git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Paulo Alcantara <pc@manguebit.org>
	Thu, 26 Feb 2026 00:34:55 +0000 (21:34 -0300)
committer	Steve French <stfrench@microsoft.com>
	Fri, 27 Feb 2026 00:17:20 +0000 (18:17 -0600)
commit	d9d1e319b39ea685ede59319002d567c159d23c3
tree	672710d3fde6d70cca58197bbcd5755be1af8049	tree \| snapshot
parent	4fc3a433c13944ee5766ec5b9bf6f1eb4d29b880	commit \| diff

smb: client: fix broken multichannel with krb5+signing

When mounting a share with 'multichannel,max_channels=n,sec=krb5i',
the client was duplicating signing key for all secondary channels,
thus making the server fail all commands sent from secondary channels
due to bad signatures.

Every channel has its own signing key, so when establishing a new
channel with krb5 auth, make sure to use the new session key as the
derived key to generate channel's signing key in SMB2_auth_kerberos().

Repro:

$ mount.cifs //srv/share /mnt -o multichannel,max_channels=4,sec=krb5i
$ sleep 5
$ umount /mnt
$ dmesg
  ...
  CIFS: VFS: sign fail cmd 0x5 message id 0x2
  CIFS: VFS: \\srv SMB signature verification returned error = -13
  CIFS: VFS: sign fail cmd 0x5 message id 0x2
  CIFS: VFS: \\srv SMB signature verification returned error = -13
  CIFS: VFS: sign fail cmd 0x4 message id 0x2
  CIFS: VFS: \\srv SMB signature verification returned error = -13

Reported-by: Xiaoli Feng <xifeng@redhat.com>
Reviewed-by: Enzo Matsumiya <ematsumiya@suse.de>
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Cc: David Howells <dhowells@redhat.com>
Cc: linux-cifs@vger.kernel.org
Cc: stable@vger.kernel.org
Signed-off-by: Steve French <stfrench@microsoft.com>