Bug 207675 - mount.cifs always fails with NT_STATUS_INVALID_WORKSTATION using ntlmssp when userWorkstation attribute is set
Status: NEW
Alias: None
Product: File System
Classification: Unclassified
Component: CIFS
Hardware: All Linux
Importance: P1 normal
Assignee: fs_cifs
Reported: 2020-05-10 15:58 UTC by Huemi
Modified: 2020-12-21 13:10 UTC (History)

Kernel Version: 5.4.x and others
Regression: No


Attachments
Patch to send the workstation name even with ntlmssp (2.21 KB, patch)
2020-05-10 15:58 UTC, Huemi

Description Huemi 2020-05-10 15:58:15 UTC
Created attachment 289049
Patch to send the workstation name even with ntlmssp

Tested on Ubuntu 20.04, but mainline kernel seems to have the identical source code.

Having the userWorkstations attribute set to the client host name in Active Directory, mounting a directory from an allowed client via mount.cifs from a Samba file server fails with NT_STATUS_INVALID_WORKSTATION, while using smbclient succeeds.

Looking at a debug 10 trace, it is obvious that when smbclient makes the connection the server has a correct workstation name (probably from smb.conf), while mount.cifs sends an empty workstation name, causing the connection to fail as "" is not an allowed workstation in the userWorkstations attribute list.

You might find an old bug recommending the option "port=139", but this did not work.

Looking at fs/cifs/sess.c from vanilla version 5.4.40, you can see in the build_ntlmssp_auth_blob function at lines 489-492 that the created workstationName is always empty.

As there is already a netbiosname option in mount.cifs and the workstation_RFC1001_name is always populated even without appending it, the easiest way would be to use it for this case too.

Attached you can find an ugly patch which allowed me on a testing system to successfully mount a directory via mount.cifs from the Samba server while it would always fail with NT_STATUS_INVALID_WORKSTATION otherwise.

I'm pretty sure that it doesn't meet your quality criteria, so someone else with more insight on cifs and the kernel might want to rewrite it.
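
For triage of the behaviour described in this report, the following added example (not part of the bug report, the attached patch, or the kernel source) reads the Workstation field out of an NTLMSSP AUTHENTICATE message using the MS-NLMP field layout and applies a simplified model of the userWorkstations check. The function names, the sample user, domain and host names, and the comma-separated, case-insensitive comparison are assumptions made for illustration.

```python
import struct

NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
WORKSTATION_FIELD_OFFSET = 44  # WorkstationFields in AUTHENTICATE_MESSAGE (MS-NLMP)
NEGOTIATE_FLAGS_OFFSET = 60

def workstation_from_authenticate(blob: bytes) -> str:
    """Return the Workstation string carried in an NTLMSSP AUTHENTICATE message."""
    if len(blob) < 64 or blob[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", blob, 8)
    if msg_type != 3:
        raise ValueError("not an AUTHENTICATE message")
    # Each field descriptor is Len (2), MaxLen (2), BufferOffset (4), little-endian.
    length, _maxlen, offset = struct.unpack_from("<HHI", blob, WORKSTATION_FIELD_OFFSET)
    (flags,) = struct.unpack_from("<I", blob, NEGOTIATE_FLAGS_OFFSET)
    if offset + length > len(blob):
        raise ValueError("Workstation field points outside the message")
    raw = blob[offset:offset + length]
    # OEM strings are approximated as ASCII here (assumption).
    return raw.decode("utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii")

def workstation_allowed(workstation: str, user_workstations: str) -> bool:
    """Simplified model (assumption): attribute is a comma-separated name list."""
    allowed = {n.strip().upper() for n in user_workstations.split(",") if n.strip()}
    # An unset attribute means no restriction; otherwise the name must be listed.
    return not allowed or workstation.upper() in allowed

def build_authenticate(workstation: str, user="alice", domain="EXAMPLE") -> bytes:
    """Constructed sample message: only the name fields carry data."""
    payload, fields, offset = b"", [], 64
    # Field order: LM response, NT response, domain, user, workstation, session key.
    for value in (b"", b"", domain.encode("utf-16-le"), user.encode("utf-16-le"),
                  workstation.encode("utf-16-le"), b""):
        fields.append(struct.pack("<HHI", len(value), len(value), offset))
        payload += value
        offset += len(value)
    header = b"NTLMSSP\x00" + struct.pack("<I", 3) + b"".join(fields)
    return header + struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE) + payload

if __name__ == "__main__":
    for name in ("", "client01"):  # constructed: empty name vs. populated name
        ws = workstation_from_authenticate(build_authenticate(name))
        print(repr(ws), "allowed:", workstation_allowed(ws, "CLIENT01,CLIENT02"))
```
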
