1

I have edited /proc/fs/cifs/SecurityFlags to allow my cifs mounts to mount correctly. (I had to use value 0x81.)

To edit SecurityFlags I type modprobe cifs which then lets me see the /proc/fs/cifs directory (I can't see it before I type this command).

After I reboot, the value in SecurityFlags has reset back to default, which is 0x7.

How can I set this permanently so it will hold the 0x81 value after reboot?

Eliah Kagan
  • 117,780
  • It is set as an option when compiling the kernel (see https://www.kernel.org/doc/readme/Documentation-filesystems-cifs-README) and modified by mount options (see https://www.samba.org/samba/docs/man/manpages-3/mount.cifs.8.html), specifically sec=. Are you getting an error message? Can you post your mount command or fstab entry? – Panther Oct 09 '15 at 23:21

3 Answers

1

The original poster, Paul Rosas, was able to solve the problem by adding a command to rc.local, and reported the solution in this comment and that subsequent comment.

The solution appears to have been as follows:

  1. Open /etc/rc.d/rc.local in a text editor.

    [Note that this file is not always present or used by default on newer versions of Ubuntu.]

  2. Add these two lines to the file, so that each time Ubuntu starts, the cifs module is loaded (if it wasn't already) and the text 0x81 is written to SecurityFlags:

    modprobe cifs
    echo 0x81 > /proc/fs/cifs/SecurityFlags
    
  3. Save the file and quit the text editor.

I say it "appears" this way because information about whitespace, including the newline between what I believe to have been two separate commands, is not visible in the comment, and because I believe the full path /proc/fs/cifs/SecurityFlags rather than just SecurityFlags was used (or that a cd command was added before it), since otherwise the solution wouldn't have worked.

Eliah Kagan
  • 117,780
1

For a more permanent solution I suggest creating a udev rule to set the value of SecurityFlags. This will set the value every time the cifs module is loaded. You define your rules in /etc/udev/rules.d.

50-cifs-securityflags.rules:

    # Set SecurityFlags to 0x81.
    ACTION=="add", SUBSYSTEM=="module", KERNEL=="cifs", RUN+="/bin/sh -c 'echo 0x81 > /proc/fs/cifs/SecurityFlags'"

and then reload udev with udevadm control --reload-rules && udevadm trigger

1

It is set as an option when the kernel is compiled.

/proc is a virtual file system, see http://www.tldp.org/LDP/Linux-Filesystem-Hierarchy/html/proc.html

/proc is very special in that it is also a virtual filesystem. It's sometimes referred to as a process information pseudo-file system. It doesn't contain 'real' files but runtime system information (e.g. system memory, devices mounted, hardware configuration, etc). For this reason it can be regarded as a control and information centre for the kernel. In fact, quite a lot of system utilities are simply calls to files in this directory. For example, 'lsmod' is the same as 'cat /proc/modules' while 'lspci' is a synonym for 'cat /proc/pci'. By altering files located in this directory you can even read/change kernel parameters (sysctl) while the system is running.

See https://www.kernel.org/doc/readme/Documentation-filesystems-cifs-README

SecurityFlags Flags which control security negotiation and also packet signing. Authentication (may/must) flags (e.g. for NTLM and/or NTLMv2) may be combined with the signing flags. Specifying two different password hashing mechanisms (as "must use") on the other hand does not make much sense. Default flags are 0x07007 (NTLM, NTLMv2 and packet signing allowed). The maximum allowable flags if you want to allow mounts to servers using weaker password hashes is 0x37037 (lanman, plaintext, ntlm, ntlmv2, signing allowed). Some SecurityFlags require the corresponding menuconfig options to be enabled (lanman and plaintext require CONFIG_CIFS_WEAK_PW_HASH for example). Enabling plaintext authentication currently requires also enabling lanman authentication in the security flags because the cifs module only supports sending plaintext passwords using the older lanman dialect form of the session setup SMB. (e.g. for authentication using plain text passwords, set the SecurityFlags to 0x30030):

        may use packet signing                      0x00001
        must use packet signing                     0x01001
        may use NTLM (most common password hash)    0x00002
        must use NTLM                               0x02002
        may use NTLMv2                              0x00004
        must use NTLMv2                             0x04004
        may use Kerberos security                   0x00008
        must use Kerberos                           0x08008
        may use lanman (weak) password hash         0x00010
        must use lanman password hash               0x10010
        may use plaintext passwords                 0x00020
        must use plaintext passwords                0x20020
        (reserved for future packet encryption)     0x00040

You can override this with mount options.

See https://www.samba.org/samba/docs/man/manpages-3/mount.cifs.8.html

sec= Security mode. Allowed values are:

none attempt to connection as a null user (no name)

krb5 Use Kerberos version 5 authentication

krb5i Use Kerberos authentication and packet signing

ntlm Use NTLM password hashing (default)

ntlmi Use NTLM password hashing with signing (if /proc/fs/cifs/PacketSigningEnabled on or if server requires signing also can be the default)

ntlmv2 Use NTLMv2 password hashing

ntlmv2i Use NTLMv2 password hashing with packet signing

[NB This [sec parameter] is under development and expected to be available in cifs kernel module 1.40 and later]

If you need help, post your mount options or entry in fstab and error message you get when you try to mount.

Panther
  • 102,067
  • Well the issue here is that there is a GUI interface that users use to mount shares on the fly. If the SecurityFlags value is not set to 0x81 then their mounts will fail. – Paul Rosas Oct 12 '15 at 19:16
  • So while I can set this flag after the system is booted and then users in the GUI can mount shares, once I reboot the system all the mounts fail, and also users can't add additional mounts until I reset the flag. Since we aren't using fstab I can't just mount shares using fstab and adding the sec=ntmlsspi flag. Also, they are mounting from a filer as well as Windows shares so the 0x81 flag sets some very specific options which allows both systems that don't have exactly the same security mount properly.

    Could I possibly use some sort of init script to set this flag at boot?

    – Paul Rosas Oct 12 '15 at 19:20
  • "Since we aren't using fstab" - The solution to the problem is to use fstab with the proper options as fstab is the configuration file used to set options. – Panther Oct 12 '15 at 19:34
  • I've been able to get the flag to stick now by adding a line to /etc/rc.d/rc.local ... looks like my problem is solved! – Paul Rosas Oct 12 '15 at 19:37
  • I added..

    modprobe cifs echo 0x81 > SecurityFlags

    to rc.local.

    – Paul Rosas Oct 12 '15 at 19:38
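
Added example, not part of any answer or comment above: a POSIX shell decoder for SecurityFlags values, built on the may/must bit table quoted from the kernel README in the third answer, which also lists any mechanism the README calls weak. The function names are hypothetical, and the NTLMSSP bit (0x00080 may, 0x80080 must) comes from later kernel cifs documentation rather than the table quoted here, which stops at 0x00040.

```shell
#!/bin/sh
# Added example (not from the original page): decode a cifs SecurityFlags value.
# Bits 0x01-0x40 follow the README table quoted above; 0x80 (NTLMSSP) is taken
# from later kernel cifs documentation and is not in that table.

# Mechanisms in bit order. "may" bit = 1 << i, matching "must" bit = may << 12.
SECFLAG_NAMES="signing ntlm ntlmv2 krb5 lanman plaintext reserved ntlmssp"

# Accept only hex literals such as 0x81, the form used in this thread.
is_hex() {
    case "$1" in
        0x|0x*[!0-9a-fA-F]*) return 1 ;;
        0x*) return 0 ;;
        *) return 1 ;;
    esac
}

# decode_secflags 0x81  ->  "may:signing may:ntlmssp"
decode_secflags() {
    is_hex "$1" || return 2
    val=$(( $1 )); bit=1; out=""
    for name in $SECFLAG_NAMES; do
        if [ $(( val & (bit << 12) )) -ne 0 ]; then
            out="$out must:$name"
        elif [ $(( val & bit )) -ne 0 ]; then
            out="$out may:$name"
        fi
        bit=$(( bit << 1 ))
    done
    echo "${out# }"
}

# weak_mechanisms 0x30030  ->  "lanman plaintext"
# Lists the mechanisms the README calls weak that the value would permit.
weak_mechanisms() {
    is_hex "$1" || return 2
    val=$(( $1 )); weak=""
    if [ $(( val & 0x10 )) -ne 0 ]; then weak="$weak lanman"; fi
    if [ $(( val & 0x20 )) -ne 0 ]; then weak="$weak plaintext"; fi
    echo "${weak# }"
}

# Constructed sample values: the default seen in the question, the value the
# asker set, and the README's plaintext example.
for v in 0x7 0x81 0x30030; do
    printf '%-8s %s | weak: %s\n' "$v" "$(decode_secflags "$v")" "$(weak_mechanisms "$v")"
done
```

Running the decoder on a value before it goes into rc.local or a udev rule shows which authentication mechanisms every later cifs mount on the host is allowed to negotiate.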