
Bug 821895

Summary: sys-kernel/gentoo-sources: Unable to mount cifs 1.0 shares with kernel 5.15.0
Product: Gentoo Linux
Reporter: Davyd McColl <davydm>
Component: Current packages
Assignee: Gentoo Kernel Bug Wranglers and Kernel Maintainers <kernel>
Status: RESOLVED CANTFIX
Severity: normal
CC: robert
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.kernel.org/show_bug.cgi?id=215375
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: full kernel config for 5.14.15
full kernel config for 5.15.0
SMB1 NTLM backport for kernel 5.15.12

Description Davyd McColl 2021-11-05 08:24:36 UTC
After a recent update of gentoo-sources from 5.14.15 to 5.15.0, bringing in my existing .config and running genkernel to produce a new 5.15.0 kernel and rebooting to use that kernel, I'm unable to browse shares on an older media player using CIFS 1.0. Reverting to the 5.14.15 kernel via reboot resolves the issue.

Reproducible: Always

Steps to Reproduce:
I have an /etc/fstab entry like:
//mede8er/mede8er            /mnt/mede8er-smb  cifs    noauto,guest,users,uid=daf,gid=daf,iocharset=utf8,vers=1.0,nobrl 0 0
1. under 5.14.15, as a regular user, `mount /mnt/mede8er-smb` - mount succeeds
2. reboot to 5.15.0, as a regular user, `mount /mnt/mede8er-smb` - mount fails

I see the following in /var/log/syslog:
Nov  3 08:00:00 nea kernel: CIFS: VFS: Use of the less secure dialect vers=1.0 is not recommended unless required for access to very old servers
Nov  3 08:00:00 nea kernel: CIFS: Attempting to mount \\mede8er\mede8er
Nov  3 08:00:00 nea kernel: CIFS: VFS: \\mede8er failed to connect to IPC (rc=-6)
Nov  3 08:00:00 nea kernel: CIFS: VFS: cifs_mount failed w/return code = -6

When I compare kernel configuration for the two kernels, filtering for CIFS, the only difference I see is that the config option CONFIG_CIFS_WEAK_PW_HASH has been removed - I can't select it in `make nconfig` any more and it doesn't appear in the new .config

I'm not sure if it's properly related, but I came across this:
https://x-lore.kernel.org/linux-cifs/20210813195644.937810-3-lsahlber@redhat.com/
which seems to suggest that the logic should be rolled up and selected by CONFIG_CIFS_ALLOW_INSECURE_LEGACY=y (which is set in both kernels)

I'm not sure if this is something that I should be reporting elsewhere? Please advise.
Actual Results:  
Can't mount old CIFS 1.0 media player shares any more under kernel 5.15.0 (gentoo-sources)

Expected Results:  
I should still be able to mount the old CIFS 1.0 shares because I've enabled CONFIG_CIFS_ALLOW_INSECURE_LEGACY=y in my kernel config.
Comment 1 Davyd McColl 2021-11-05 08:26:05 UTC
Created attachment 748719 [details]
full kernel config for 5.14.15
Comment 2 Davyd McColl 2021-11-05 08:26:28 UTC
Created attachment 748722 [details]
full kernel config for 5.15.0
Comment 3 Davyd McColl 2021-11-05 08:27:51 UTC
I'm also not sure about setting the importance for this - it's a blocker for me to use 5.15.0, but 5.15.0 (gentoo-sources) is ~amd64 and I have my older 5.14.15 still installed
Comment 4 Mike Pagano gentoo-dev 2021-11-09 23:36:20 UTC
Does the output of this show anything in 5.15 ?

findmnt --verify --verbose
Comment 5 Davyd McColl 2021-11-10 06:14:13 UTC
`findmnt --verify --verbose` reports for this mount:

/mnt/mede8er-smb
   [ ] target exists
   [ ] FS options: guest,uid=daf,gid=daf,iocharset=utf8,vers=1.0,nobrl
   [ ] userspace options: noauto,users
   [ ] do not check //mede8er/mede8er source (pseudo/net)
   [ ] do not check //mede8er/mede8er FS type (pseudo/net)

attempting `mount /mnt/mede8er-smb` returns:

Retrying with upper case share name
mount error(6): No such device or address
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)


dmesg reports:

[  239.024504] Use of the less secure dialect vers=1.0 is not recommended unless required for access to very old servers

[  239.024505] CIFS: VFS: Use of the less secure dialect vers=1.0 is not recommended unless required for access to very old servers
[  239.024508] CIFS: Attempting to mount \\mede8er\mede8er
[  239.205576] CIFS: VFS: \\mede8er failed to connect to IPC (rc=-6)
[  239.211939] CIFS: VFS: cifs_mount failed w/return code = -6
[  239.211971] Use of the less secure dialect vers=1.0 is not recommended unless required for access to very old servers

[  239.211972] CIFS: VFS: Use of the less secure dialect vers=1.0 is not recommended unless required for access to very old servers
[  239.211987] CIFS: Attempting to mount \\MEDE8ER\MEDE8ER
[  239.237105] CIFS: VFS: \\MEDE8ER failed to connect to IPC (rc=-6)
[  239.243201] CIFS: VFS: cifs_mount failed w/return code = -6
Comment 6 Davyd McColl 2021-11-11 11:14:06 UTC
Update: issue remains in 5.15.1 (I'm not sure where to check for the changelog, so I thought I'd just test and I still can't connect to CIFS 1.0 shares with 5.15.1)
Comment 7 Mike Pagano gentoo-dev 2021-11-15 23:48:31 UTC
You have no sec=<something>. Is it trying to use ntlm ?

ntlm was removed in 5.15 [1]

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=76a3c92ec9e0668e4cd0e9ff1782eb68f61a179c
Comment 8 Davyd McColl 2021-11-16 10:39:05 UTC
As you've noted, I'm not setting `sec=` on the fstab line. According to `man mount.cifs` the default should be ntlmssp.

I tried setting `sec=none` - which worked fine under 5.14.15 - and then rebooted to 5.15.2, where the mount still fails, with the same errors being produced as before.
Comment 9 Davyd McColl 2021-11-21 17:19:16 UTC
update: still persists in 5.15.3
Comment 10 Robert Schultz 2022-01-04 15:44:39 UTC
Created attachment 761299 [details, diff]
SMB1 NTLM backport for kernel 5.15.12

I can't speak to this exact issue, but I needed NTLM support, so I backported the removed CIFS support into a patch that works great on 5.15.12. I've attached it to this issue, in case any future folks want this support added back into the kernel.
Comment 11 Mike Pagano gentoo-dev 2022-01-04 18:01:01 UTC
As upstream no longer supports this in 5.15, closing this bug.
Comment 12 Davyd McColl 2022-01-04 21:39:41 UTC
Thanks for the patch

Upstream, I raised https://bugzilla.kernel.org/show_bug.cgi?id=215375 and it appears as if someone _might_ care, so I'm waiting on a reply there - the commentary so far is that this isn't an upstream abandonment as there was confusion as to why cifs 1.0 shares stopped working after commit 18d04062f83b3eedb64e9f64ede26ee83ae7f152. I'm not sure if that should affect the status of this report.
Comment 13 Mike Pagano gentoo-dev 2022-01-04 23:25:22 UTC
(In reply to Davyd McColl from comment #12)
> Thanks for the patch
> 
> Upstream, I raised https://bugzilla.kernel.org/show_bug.cgi?id=215375 and it
> appears as if someone _might_ care, so I'm waiting on a reply there - the
> commentary so far is that this isn't an upstream abandonment as there was
> confusion as to why cifs 1.0 shares stopped working after commit
> 18d04062f83b3eedb64e9f64ede26ee83ae7f152. I'm not sure if that should affect
> the status of this report.

Excellent, we'll keep an eye on the upstream bug and look at potential backports of any changes.
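
An added example, not part of the bug report and not any commenter's code: a small Python audit that reads fstab-style lines and flags CIFS mounts matching what this thread discusses (vers=1.0, sec=ntlm, or no sec= at all), so they can be reviewed before moving to a 5.15 kernel. The sample input is constructed, with its first entry copied from the report; the function names are hypothetical.

```python
# Added example: audit fstab-style text for CIFS mounts touched by the 5.15 change.
# SAMPLE_FSTAB is constructed; only its first entry comes from the bug report.

SAMPLE_FSTAB = """\
# constructed sample
//mede8er/mede8er  /mnt/mede8er-smb  cifs  noauto,guest,users,uid=daf,gid=daf,iocharset=utf8,vers=1.0,nobrl 0 0
//nas/backup  /mnt/backup  cifs  credentials=/etc/cifs.cred,vers=3.0,sec=ntlmssp 0 0
//old/share  /mnt/old  cifs  vers=1.0,sec=ntlm,username=media 0 0
/dev/sda1  /  ext4  defaults 0 1
"""


def parse_options(field):
    """Split a comma-separated fstab option field into a dict (bare flags map to None)."""
    opts = {}
    for item in field.split(","):
        if not item:
            continue
        key, sep, value = item.partition("=")
        opts[key] = value if sep else None
    return opts


def audit_cifs_mounts(fstab_text):
    """Return {mountpoint: [findings]} for every cifs entry in fstab_text."""
    report = {}
    for line in fstab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4 or fields[2] != "cifs":
            continue  # malformed line or not a CIFS mount
        opts = parse_options(fields[3])
        findings = []
        if opts.get("vers") == "1.0":
            findings.append("vers=1.0: kernel logs this as a less secure dialect")
        if opts.get("sec") == "ntlm":
            findings.append("sec=ntlm: removed in 5.15 per comment 7")
        if "sec" not in opts:
            findings.append("no sec=: mount.cifs default applies (ntlmssp per comment 8)")
        report[fields[1]] = findings
    return report


if __name__ == "__main__":
    for mountpoint, findings in audit_cifs_mounts(SAMPLE_FSTAB).items():
        for finding in findings:
            print(f"{mountpoint}: {finding}")
```

To audit a real system, pass the contents of /etc/fstab to `audit_cifs_mounts` instead of the sample string.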