
 > be encouraging SMB1, but certainly not NTLMv1 auth with SMB1 given its
 > security weaknesses (especially given the particular uses hackers have
 > made of 25+ year old NTLMv1 weaknesses).

I would be willing to try to set up a VM for testing.

The issue was further discussed in
https://bugzilla.kernel.org/show_bug.cgi?id=215375
I think we could split the topic. The part important for me and others
affected
by this bug is that this regression introduced a protocol violation of
the SMB1
protocol, even for the case where users want to use SMB1 in guest mode,
i.e. without any authentication. At least in this case IMHO we do not need
to discuss NTLMv1 etc., but just make sure that the SMB1 protocol is
again correctly
followed for the case that no user/password is needed. That is what the
proposed patch is
about.

Thus my idea would be to set up an old-enough Samba server providing the
SMB1 protocol
(just) for guest mode, without user/password. If I could then prove that
without patch
the error against that VM occurs and with the patch it works fine, would
that be enough?

But I wonder what you understand by VM? A VirtualBox OVA file? Vmware?
Some Dockerfile
to create an image?
And as this will be a test against a simulated server in a network, are
there standard
requirements how the network is set up between test system and the VM?

- Carsten

Re: Possible regression: unable to mount CIFS 1.0 shares from older machines since 76a3c92ec9e0668e4cd0e9ff1782eb68f61a179c

[Steve French]

We do still need a little more data from the users affected to ensure
that it isn't something more subtle.  One user noted Windows 11 worked
as a client, but not Linux which would imply that it is probably
something other than NTLM (NTLM has been strongly discouraged if not
disabled for more than 20 years).

On Mon, Jan 10, 2022 at 9:07 PM Thorsten Leemhuis
<regressions@leemhuis.info> wrote:
>
> Hi, this is your Linux kernel regression tracker speaking.
>
> On 10.01.22 06:53, Davyd McColl wrote:
> >
> > I'm following advice from the thread at
> > https://bugzilla.kernel.org/show_bug.cgi?id=215375
> > <https://bugzilla.kernel.org/show_bug.cgi?id=215375> as to how to report
> > this, so please bear with me and redirect me as necessary.
> >
> > Since commit 76a3c92ec9e0668e4cd0e9ff1782eb68f61a179c,
>
> FWIW, that is "cifs: remove support for NTLM and weaker authentication
> algorithms"
>
> > I'm unable to
> > mount a CIFS 1.0 share ( from a media player: mede8er med600x3d, which
> > runs some older linux). Apparently I'm not the only one, according to
> > that thread, though the other affected party there is windows-based.
> >
> > I first logged this in the Gentoo bugtracker
> > (https://bugs.gentoo.org/821895 <https://bugs.gentoo.org/821895>) and a
> > reversion patch is available there for the time being.
> >
> > I understand that some of the encryption methods upon which the original
> > feature relied are to be removed and, as such, the ability to mount
> > these older shares was removed. This is sure to affect anyone running
> > older Windows virtual machines (or older, internally-visible windows
> > hosts) in addition to anyone attempting to connect to shares from
> > esoteric devices like mine.
>
> > Whilst I understand the desire to clean up code and remove dead
> > branches, I'd really appreciate it if this particular feature remains
> > available either by kernel configuration (which suits me fine, but is
> > likely to be a hassle for anyone running a binary distribution) or via
> > boot parameters. In the mean-time, I'm updating my own sync software to
> > support this older device because if I can't sync media to the player,
> > the device is not very useful to me.
>
> From my point of view this afaics looks like one of those issues where
> the "no regressions" rule gets tricky. But I told Davyd to bring it
> forward here to get it discussed in the open. I also wonder if some
> middle-ground solution could be found in this particular case -- e.g.
> one where the commit stated above gets reverted and the code then
> slightly changed to only allow weaker authentication if the user
> manually requests in somehow, for example using a module parameter or
> something in /proc or /sys.
>
> Ciao, Thorsten
>
> P.S.: Anyway, getting this tracked:
>
> #regzbot ^introduced 76a3c92ec9e0668e4cd0e9ff1782eb68f61a179c
> #regzbot title cifs: unable to shares that require NTLM or weaker
> authentication algorithms
> #regzbot link: https://bugzilla.kernel.org/show_bug.cgi?id=215375



-- 
Thanks,

Steve

Re: Possible regression: unable to mount CIFS 1.0 shares from older machines since 76a3c92ec9e0668e4cd0e9ff1782eb68f61a179c

[Thorsten Leemhuis]

Hi, this is your Linux kernel regression tracker speaking.

On 10.01.22 06:53, Davyd McColl wrote:
> 
> I'm following advice from the thread at
> https://bugzilla.kernel.org/show_bug.cgi?id=215375
> <https://bugzilla.kernel.org/show_bug.cgi?id=215375> as to how to report
> this, so please bear with me and redirect me as necessary.
> 
> Since commit 76a3c92ec9e0668e4cd0e9ff1782eb68f61a179c,

FWIW, that is "cifs: remove support for NTLM and weaker authentication
algorithms"

> I'm unable to
> mount a CIFS 1.0 share ( from a media player: mede8er med600x3d, which
> runs some older linux). Apparently I'm not the only one, according to
> that thread, though the other affected party there is windows-based.
> 
> I first logged this in the Gentoo bugtracker
> (https://bugs.gentoo.org/821895 <https://bugs.gentoo.org/821895>) and a
> reversion patch is available there for the time being.
> 
> I understand that some of the encryption methods upon which the original
> feature relied are to be removed and, as such, the ability to mount
> these older shares was removed. This is sure to affect anyone running
> older Windows virtual machines (or older, internally-visible windows
> hosts) in addition to anyone attempting to connect to shares from
> esoteric devices like mine.

> Whilst I understand the desire to clean up code and remove dead
> branches, I'd really appreciate it if this particular feature remains
> available either by kernel configuration (which suits me fine, but is
> likely to be a hassle for anyone running a binary distribution) or via
> boot parameters. In the mean-time, I'm updating my own sync software to
> support this older device because if I can't sync media to the player,
> the device is not very useful to me.

From my point of view this afaics looks like one of those issues where
the "no regressions" rule gets tricky. But I told Davyd to bring it
forward here to get it discussed in the open. I also wonder if some
middle-ground solution could be found in this particular case -- e.g.
one where the commit stated above gets reverted and the code then
slightly changed to only allow weaker authentication if the user
manually requests in somehow, for example using a module parameter or
something in /proc or /sys.

Ciao, Thorsten

P.S.: Anyway, getting this tracked:

#regzbot ^introduced 76a3c92ec9e0668e4cd0e9ff1782eb68f61a179c
#regzbot title cifs: unable to shares that require NTLM or weaker
authentication algorithms
#regzbot link: https://bugzilla.kernel.org/show_bug.cgi?id=215375