The branch, master has been updated
via 873d3cc s3:smb2_tcon: require a signed request when authentication
is used for SMB >= 3.11
from 7266c68 ctdb: Change use of 'which' to 'type' in scripts.
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 873d3ccd483166c4e6e51d2fc86d900373bd8871
Author: Stefan Metzmacher <[email protected]>
Date: Thu May 28 15:35:25 2015 +0200
s3:smb2_tcon: require a signed request when authentication is used for SMB
>= 3.11
Disconnect the client if the request is not signed.
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Michael Adam <[email protected]>
Autobuild-User(master): Jeremy Allison <[email protected]>
Autobuild-Date(master): Sat Jun 6 03:19:33 CEST 2015 on sn-devel-104
-----------------------------------------------------------------------
Summary of changes:
source3/smbd/smb2_tcon.c | 49 +++++++++++++++++++++++++++++++++++++++---------
1 file changed, 40 insertions(+), 9 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/smbd/smb2_tcon.c b/source3/smbd/smb2_tcon.c
index 3750bc1..eb66ea0 100644
--- a/source3/smbd/smb2_tcon.c
+++ b/source3/smbd/smb2_tcon.c
@@ -36,7 +36,8 @@ static NTSTATUS smbd_smb2_tree_connect_recv(struct tevent_req
*req,
uint32_t *out_share_flags,
uint32_t *out_capabilities,
uint32_t *out_maximal_access,
- uint32_t *out_tree_id);
+ uint32_t *out_tree_id,
+ bool *disconnect);
static void smbd_smb2_request_tcon_done(struct tevent_req *subreq);
@@ -113,6 +114,7 @@ static void smbd_smb2_request_tcon_done(struct tevent_req
*subreq)
uint32_t out_capabilities = 0;
uint32_t out_maximal_access = 0;
uint32_t out_tree_id = 0;
+ bool disconnect = false;
NTSTATUS status;
NTSTATUS error;
@@ -121,9 +123,15 @@ static void smbd_smb2_request_tcon_done(struct tevent_req
*subreq)
&out_share_flags,
&out_capabilities,
&out_maximal_access,
- &out_tree_id);
+ &out_tree_id,
+ &disconnect);
TALLOC_FREE(subreq);
if (!NT_STATUS_IS_OK(status)) {
+ if (disconnect) {
+ smbd_server_connection_terminate(req->xconn,
+ nt_errstr(status));
+ return;
+ }
error = smbd_smb2_request_error(req, status);
if (!NT_STATUS_IS_OK(error)) {
smbd_server_connection_terminate(req->xconn,
@@ -173,7 +181,8 @@ static NTSTATUS smbd_smb2_tree_connect(struct
smbd_smb2_request *req,
uint32_t *out_share_flags,
uint32_t *out_capabilities,
uint32_t *out_maximal_access,
- uint32_t *out_tree_id)
+ uint32_t *out_tree_id,
+ bool *disconnect)
{
struct smbXsrv_connection *conn = req->xconn;
const char *share = in_path;
@@ -186,6 +195,9 @@ static NTSTATUS smbd_smb2_tree_connect(struct
smbd_smb2_request *req,
NTSTATUS status;
bool encryption_required = req->session->global->encryption_required;
bool guest_session = false;
+ bool require_signed_tcon = false;
+
+ *disconnect = false;
if (strncmp(share, "\\\\", 2) == 0) {
const char *p = strchr(share+2, '\\');
@@ -197,6 +209,25 @@ static NTSTATUS smbd_smb2_tree_connect(struct
smbd_smb2_request *req,
DEBUG(10,("smbd_smb2_tree_connect: path[%s] share[%s]\n",
in_path, share));
+ if (security_session_user_level(compat_vuser->session_info, NULL) <
SECURITY_USER) {
+ guest_session = true;
+ }
+
+ if (conn->protocol >= PROTOCOL_SMB3_11 && !guest_session) {
+ require_signed_tcon = true;
+ }
+
+ if (require_signed_tcon && !req->do_encryption && !req->do_signing) {
+ DEBUG(1, ("smbd_smb2_tree_connect: reject request to share "
+ "[%s] as '%s\\%s' without encryption or signing. "
+ "Disconnecting.\n",
+ share,
+
req->session->global->auth_session_info->info->domain_name,
+
req->session->global->auth_session_info->info->account_name));
+ *disconnect = true;
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
service = talloc_strdup(talloc_tos(), share);
if(!service) {
return NT_STATUS_NO_MEMORY;
@@ -244,10 +275,6 @@ static NTSTATUS smbd_smb2_tree_connect(struct
smbd_smb2_request *req,
encryption_required = true;
}
- if (security_session_user_level(compat_vuser->session_info, NULL) <
SECURITY_USER) {
- guest_session = true;
- }
-
if (guest_session && encryption_required) {
DEBUG(1,("reject guest as encryption is required for service
%s\n",
service));
@@ -356,6 +383,7 @@ struct smbd_smb2_tree_connect_state {
uint32_t out_capabilities;
uint32_t out_maximal_access;
uint32_t out_tree_id;
+ bool disconnect;
};
static struct tevent_req *smbd_smb2_tree_connect_send(TALLOC_CTX *mem_ctx,
@@ -380,7 +408,8 @@ static struct tevent_req
*smbd_smb2_tree_connect_send(TALLOC_CTX *mem_ctx,
&state->out_share_flags,
&state->out_capabilities,
&state->out_maximal_access,
- &state->out_tree_id);
+ &state->out_tree_id,
+ &state->disconnect);
if (tevent_req_nterror(req, status)) {
return tevent_req_post(req, ev);
}
@@ -394,7 +423,8 @@ static NTSTATUS smbd_smb2_tree_connect_recv(struct
tevent_req *req,
uint32_t *out_share_flags,
uint32_t *out_capabilities,
uint32_t *out_maximal_access,
- uint32_t *out_tree_id)
+ uint32_t *out_tree_id,
+ bool *disconnect)
{
struct smbd_smb2_tree_connect_state *state =
tevent_req_data(req,
@@ -411,6 +441,7 @@ static NTSTATUS smbd_smb2_tree_connect_recv(struct
tevent_req *req,
*out_capabilities = state->out_capabilities;
*out_maximal_access = state->out_maximal_access;
*out_tree_id = state->out_tree_id;
+ *disconnect = state->disconnect;
tevent_req_received(req);
return NT_STATUS_OK;
--
Samba Shared Repository
