From: Clemens Leu <clemens.leu@gmail.com>
To: torvalds@linux-foundation.org
Cc: davydm@gmail.com, linux-cifs@vger.kernel.org,
linux-kernel@vger.kernel.org, regressions@leemhuis.info,
regressions@lists.linux.dev, ronniesahlberg@gmail.com,
smfrench@gmail.com
Subject: Re: Possible regression: unable to mount CIFS 1.0 shares from older machines since 76a3c92ec9e0668e4cd0e9ff1782eb68f61a179c
Date: Wed, 27 Jul 2022 22:04:33 +0200 [thread overview]
Message-ID: <fda96c5c-9007-4147-3be1-8c9deca0442c@gmail.com> (raw)
In-Reply-To: <CAHk-=wjSBvRk-ksUBOiQzJd=e19UZKvOSZs1UHahK5U0QVh6RQ@mail.gmail.com>
Hi all
Here follows now another practical reason why it is at the moment a
quite unhappy decision to ditch the NTLM/CIFS 1.0 support entirely.
I am on Kubuntu 20.04 LTS and the access to my Apple Time Capsule worked
fine. This changed when kernel 5.15.0-41-generic was installed some time
ago. Since then I have in dmesg the known "kernel: bad security option:
ntlm" and "kernel: CIFS: VFS: bad security option: ntlm" messages and no
access is possible any longer to the Time Capsule.
So it looks that commit "[76a3c92ec9e0668e4cd0e9ff1782eb68f61a179c]
cifs: remove support for NTLM and weaker authentication algorithms" has
completely broken my Time Capsule access.
Yes, I know, ntlm is more than 20 years old and a quite insecure
protocol. It is absolutely understandable to disable it as default.
However, it should be also regarded that there exist companies which
decided because of narrow-minded reasons to implement only the old SMB1
protocol also on not so old hardware. Apple is such an example, they
really implemented on all of their Time Capsule models (which were using
a special Samba implementation) only the stone-age variant of SMB/NTLM.
This is true even for the last 2013 variant which was discontinued on
April 26, 2018. Apple could for sure support a more recent SMB version
but they didn't do it most likely to make their own AFP3 protocol look
and perform better.
So the alternative would be AFP in my case, unfortunately it's not so
easy. While we have thanks to Netatalk a rock-solid AFP support in Linux
at the server side, this is unfortunately not true for the client one.
The corresponding "afpfs-ng" (Apple Filing Protocol Library, a client
implementation of the Apple Filing Protocol) project is unmaintained and
dormant for years.
Long story short, the current situation in this topic is as I said quite
unhappy. While I fully agree to disable NTLM/CIFS 1.0 as default, it
shouldn't be removed entirely. Maybe it is possible to enable it only
for accessing older network volumes/shares while on the same time block
the possibility to create insecure NTLM network shares? I am aware that
the risk in enabling this old and flawed protocol will be my own
problem. I won't complain if I get into trouble because of it. ;-)
Unfortunately I have no alternative other than buying a new NAS or
downgrading to an older kernel which is also not a really practical option.
Whatever, many thanks for all your great work!
next prev parent reply other threads:[~2022-07-27 20:04 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CAJjP=Bt52AW_w2sKnM=MbckPkH1hevPMJVWm_Wf+wThmR72YTg@mail.gmail.com>
[not found] ` <CAH2r5mt_2f==5reyc0HmMLvYJVmP4Enykwauo+LQoFGFbVFeRQ@mail.gmail.com>
[not found] ` <CAJjP=BvNVOj3KRnhFgk6xiwnxVhxE-sN98-pr6e1Kzc5Xg5EvQ@mail.gmail.com>
[not found] ` <CAH2r5mvsetx5G+c=8ePh+X8ng7FvMrnuM9+FJ4Sid4b3E+T41Q@mail.gmail.com>
[not found] ` <CAJjP=BvqZUnJPq=C0OUKbXr=mbJd7a6YDSJC-sNY1j_33_e-uw@mail.gmail.com>
[not found] ` <CAN05THSGwCKckQoeB6D91iBv0Sed+ethK7tde7GSc1UzS-0OYg@mail.gmail.com>
[not found] ` <CAJjP=BvcWrF-k_sFxak1mgHAHVVS7_JZow+h_47XB1VzG2+Drw@mail.gmail.com>
[not found] ` <ebf8c487-0377-834e-fbb7-725cceae1fbb@leemhuis.info>
[not found] ` <CAN05THRJJj48ueb34t18Yj=JYuhiwZ8hTvOssX4D6XhNpjx-bg@mail.gmail.com>
[not found] ` <f7eb4a3e-9799-3fe4-d464-d84dd9e64510@leemhuis.info>
[not found] ` <CAJjP=Bus1_ce4vbHXpiou1WrSe8a61U1NzGm4XvN5fYCPGNikA@mail.gmail.com>
2022-03-02 6:58 ` Possible regression: unable to mount CIFS 1.0 shares from older machines since 76a3c92ec9e0668e4cd0e9ff1782eb68f61a179c Thorsten Leemhuis
2022-03-02 17:28 ` Davyd McColl
2022-03-03 0:50 ` Linus Torvalds
2022-03-03 1:27 ` Steve French
2022-03-04 6:43 ` Thorsten Leemhuis
2022-07-27 20:04 ` Clemens Leu [this message]
2022-07-28 2:27 ` Steve French
[not found] <D58238A4-F04E-458E-AB05-4A74235B2C65@getmailspring.com>
2022-01-10 12:15 ` Thorsten Leemhuis
2022-01-11 3:16 ` Steve French
2022-10-14 19:58 ` Carsten Langer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=fda96c5c-9007-4147-3be1-8c9deca0442c@gmail.com \
--to=clemens.leu@gmail.com \
--cc=davydm@gmail.com \
--cc=linux-cifs@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=regressions@leemhuis.info \
--cc=regressions@lists.linux.dev \
--cc=ronniesahlberg@gmail.com \
--cc=smfrench@gmail.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).