]> git.karo-electronics.de Git - karo-tx-linux.git/commitdiff
[CIFS] move sectype to the cifs_ses instead of TCP_Server_Info
authorJeff Layton <jlayton@redhat.com>
Thu, 13 Jun 2013 00:52:14 +0000 (19:52 -0500)
committerSteve French <smfrench@gmail.com>
Thu, 13 Jun 2013 00:52:14 +0000 (19:52 -0500)
Now that we track what sort of NEGOTIATE response was received, stop
mandating that every session on a socket use the same type of auth.

Push that decision out into the session setup code, and make the sectype
a per-session property. This should allow us to mix multiple sectypes on
a socket as long as they are compatible with the NEGOTIATE response.

With this too, we can now eliminate the ses->secFlg field since that
info is redundant and harder to work with than a securityEnum.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
Acked-by: Pavel Shilovsky <piastry@etersoft.ru>
Signed-off-by: Steve French <smfrench@gmail.com>
fs/cifs/cifsencrypt.c
fs/cifs/cifsglob.h
fs/cifs/cifsproto.h
fs/cifs/cifssmb.c
fs/cifs/connect.c
fs/cifs/sess.c
fs/cifs/smb2pdu.c

index a85a83d1d00fe3008213830b0059b47da81b19a6..30bea6bd30233b97aad81207a2ae81b4e71db6d2 100644 (file)
@@ -535,7 +535,7 @@ CalcNTLMv2_response(const struct cifs_ses *ses, char *ntlmv2_hash)
                return rc;
        }
 
-       if (ses->server->secType == RawNTLMSSP)
+       if (ses->server->negflavor == CIFS_NEGFLAVOR_EXTENDED)
                memcpy(ses->auth_key.response + offset,
                        ses->ntlmssp->cryptkey, CIFS_SERVER_CHALLENGE_SIZE);
        else
@@ -567,7 +567,7 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, const struct nls_table *nls_cp)
        char ntlmv2_hash[16];
        unsigned char *tiblob = NULL; /* target info blob */
 
-       if (ses->server->secType == RawNTLMSSP) {
+       if (ses->server->negflavor == CIFS_NEGFLAVOR_EXTENDED) {
                if (!ses->domainName) {
                        rc = find_domain_name(ses, nls_cp);
                        if (rc) {
index 49020ae460cff5e0e1dd5c9e34bfc5d1d1b5c4ff..ad3408042ff06e028402ba24eab0fb8e68950b89 100644 (file)
@@ -401,7 +401,6 @@ struct smb_vol {
        kgid_t backupgid;
        umode_t file_mode;
        umode_t dir_mode;
-       unsigned secFlg;
        enum securityEnum sectype; /* sectype requested via mnt opts */
        bool sign; /* was signing requested via mnt opts? */
        bool retry:1;
@@ -519,7 +518,6 @@ struct TCP_Server_Info {
        bool echoes:1; /* enable echoes */
 #endif
        u16 dialect; /* dialect index that server chose */
-       enum securityEnum secType;
        bool oplocks:1; /* enable oplocks */
        unsigned int maxReq;    /* Clients should submit no more */
        /* than maxReq distinct unanswered SMBs to the server when using  */
index ede010fd046af07dcc0138a6a280c7019894e876..a82b3c09888ba8a07c7b51c7517a7a4e0b2c5d86 100644 (file)
@@ -118,6 +118,8 @@ extern void header_assemble(struct smb_hdr *, char /* command */ ,
 extern int small_smb_init_no_tc(const int smb_cmd, const int wct,
                                struct cifs_ses *ses,
                                void **request_buf);
+extern enum securityEnum select_sectype(struct TCP_Server_Info *server,
+                               enum securityEnum requested);
 extern int CIFS_SessSetup(const unsigned int xid, struct cifs_ses *ses,
                          const struct nls_table *nls_cp);
 extern struct timespec cifs_NTtimeToUnix(__le64 utc_nanoseconds_since_1601);
index dd7e2f61f6078620776d8c942e4929061ae82d27..a35aad2060c514114d4ed920e662e97ca01bf294 100644 (file)
@@ -368,11 +368,12 @@ vt2_err:
 }
 
 static int
-decode_ext_sec_blob(struct TCP_Server_Info *server, NEGOTIATE_RSP *pSMBr)
+decode_ext_sec_blob(struct cifs_ses *ses, NEGOTIATE_RSP *pSMBr)
 {
        int     rc = 0;
        u16     count;
        char    *guid = pSMBr->u.extended_response.GUID;
+       struct TCP_Server_Info *server = ses->server;
 
        count = get_bcc(&pSMBr->hdr);
        if (count < SMB1_CLIENT_GUID_SIZE)
@@ -391,27 +392,13 @@ decode_ext_sec_blob(struct TCP_Server_Info *server, NEGOTIATE_RSP *pSMBr)
        }
 
        if (count == SMB1_CLIENT_GUID_SIZE) {
-               server->secType = RawNTLMSSP;
+               server->sec_ntlmssp = true;
        } else {
                count -= SMB1_CLIENT_GUID_SIZE;
                rc = decode_negTokenInit(
                        pSMBr->u.extended_response.SecurityBlob, count, server);
                if (rc != 1)
                        return -EINVAL;
-
-               /* Make sure server supports what we want to use */
-               switch(server->secType) {
-               case Kerberos:
-                       if (!server->sec_kerberos && !server->sec_mskerberos)
-                               return -EOPNOTSUPP;
-                       break;
-               case RawNTLMSSP:
-                       if (!server->sec_ntlmssp)
-                               return -EOPNOTSUPP;
-                       break;
-               default:
-                       return -EOPNOTSUPP;
-               }
        }
 
        return 0;
@@ -462,8 +449,7 @@ cifs_enable_signing(struct TCP_Server_Info *server, bool mnt_sign_required)
 
 #ifdef CONFIG_CIFS_WEAK_PW_HASH
 static int
-decode_lanman_negprot_rsp(struct TCP_Server_Info *server, NEGOTIATE_RSP *pSMBr,
-                         unsigned int secFlags)
+decode_lanman_negprot_rsp(struct TCP_Server_Info *server, NEGOTIATE_RSP *pSMBr)
 {
        __s16 tmp;
        struct lanman_neg_rsp *rsp = (struct lanman_neg_rsp *)pSMBr;
@@ -471,12 +457,6 @@ decode_lanman_negprot_rsp(struct TCP_Server_Info *server, NEGOTIATE_RSP *pSMBr,
        if (server->dialect != LANMAN_PROT && server->dialect != LANMAN2_PROT)
                return -EOPNOTSUPP;
 
-       if ((secFlags & CIFSSEC_MAY_LANMAN) || (secFlags & CIFSSEC_MAY_PLNTXT))
-               server->secType = LANMAN;
-       else {
-               cifs_dbg(VFS, "mount failed weak security disabled in /proc/fs/cifs/SecurityFlags\n");
-               return -EOPNOTSUPP;
-       }
        server->sec_mode = le16_to_cpu(rsp->SecurityMode);
        server->maxReq = min_t(unsigned int,
                               le16_to_cpu(rsp->MaxMpxCount),
@@ -542,8 +522,7 @@ decode_lanman_negprot_rsp(struct TCP_Server_Info *server, NEGOTIATE_RSP *pSMBr,
 }
 #else
 static inline int
-decode_lanman_negprot_rsp(struct TCP_Server_Info *server, NEGOTIATE_RSP *pSMBr,
-                         unsigned int secFlags)
+decode_lanman_negprot_rsp(struct TCP_Server_Info *server, NEGOTIATE_RSP *pSMBr)
 {
        cifs_dbg(VFS, "mount failed, cifs module not built with CIFS_WEAK_PW_HASH support\n");
        return -EOPNOTSUPP;
@@ -551,17 +530,20 @@ decode_lanman_negprot_rsp(struct TCP_Server_Info *server, NEGOTIATE_RSP *pSMBr,
 #endif
 
 static bool
-should_set_ext_sec_flag(unsigned int secFlags)
+should_set_ext_sec_flag(enum securityEnum sectype)
 {
-       if ((secFlags & CIFSSEC_MUST_KRB5) == CIFSSEC_MUST_KRB5)
-               return true;
-       else if ((secFlags & CIFSSEC_AUTH_MASK) == CIFSSEC_MAY_KRB5)
-               return true;
-       else if ((secFlags & CIFSSEC_MUST_NTLMSSP) == CIFSSEC_MUST_NTLMSSP)
-               return true;
-       else if ((secFlags & CIFSSEC_AUTH_MASK) == CIFSSEC_MAY_NTLMSSP)
+       switch (sectype) {
+       case RawNTLMSSP:
+       case Kerberos:
                return true;
-       return false;
+       case Unspecified:
+               if (global_secflags &
+                   (CIFSSEC_MAY_KRB5 | CIFSSEC_MAY_NTLMSSP))
+                       return true;
+               /* Fallthrough */
+       default:
+               return false;
+       }
 }
 
 int
@@ -574,7 +556,6 @@ CIFSSMBNegotiate(const unsigned int xid, struct cifs_ses *ses)
        int i;
        struct TCP_Server_Info *server = ses->server;
        u16 count;
-       unsigned int secFlags;
 
        if (!server) {
                WARN(1, "%s: server is NULL!\n", __func__);
@@ -586,18 +567,10 @@ CIFSSMBNegotiate(const unsigned int xid, struct cifs_ses *ses)
        if (rc)
                return rc;
 
-       /* if any of auth flags (ie not sign or seal) are overriden use them */
-       if (ses->overrideSecFlg & (~(CIFSSEC_MUST_SIGN | CIFSSEC_MUST_SEAL)))
-               secFlags = ses->overrideSecFlg;  /* BB FIXME fix sign flags? */
-       else /* if override flags set only sign/seal OR them with global auth */
-               secFlags = global_secflags | ses->overrideSecFlg;
-
-       cifs_dbg(FYI, "secFlags 0x%x\n", secFlags);
-
        pSMB->hdr.Mid = get_next_mid(server);
        pSMB->hdr.Flags2 |= (SMBFLG2_UNICODE | SMBFLG2_ERR_STATUS);
 
-       if (should_set_ext_sec_flag(secFlags)) {
+       if (should_set_ext_sec_flag(ses->sectype)) {
                cifs_dbg(FYI, "Requesting extended security.");
                pSMB->hdr.Flags2 |= SMBFLG2_EXT_SEC;
        }
@@ -627,7 +600,7 @@ CIFSSMBNegotiate(const unsigned int xid, struct cifs_ses *ses)
                goto neg_err_exit;
        } else if (pSMBr->hdr.WordCount == 13) {
                server->negflavor = CIFS_NEGFLAVOR_LANMAN;
-               rc = decode_lanman_negprot_rsp(server, pSMBr, secFlags);
+               rc = decode_lanman_negprot_rsp(server, pSMBr);
                goto signing_check;
        } else if (pSMBr->hdr.WordCount != 17) {
                /* unknown wct */
@@ -640,31 +613,6 @@ CIFSSMBNegotiate(const unsigned int xid, struct cifs_ses *ses)
        if ((server->sec_mode & SECMODE_USER) == 0)
                cifs_dbg(FYI, "share mode security\n");
 
-       if ((server->sec_mode & SECMODE_PW_ENCRYPT) == 0)
-#ifdef CONFIG_CIFS_WEAK_PW_HASH
-               if ((secFlags & CIFSSEC_MAY_PLNTXT) == 0)
-#endif /* CIFS_WEAK_PW_HASH */
-                       cifs_dbg(VFS, "Server requests plain text password but client support disabled\n");
-
-       if ((secFlags & CIFSSEC_MUST_NTLMV2) == CIFSSEC_MUST_NTLMV2)
-               server->secType = NTLMv2;
-       else if (secFlags & CIFSSEC_MAY_NTLM)
-               server->secType = NTLM;
-       else if (secFlags & CIFSSEC_MAY_NTLMV2)
-               server->secType = NTLMv2;
-       else if (secFlags & CIFSSEC_MAY_KRB5)
-               server->secType = Kerberos;
-       else if (secFlags & CIFSSEC_MAY_NTLMSSP)
-               server->secType = RawNTLMSSP;
-       else if (secFlags & CIFSSEC_MAY_LANMAN)
-               server->secType = LANMAN;
-       else {
-               rc = -EOPNOTSUPP;
-               cifs_dbg(VFS, "Invalid security type\n");
-               goto neg_err_exit;
-       }
-       /* else ... any others ...? */
-
        /* one byte, so no need to convert this or EncryptionKeyLen from
           little endian */
        server->maxReq = min_t(unsigned int, le16_to_cpu(pSMBr->MaxMpxCount),
@@ -686,7 +634,7 @@ CIFSSMBNegotiate(const unsigned int xid, struct cifs_ses *ses)
                        server->capabilities & CAP_EXTENDED_SECURITY) &&
                                (pSMBr->EncryptionKeyLength == 0)) {
                server->negflavor = CIFS_NEGFLAVOR_EXTENDED;
-               rc = decode_ext_sec_blob(server, pSMBr);
+               rc = decode_ext_sec_blob(ses, pSMBr);
        } else if (server->sec_mode & SECMODE_PW_ENCRYPT) {
                rc = -EIO; /* no crypt key only if plain text pwd */
        } else {
index acbb255352af78e46ea974e6355b398a779a7500..c4c6aa99ee1cbaafe52e44a2a6aae7cb4f0f1ba5 100644 (file)
@@ -1033,56 +1033,40 @@ static int cifs_parse_security_flavors(char *value,
        vol->sign = false;
 
        switch (match_token(value, cifs_secflavor_tokens, args)) {
+       case Opt_sec_krb5p:
+               cifs_dbg(VFS, "sec=krb5p is not supported!\n");
+               return 1;
+       case Opt_sec_krb5i:
+               vol->sign = true;
+               /* Fallthrough */
        case Opt_sec_krb5:
                vol->sectype = Kerberos;
-               vol->secFlg |= CIFSSEC_MAY_KRB5 | CIFSSEC_MAY_SIGN;
                break;
-       case Opt_sec_krb5i:
-               vol->sectype = Kerberos;
+       case Opt_sec_ntlmsspi:
                vol->sign = true;
-               vol->secFlg |= CIFSSEC_MAY_KRB5 | CIFSSEC_MUST_SIGN;
-               break;
-       case Opt_sec_krb5p:
-               /* vol->secFlg |= CIFSSEC_MUST_SEAL | CIFSSEC_MAY_KRB5; */
-               cifs_dbg(VFS, "Krb5 cifs privacy not supported\n");
-               break;
+               /* Fallthrough */
        case Opt_sec_ntlmssp:
                vol->sectype = RawNTLMSSP;
-               vol->secFlg |= CIFSSEC_MAY_NTLMSSP;
                break;
-       case Opt_sec_ntlmsspi:
-               vol->sectype = RawNTLMSSP;
+       case Opt_sec_ntlmi:
                vol->sign = true;
-               vol->secFlg |= CIFSSEC_MAY_NTLMSSP | CIFSSEC_MUST_SIGN;
-               break;
+               /* Fallthrough */
        case Opt_ntlm:
-               /* ntlm is default so can be turned off too */
                vol->sectype = NTLM;
-               vol->secFlg |= CIFSSEC_MAY_NTLM;
                break;
-       case Opt_sec_ntlmi:
-               vol->sectype = NTLM;
+       case Opt_sec_ntlmv2i:
                vol->sign = true;
-               vol->secFlg |= CIFSSEC_MAY_NTLM | CIFSSEC_MUST_SIGN;
-               break;
+               /* Fallthrough */
        case Opt_sec_ntlmv2:
                vol->sectype = NTLMv2;
-               vol->secFlg |= CIFSSEC_MAY_NTLMV2;
-               break;
-       case Opt_sec_ntlmv2i:
-               vol->sectype = NTLMv2;
-               vol->sign = true;
-               vol->secFlg |= CIFSSEC_MAY_NTLMV2 | CIFSSEC_MUST_SIGN;
                break;
 #ifdef CONFIG_CIFS_WEAK_PW_HASH
        case Opt_sec_lanman:
                vol->sectype = LANMAN;
-               vol->secFlg |= CIFSSEC_MAY_LANMAN;
                break;
 #endif
        case Opt_sec_none:
                vol->nullauth = 1;
-               vol->secFlg |= CIFSSEC_MAY_NTLM;
                break;
        default:
                cifs_dbg(VFS, "bad security option: %s\n", value);
@@ -1445,7 +1429,6 @@ cifs_parse_mount_options(const char *mountdata, const char *devname,
                        vol->local_lease = 1;
                        break;
                case Opt_sign:
-                       vol->secFlg |= CIFSSEC_MUST_SIGN;
                        vol->sign = true;
                        break;
                case Opt_seal:
@@ -2003,40 +1986,19 @@ match_address(struct TCP_Server_Info *server, struct sockaddr *addr,
 static bool
 match_security(struct TCP_Server_Info *server, struct smb_vol *vol)
 {
-       unsigned int secFlags;
-
-       if (vol->secFlg & (~(CIFSSEC_MUST_SIGN | CIFSSEC_MUST_SEAL)))
-               secFlags = vol->secFlg;
-       else
-               secFlags = global_secflags | vol->secFlg;
-
-       switch (server->secType) {
-       case LANMAN:
-               if (!(secFlags & (CIFSSEC_MAY_LANMAN|CIFSSEC_MAY_PLNTXT)))
-                       return false;
-               break;
-       case NTLMv2:
-               if (!(secFlags & CIFSSEC_MAY_NTLMV2))
-                       return false;
-               break;
-       case NTLM:
-               if (!(secFlags & CIFSSEC_MAY_NTLM))
-                       return false;
-               break;
-       case Kerberos:
-               if (!(secFlags & CIFSSEC_MAY_KRB5))
-                       return false;
-               break;
-       case RawNTLMSSP:
-               if (!(secFlags & CIFSSEC_MAY_NTLMSSP))
-                       return false;
-               break;
-       default:
-               /* shouldn't happen */
+       /*
+        * The select_sectype function should either return the vol->sectype
+        * that was specified, or "Unspecified" if that sectype was not
+        * compatible with the given NEGOTIATE request.
+        */
+       if (select_sectype(server, vol->sectype) == Unspecified)
                return false;
-       }
 
-       /* now check if signing mode is acceptable */
+       /*
+        * Now check if signing mode is acceptable. No need to check
+        * global_secflags at this point since if MUST_SIGN is set then
+        * the server->sign had better be too.
+        */
        if (vol->sign && !server->sign)
                return false;
 
@@ -2239,7 +2201,11 @@ out_err:
 
 static int match_session(struct cifs_ses *ses, struct smb_vol *vol)
 {
-       switch (ses->server->secType) {
+       if (vol->sectype != Unspecified &&
+           vol->sectype != ses->sectype)
+               return 0;
+
+       switch (ses->sectype) {
        case Kerberos:
                if (!uid_eq(vol->cred_uid, ses->cred_uid))
                        return 0;
@@ -2516,7 +2482,6 @@ cifs_get_smb_ses(struct TCP_Server_Info *server, struct smb_vol *volume_info)
        ses->cred_uid = volume_info->cred_uid;
        ses->linux_uid = volume_info->linux_uid;
 
-       ses->overrideSecFlg = volume_info->secFlg;
        ses->sectype = volume_info->sectype;
        ses->sign = volume_info->sign;
 
@@ -3681,7 +3646,7 @@ CIFSTCon(const unsigned int xid, struct cifs_ses *ses,
                   NTLMv2 password here) */
 #ifdef CONFIG_CIFS_WEAK_PW_HASH
                if ((global_secflags & CIFSSEC_MAY_LANMAN) &&
-                   (ses->server->secType == LANMAN))
+                   (ses->sectype == LANMAN))
                        calc_lanman_hash(tcon->password, ses->server->cryptkey,
                                         ses->server->sec_mode &
                                            SECMODE_PW_ENCRYPT ? true : false,
@@ -3893,27 +3858,11 @@ cifs_setup_session(const unsigned int xid, struct cifs_ses *ses,
 static int
 cifs_set_vol_auth(struct smb_vol *vol, struct cifs_ses *ses)
 {
-       switch (ses->server->secType) {
-       case Kerberos:
-               vol->secFlg = CIFSSEC_MUST_KRB5;
+       vol->sectype = ses->sectype;
+
+       /* krb5 is special, since we don't need username or pw */
+       if (vol->sectype == Kerberos)
                return 0;
-       case NTLMv2:
-               vol->secFlg = CIFSSEC_MUST_NTLMV2;
-               break;
-       case NTLM:
-               vol->secFlg = CIFSSEC_MUST_NTLM;
-               break;
-       case RawNTLMSSP:
-               vol->secFlg = CIFSSEC_MUST_NTLMSSP;
-               break;
-       case LANMAN:
-               vol->secFlg = CIFSSEC_MUST_LANMAN;
-               break;
-       default:
-               /* should never happen */
-               vol->secFlg = 0;
-               break;
-       }
 
        return cifs_set_cifscreds(vol, ses);
 }
index 82b784a62c16424cddecf2374fc4560e0507e739..79358e341fd2ea63cff42e6d608c58f65b5f9804 100644 (file)
@@ -550,6 +550,56 @@ setup_ntlmv2_ret:
        return rc;
 }
 
+enum securityEnum
+select_sectype(struct TCP_Server_Info *server, enum securityEnum requested)
+{
+       switch (server->negflavor) {
+       case CIFS_NEGFLAVOR_EXTENDED:
+               switch (requested) {
+               case Kerberos:
+               case RawNTLMSSP:
+                       return requested;
+               case Unspecified:
+                       if (server->sec_ntlmssp &&
+                           (global_secflags & CIFSSEC_MAY_NTLMSSP))
+                               return RawNTLMSSP;
+                       if ((server->sec_kerberos || server->sec_mskerberos) &&
+                           (global_secflags & CIFSSEC_MAY_KRB5))
+                               return Kerberos;
+                       /* Fallthrough */
+               default:
+                       return Unspecified;
+               }
+       case CIFS_NEGFLAVOR_UNENCAP:
+               switch (requested) {
+               case NTLM:
+               case NTLMv2:
+                       return requested;
+               case Unspecified:
+                       if (global_secflags & CIFSSEC_MAY_NTLMV2)
+                               return NTLMv2;
+                       if (global_secflags & CIFSSEC_MAY_NTLM)
+                               return NTLM;
+                       /* Fallthrough */
+               default:
+                       return Unspecified;
+               }
+       case CIFS_NEGFLAVOR_LANMAN:
+               switch (requested) {
+               case LANMAN:
+                       return requested;
+               case Unspecified:
+                       if (global_secflags & CIFSSEC_MAY_LANMAN)
+                               return LANMAN;
+                       /* Fallthrough */
+               default:
+                       return Unspecified;
+               }
+       default:
+               return Unspecified;
+       }
+}
+
 int
 CIFS_SessSetup(const unsigned int xid, struct cifs_ses *ses,
               const struct nls_table *nls_cp)
@@ -576,8 +626,13 @@ CIFS_SessSetup(const unsigned int xid, struct cifs_ses *ses,
                return -EINVAL;
        }
 
-       type = ses->server->secType;
+       type = select_sectype(ses->server, ses->sectype);
        cifs_dbg(FYI, "sess setup type %d\n", type);
+       if (type == Unspecified) {
+               cifs_dbg(VFS, "Unable to select appropriate authentication method!");
+               return -EINVAL;
+       }
+
        if (type == RawNTLMSSP) {
                /* if memory allocation is successful, caller of this function
                 * frees it.
index ad8ef10de0bdda16fb2b544007521e831e5e577e..fd2ea4271282804ce2a1bd84d681d74e565b023a 100644 (file)
@@ -328,7 +328,6 @@ SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses)
        int rc = 0;
        int resp_buftype;
        struct TCP_Server_Info *server = ses->server;
-       unsigned int sec_flags;
        int blob_offset, blob_length;
        char *security_blob;
        int flags = CIFS_NEG_OP;
@@ -344,14 +343,6 @@ SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses)
        if (rc)
                return rc;
 
-       /* if any of auth flags (ie not sign or seal) are overriden use them */
-       if (ses->overrideSecFlg & (~(CIFSSEC_MUST_SIGN | CIFSSEC_MUST_SEAL)))
-               sec_flags = ses->overrideSecFlg;  /* BB FIXME fix sign flags?*/
-       else /* if override flags set only sign/seal OR them with global auth */
-               sec_flags = global_secflags | ses->overrideSecFlg;
-
-       cifs_dbg(FYI, "sec_flags 0x%x\n", sec_flags);
-
        req->hdr.SessionId = 0;
 
        req->Dialects[0] = cpu_to_le16(ses->server->vals->protocol_id);
@@ -453,7 +444,6 @@ SMB2_sess_setup(const unsigned int xid, struct cifs_ses *ses,
        int resp_buftype;
        __le32 phase = NtLmNegotiate; /* NTLMSSP, if needed, is multistage */
        struct TCP_Server_Info *server = ses->server;
-       unsigned int sec_flags;
        u16 blob_length = 0;
        char *security_blob;
        char *ntlmssp_blob = NULL;
@@ -474,7 +464,8 @@ SMB2_sess_setup(const unsigned int xid, struct cifs_ses *ses,
        if (!ses->ntlmssp)
                return -ENOMEM;
 
-       ses->server->secType = RawNTLMSSP;
+       /* FIXME: allow for other auth types besides NTLMSSP (e.g. krb5) */
+       ses->sectype = RawNTLMSSP;
 
 ssetup_ntlmssp_authenticate:
        if (phase == NtLmChallenge)
@@ -484,14 +475,6 @@ ssetup_ntlmssp_authenticate:
        if (rc)
                return rc;
 
-       /* if any of auth flags (ie not sign or seal) are overriden use them */
-       if (ses->overrideSecFlg & (~(CIFSSEC_MUST_SIGN | CIFSSEC_MUST_SEAL)))
-               sec_flags = ses->overrideSecFlg;  /* BB FIXME fix sign flags?*/
-       else /* if override flags set only sign/seal OR them with global auth */
-               sec_flags = global_secflags | ses->overrideSecFlg;
-
-       cifs_dbg(FYI, "sec_flags 0x%x\n", sec_flags);
-
        req->hdr.SessionId = 0; /* First session, not a reauthenticate */
        req->VcNumber = 0; /* MBZ */
        /* to enable echos and oplocks */