The branch, v4-2-test has been updated
via 44fddac auth/credentials: if credentials have principal set, they
are not anonymous anymore
via c0fb5fc ctdb-daemon: Return correct sequence number for
CONTROL_GET_DB_SEQNUM
via ebde3fe s3-smbd: reset protocol in smbXsrv_connection_init_tables
failure paths.
via a759cd6 s3:libsmb: Fix a bug in conversion of ea list to ea array.
via f33d7fa smbd:trans2: treat new SMB_SIGNING_DESIRED in case
via 8be6d09 docs:smb.conf: explain effect of new setting 'desired' of
smb encrypt
via 9817f8c smbd:smb2: use encryption_desired in send_break
via 90ee73b smbd:smb2: only enable encryption in tcon if desired
via 8e06f18 smbd:smb2: only enable encryption in session if desired
via 6cb67e5 smbd:smb2: separate between encryption required and enc
desired
via 6429747 smbXsrv: add bools encryption_desired to session and tcon
via 872668a Introduce setting "desired" for 'smb encrypt' and
'client/server signing'
via b1cd2fe smbd: Make SMB3 clients use encryption with "smb encrypt =
auto"
from 274513b VERSION: Bump version up to 4.2.4...
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-2-test
- Log -----------------------------------------------------------------
commit 44fddac658ae06005cd15f507bfac63593a6bea7
Author: Alexander Bokovoy <[email protected]>
Date: Thu May 7 14:12:03 2015 +0000
auth/credentials: if credentials have principal set, they are not anonymous
anymore
When dealing with Kerberos, we cannot consider credentials anonymous
if credentials were obtained properly.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11265
Signed-off-by: Alexander Bokovoy <[email protected]>
Reviewed-by: Stefan (metze) Metzmacher <[email protected]>
Reviewed-by: Guenther Deschner <[email protected]>
Autobuild-User(master): Alexander Bokovoy <[email protected]>
Autobuild-Date(master): Wed Jul 15 16:32:55 CEST 2015 on sn-devel-104
(cherry picked from commit a0d2dd0e01618346b4ad8ea9da3f7ce4eb0364b0)
Autobuild-User(v4-2-test): Karolin Seeger <[email protected]>
Autobuild-Date(v4-2-test): Thu Jul 16 14:11:52 CEST 2015 on sn-devel-104
commit c0fb5fce16fbd19366a9c06b67c3bff534a400b2
Author: Amitay Isaacs <[email protected]>
Date: Tue Jul 14 16:54:59 2015 +1000
ctdb-daemon: Return correct sequence number for CONTROL_GET_DB_SEQNUM
Due to the missing cast of uint64_t, CONTROL_GET_DB_SEQNUM always returned
seqnum <= 256.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11398
Signed-off-by: Amitay Isaacs <[email protected]>
Reviewed-by: Martin Schwenke <[email protected]>
Reviewed-by: Volker Lendecke <[email protected]>
Autobuild-User(master): Amitay Isaacs <[email protected]>
Autobuild-Date(master): Tue Jul 14 13:03:25 CEST 2015 on sn-devel-104
(cherry picked from commit 1023db2543f7785e4527a4565db91edcde4ca7f1)
commit ebde3fe887f9b679f9b3b7fea12864f4cd496caf
Author: Günther Deschner <[email protected]>
Date: Wed Jun 10 17:07:15 2015 +0200
s3-smbd: reset protocol in smbXsrv_connection_init_tables failure paths.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11373
Guenther
Pair-Programmed-With: Stefan Metzmacher <[email protected]>
Pair-Programmed-With: Michael Adam <[email protected]>
Signed-off-by: Guenther Deschner <[email protected]>
Signed-off-by: Stefan Metzmacher <[email protected]>
Signed-off-by: Michael Adam <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit a759cd62d34326e0268bf3a712c9330c4d767498
Author: Anubhav Rakshit <[email protected]>
Date: Fri Jun 26 12:24:23 2015 +0530
s3:libsmb: Fix a bug in conversion of ea list to ea array.
Bug 11361 - Reading of EA's (Extended Attributes) fails using SMB2 and above
protocols
Tested against Win2k12r2 server.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11361
Signed-off-by: Anubhav Rakshit <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
Reviewed-by: Michael Adam <[email protected]>
(cherry picked from commit 5af2e3eed2ac309e2491fc54e03e7b04c8b118fb)
commit f33d7fa2eea91ec73780bf748ed59b42cd034358
Author: Michael Adam <[email protected]>
Date: Tue Jul 7 17:15:00 2015 +0200
smbd:trans2: treat new SMB_SIGNING_DESIRED in case
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372
Signed-off-by: Michael Adam <[email protected]>
Reviewed-by: Guenther Deschner <[email protected]>
(cherry picked from commit 76f8d0fbada15c9466f66a2d9961bebd1425d141)
commit 8be6d0972e83cbdb0206b667739fead8bd7eaccc
Author: Michael Adam <[email protected]>
Date: Tue Jun 30 17:46:36 2015 +0200
docs:smb.conf: explain effect of new setting 'desired' of smb encrypt
Thereby clarify some details.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372
Signed-off-by: Michael Adam <[email protected]>
Reviewed-by: Guenther Deschner <[email protected]>
(cherry picked from commit 365d9d8bdfe9759ef9662d0080cf9c9a0767dbf2)
commit 9817f8c4b3e8e3d846b61e439a61f5ca2aaa3c3c
Author: Michael Adam <[email protected]>
Date: Wed Jul 1 17:41:38 2015 +0200
smbd:smb2: use encryption_desired in send_break
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372
Signed-off-by: Michael Adam <[email protected]>
Reviewed-by: Guenther Deschner <[email protected]>
(cherry picked from commit 14357700fd69291995ce6adebb13e7340a63c209)
commit 90ee73b4406173c4f8ca1c9aeffc7ed693ca4b91
Author: Michael Adam <[email protected]>
Date: Wed Jul 1 18:07:52 2015 +0200
smbd:smb2: only enable encryption in tcon if desired
Don't enforce it but only announce DATA_ENCRYPT,
making use of encryption_desired in tcon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372
Signed-off-by: Michael Adam <[email protected]>
Reviewed-by: Guenther Deschner <[email protected]>
(cherry picked from commit 41cb881e775ea7eb0c59d9e0cafb6ab5531918d9)
commit 8e06f1811032f330ef13b1a02aaf1c2d4a4d9f38
Author: Michael Adam <[email protected]>
Date: Wed Jul 1 18:07:26 2015 +0200
smbd:smb2: only enable encryption in session if desired
Don't enforce it but only announce ENCRYPT_DATA, using the
encryption_desired flag in session setup.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372
Signed-off-by: Michael Adam <[email protected]>
Reviewed-by: Guenther Deschner <[email protected]>
(cherry picked from commit fc228025d78f165815d3fa1670d51f0c27ed2091)
commit 6cb67e5aa66898b1d4bab189dd66d8e009d73f97
Author: Michael Adam <[email protected]>
Date: Wed Jul 1 17:42:58 2015 +0200
smbd:smb2: separate between encryption required and enc desired
this means we:
- accept unencrypted requests if encryption only desired
and not required,
- but we always send encrypted responses in the desired
case, not only when the request was encrypted.
For this purpose, the do_encryption in the request
structure is separated into was_encrypted and do_encryption.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372
Signed-off-by: Michael Adam <[email protected]>
Reviewed-by: Guenther Deschner <[email protected]>
(cherry picked from commit 3bb299944391633c45d87d5e8ad48c2c14428592)
commit 64297477a63cbeb7d971f0a5c0a578cc325beff6
Author: Michael Adam <[email protected]>
Date: Wed Jul 1 17:34:45 2015 +0200
smbXsrv: add bools encryption_desired to session and tcon
This is to indicate that we should sen the ENCRYPT_DATA
flag on session or tcon replies.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372
Signed-off-by: Michael Adam <[email protected]>
Reviewed-by: Guenther Deschner <[email protected]>
(cherry picked from commit a3ea6dbef53e049701326497e684e1563344e6d8)
commit 872668aa5a8c24d0b38c2c375475c6027ec42aa2
Author: Michael Adam <[email protected]>
Date: Tue Jun 30 14:16:19 2015 +0200
Introduce setting "desired" for 'smb encrypt' and 'client/server signing'
This should trigger the behaviour where the server requires
signing when the client supports it, but does not reject
clients that don't support it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372
Signed-off-by: Michael Adam <[email protected]>
Reviewed-by: Guenther Deschner <[email protected]>
(cherry picked from commit 204cbe3645c59b43175beeadad792b4a00e80da3)
commit b1cd2febd806cf4df1b04795a20c16b978e5f9db
Author: Volker Lendecke <[email protected]>
Date: Wed Feb 25 16:59:26 2015 +0100
smbd: Make SMB3 clients use encryption with "smb encrypt = auto"
Signed-off-by: Volker Lendecke <[email protected]>
Reviewed-by: Stefan Metzmacher <[email protected]>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372
Autobuild-User(master): Volker Lendecke <[email protected]>
Autobuild-Date(master): Tue Mar 3 10:40:42 CET 2015 on sn-devel-104
(cherry picked from commit b3385f74db54bd8a07a0be5515151b633c067da4)
-----------------------------------------------------------------------
Summary of changes:
auth/credentials/credentials.c | 5 +++
ctdb/server/ctdb_persistent.c | 5 +--
docs-xml/smbdotconf/security/smbencrypt.xml | 66 ++++++++++++++++++++---------
lib/param/loadparm.c | 1 +
lib/param/param_table.c | 1 +
libcli/smb/smbXcli_base.c | 6 +++
libcli/smb/smb_constants.h | 1 +
source3/librpc/idl/smbXsrv.idl | 2 +
source3/libsmb/cli_smb2_fnum.c | 2 +-
source3/smbd/globals.h | 3 ++
source3/smbd/process.c | 7 ++-
source3/smbd/smb2_server.c | 22 +++++++---
source3/smbd/smb2_sesssetup.c | 8 +++-
source3/smbd/smb2_tcon.c | 10 ++++-
source3/smbd/trans2.c | 1 +
source4/smb_server/smb2/negprot.c | 1 +
16 files changed, 108 insertions(+), 33 deletions(-)
Changeset truncated at 500 lines:
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index 78b5955..e988d2d 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -921,6 +921,11 @@ _PUBLIC_ bool cli_credentials_is_anonymous(struct
cli_credentials *cred)
cred->machine_account_pending_lp_ctx);
}
+ /* if principal is set, it's not anonymous */
+ if ((cred->principal != NULL) && cred->principal_obtained >=
cred->username_obtained) {
+ return false;
+ }
+
username = cli_credentials_get_username(cred);
/* Yes, it is deliberate that we die if we have a NULL pointer
diff --git a/ctdb/server/ctdb_persistent.c b/ctdb/server/ctdb_persistent.c
index e28622f..5c54b9e 100644
--- a/ctdb/server/ctdb_persistent.c
+++ b/ctdb/server/ctdb_persistent.c
@@ -369,14 +369,11 @@ int32_t ctdb_control_get_db_seqnum(struct ctdb_context
*ctdb,
}
outdata->dsize = sizeof(uint64_t);
- outdata->dptr = (uint8_t *)talloc_zero(outdata, uint64_t);
+ outdata->dptr = talloc_memdup(outdata, &seqnum, sizeof(uint64_t));
if (outdata->dptr == NULL) {
ret = -1;
- goto done;
}
- *(outdata->dptr) = seqnum;
-
done:
return ret;
}
diff --git a/docs-xml/smbdotconf/security/smbencrypt.xml
b/docs-xml/smbdotconf/security/smbencrypt.xml
index 14b32c2..284fe9e 100644
--- a/docs-xml/smbdotconf/security/smbencrypt.xml
+++ b/docs-xml/smbdotconf/security/smbencrypt.xml
@@ -31,11 +31,15 @@
<para>
This parameter can be set globally and on a per-share bases.
Possible values are
- <emphasis>off</emphasis> or <emphasis>disabled</emphasis>,
- <emphasis>auto</emphasis> or <emphasis>enabled</emphasis>, and
- <emphasis>mandatory</emphasis> or <emphasis>required</emphasis>.
+ <emphasis>off</emphasis> (or <emphasis>disabled</emphasis>),
+ <emphasis>enabled</emphasis> (or <emphasis>auto</emphasis>, or
+ <emphasis>if_required</emphasis>),
+ <emphasis>desired</emphasis>,
+ and
+ <emphasis>required</emphasis>
+ (or <emphasis>mandatory</emphasis>).
A special value is <emphasis>default</emphasis> which is
- the implicit default setting.
+ the implicit default setting of <emphasis>enabled</emphasis>.
</para>
<variablelist>
@@ -104,7 +108,7 @@
<listitem>
<para>
The capability to perform SMB encryption can be
- negotiated during prorocol negotiation.
+ negotiated during protocol negotiation.
</para>
</listitem>
@@ -146,8 +150,9 @@
<itemizedlist>
<listitem>
<para>
- Leaving it as default or explicitly setting
- <emphasis>default</emphasis> globally will enable
+ Leaving it as default, explicitly setting
+ <emphasis>default</emphasis>, or setting it to
+ <emphasis>enabled</emphasis> globally will enable
negotiation of encryption but will not turn on
data encryption globally or per share.
</para>
@@ -155,16 +160,20 @@
<listitem>
<para>
- Setting it to <emphasis>enabled</emphasis> globally will
- enable negotiation and turn on data encryption globally.
+ Setting it to <emphasis>desired</emphasis> globally
+ will enable negotiation and will turn on data encryption
+ on sessions and share connections for those clients
+ that support it.
</para>
</listitem>
<listitem>
<para>
Setting it to <emphasis>required</emphasis> globally
- will enable negotiation and enforce data encryption
- globally.
+ will enable negotiation and turn on data encryption
+ on sessions and share connections. Clients that do
+ not support encryption will be denied access to the
+ server.
</para>
</listitem>
@@ -177,9 +186,10 @@
<listitem>
<para>
- Setting it to <emphasis>enabled</emphasis> on a share
- will turn on data encryption for this share if
- negotiation has been enabled globally.
+ Setting it to <emphasis>desired</emphasis> on a share
+ will turn on data encryption for this share for clients
+ that support encryption if negotiation has been
+ enabled globally.
</para>
</listitem>
@@ -187,16 +197,34 @@
<para>
Setting it to <emphasis>required</emphasis> on a share
will enforce data encryption for this share if
- negotiation has been enabled globally. Note that this
- allows enforcing to be controlled in Samba more
- fine-grainedly than in Windows. This is a small
- deviation from the MS-SMB2 protocol document.
+ negotiation has been enabled globally. I.e. clients that
+ do not support encryption will be denied access to the
+ share.
+ </para>
+ <para>
+ Note that this allows per-share enforcing to be
+ controlled in Samba differently from Windows:
+ In Windows, <emphasis>RejectUnencryptedAccess</emphasis>
+ is a global setting, and if it is set, all shares with
+ data encryption turned on
+ are automatically enforcing encryption. In order to
+ achieve the same effect in Samba, one
+ has to globally set <emphasis>smb encrypt</emphasis> to
+ <emphasis>enabled</emphasis>, and then set all shares
+ that should be encrypted to
+ <emphasis>required</emphasis>.
+ Additionally, it is possible in Samba to have some
+ shares with encryption <emphasis>required</emphasis>
+ and some other shares with encryption only
+ <emphasis>desired</emphasis>, which is not possible in
+ Windows.
</para>
</listitem>
<listitem>
<para>
- Setting it to <emphasis>off</emphasis> for a share has
+ Setting it to <emphasis>off</emphasis> or
+ <emphasis>enabled</emphasis> for a share has
no effect.
</para>
</listitem>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index dff1ca9..ae60cbf 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -3189,6 +3189,7 @@ bool lpcfg_server_signing_allowed(struct loadparm_context
*lp_ctx, bool *mandato
case SMB_SIGNING_REQUIRED:
*mandatory = true;
break;
+ case SMB_SIGNING_DESIRED:
case SMB_SIGNING_IF_REQUIRED:
break;
case SMB_SIGNING_DEFAULT:
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 1b9656b..530d858 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -113,6 +113,7 @@ static const struct enum_list enum_smb_signing_vals[] = {
{SMB_SIGNING_IF_REQUIRED, "On"},
{SMB_SIGNING_IF_REQUIRED, "enabled"},
{SMB_SIGNING_IF_REQUIRED, "auto"},
+ {SMB_SIGNING_DESIRED, "desired"},
{SMB_SIGNING_REQUIRED, "required"},
{SMB_SIGNING_REQUIRED, "mandatory"},
{SMB_SIGNING_REQUIRED, "force"},
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index c27b317..803b6ee 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -357,6 +357,12 @@ struct smbXcli_conn *smbXcli_conn_create(TALLOC_CTX
*mem_ctx,
conn->desire_signing = false;
conn->mandatory_signing = false;
break;
+ case SMB_SIGNING_DESIRED:
+ /* if the server desires it */
+ conn->allow_signing = true;
+ conn->desire_signing = true;
+ conn->mandatory_signing = false;
+ break;
case SMB_SIGNING_REQUIRED:
/* always */
conn->allow_signing = true;
diff --git a/libcli/smb/smb_constants.h b/libcli/smb/smb_constants.h
index f841ca9..9b57078 100644
--- a/libcli/smb/smb_constants.h
+++ b/libcli/smb/smb_constants.h
@@ -96,6 +96,7 @@ enum smb_signing_setting {
SMB_SIGNING_DEFAULT = -1,
SMB_SIGNING_OFF = 0,
SMB_SIGNING_IF_REQUIRED = 1,
+ SMB_SIGNING_DESIRED = 2,
SMB_SIGNING_REQUIRED = 3,
};
diff --git a/source3/librpc/idl/smbXsrv.idl b/source3/librpc/idl/smbXsrv.idl
index 0035442..e32496a 100644
--- a/source3/librpc/idl/smbXsrv.idl
+++ b/source3/librpc/idl/smbXsrv.idl
@@ -190,6 +190,7 @@ interface smbXsrv
[ignore] gensec_security *gensec;
[ignore] user_struct *compat;
[ignore] smbXsrv_tcon_table *tcon_table;
+ boolean8 encryption_desired;
} smbXsrv_session;
typedef union {
@@ -284,6 +285,7 @@ interface smbXsrv
NTSTATUS status;
NTTIME idle_time;
[ignore] connection_struct *compat;
+ boolean8 encryption_desired;
} smbXsrv_tcon;
typedef union {
diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c
index de4bd6f..95153ec 100644
--- a/source3/libsmb/cli_smb2_fnum.c
+++ b/source3/libsmb/cli_smb2_fnum.c
@@ -2193,7 +2193,7 @@ NTSTATUS cli_smb2_get_ea_list_path(struct cli_state *cli,
}
ea_count = 0;
for (eal = ea_list; eal; eal = eal->next) {
- (*pea_array)[ea_count++] = ea_list->ea;
+ (*pea_array)[ea_count++] = eal->ea;
}
*pnum_eas = ea_count;
}
diff --git a/source3/smbd/globals.h b/source3/smbd/globals.h
index 2aed98e..3194b45 100644
--- a/source3/smbd/globals.h
+++ b/source3/smbd/globals.h
@@ -646,6 +646,9 @@ struct smbd_smb2_request {
int current_idx;
bool do_signing;
+ /* Was the request encrypted? */
+ bool was_encrypted;
+ /* Should we encrypt? */
bool do_encryption;
struct tevent_timer *async_te;
bool compound_related;
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index 74e7afc..d8091f3 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -3465,36 +3465,41 @@ NTSTATUS smbXsrv_connection_init_tables(struct
smbXsrv_connection *conn,
{
NTSTATUS status;
- set_Protocol(protocol);
conn->protocol = protocol;
if (protocol >= PROTOCOL_SMB2_02) {
status = smb2srv_session_table_init(conn);
if (!NT_STATUS_IS_OK(status)) {
+ conn->protocol = PROTOCOL_NONE;
return status;
}
status = smb2srv_open_table_init(conn);
if (!NT_STATUS_IS_OK(status)) {
+ conn->protocol = PROTOCOL_NONE;
return status;
}
} else {
status = smb1srv_session_table_init(conn);
if (!NT_STATUS_IS_OK(status)) {
+ conn->protocol = PROTOCOL_NONE;
return status;
}
status = smb1srv_tcon_table_init(conn);
if (!NT_STATUS_IS_OK(status)) {
+ conn->protocol = PROTOCOL_NONE;
return status;
}
status = smb1srv_open_table_init(conn);
if (!NT_STATUS_IS_OK(status)) {
+ conn->protocol = PROTOCOL_NONE;
return status;
}
}
+ set_Protocol(protocol);
return NT_STATUS_OK;
}
diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index 2739734..e723f6d 100644
--- a/source3/smbd/smb2_server.c
+++ b/source3/smbd/smb2_server.c
@@ -1939,6 +1939,7 @@ NTSTATUS smbd_smb2_request_dispatch(struct
smbd_smb2_request *req)
NTSTATUS return_value;
struct smbXsrv_session *x = NULL;
bool signing_required = false;
+ bool encryption_desired = false;
bool encryption_required = false;
inhdr = SMBD_SMB2_IN_HDR_PTR(req);
@@ -1984,11 +1985,13 @@ NTSTATUS smbd_smb2_request_dispatch(struct
smbd_smb2_request *req)
x = req->session;
if (x != NULL) {
signing_required = x->global->signing_required;
+ encryption_desired = x->encryption_desired;
encryption_required = x->global->encryption_required;
}
req->do_signing = false;
req->do_encryption = false;
+ req->was_encrypted = false;
if (intf_v->iov_len == SMB2_TF_HDR_SIZE) {
const uint8_t *intf = SMBD_SMB2_IN_TF_PTR(req);
uint64_t tf_session_id = BVAL(intf, SMB2_TF_SESSION_ID);
@@ -2010,10 +2013,10 @@ NTSTATUS smbd_smb2_request_dispatch(struct
smbd_smb2_request *req)
NT_STATUS_ACCESS_DENIED);
}
- req->do_encryption = true;
+ req->was_encrypted = true;
}
- if (encryption_required && !req->do_encryption) {
+ if (encryption_required && !req->was_encrypted) {
return smbd_smb2_request_error(req,
NT_STATUS_ACCESS_DENIED);
}
@@ -2045,7 +2048,7 @@ NTSTATUS smbd_smb2_request_dispatch(struct
smbd_smb2_request *req)
req->compat_chain_fsp = NULL;
}
- if (req->do_encryption) {
+ if (req->was_encrypted) {
signing_required = false;
} else if (signing_required || (flags & SMB2_HDR_FLAG_SIGNED)) {
DATA_BLOB signing_key = data_blob_null;
@@ -2131,15 +2134,22 @@ NTSTATUS smbd_smb2_request_dispatch(struct
smbd_smb2_request *req)
if (!NT_STATUS_IS_OK(status)) {
return smbd_smb2_request_error(req, status);
}
+ if (req->tcon->encryption_desired) {
+ encryption_desired = true;
+ }
if (req->tcon->global->encryption_required) {
encryption_required = true;
}
- if (encryption_required && !req->do_encryption) {
+ if (encryption_required && !req->was_encrypted) {
return smbd_smb2_request_error(req,
NT_STATUS_ACCESS_DENIED);
}
}
+ if (req->was_encrypted || encryption_desired) {
+ req->do_encryption = true;
+ }
+
if (call->fileid_ofs != 0) {
size_t needed = call->fileid_ofs + 16;
const uint8_t *body = SMBD_SMB2_IN_BODY_PTR(req);
@@ -2770,8 +2780,8 @@ static NTSTATUS smbd_smb2_send_break(struct
smbXsrv_connection *xconn,
if (session != NULL) {
session_wire_id = session->global->session_wire_id;
- do_encryption = session->global->encryption_required;
- if (tcon->global->encryption_required) {
+ do_encryption = session->encryption_desired;
+ if (tcon->encryption_desired) {
do_encryption = true;
}
}
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index 85f8a9a..e255e46 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -190,7 +190,13 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct
smbXsrv_session *session,
x->global->signing_required = true;
}
+ if ((lp_smb_encrypt(-1) >= SMB_SIGNING_DESIRED) &&
+ (xconn->smb2.client.capabilities & SMB2_CAP_ENCRYPTION)) {
+ x->encryption_desired = true;
+ }
+
if (lp_smb_encrypt(-1) == SMB_SIGNING_REQUIRED) {
+ x->encryption_desired = true;
x->global->encryption_required = true;
}
@@ -217,7 +223,7 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct
smbXsrv_session *session,
}
}
- if (x->global->encryption_required) {
+ if (x->encryption_desired) {
*out_session_flags |= SMB2_SESSION_FLAG_ENCRYPT_DATA;
}
diff --git a/source3/smbd/smb2_tcon.c b/source3/smbd/smb2_tcon.c
index 8a6d339..e3680a0 100644
--- a/source3/smbd/smb2_tcon.c
+++ b/source3/smbd/smb2_tcon.c
@@ -184,6 +184,7 @@ static NTSTATUS smbd_smb2_tree_connect(struct
smbd_smb2_request *req,
connection_struct *compat_conn = NULL;
struct user_struct *compat_vuser = req->session->compat;
NTSTATUS status;
+ bool encryption_desired = req->session->encryption_desired;
bool encryption_required = req->session->global->encryption_required;
bool guest_session = false;
@@ -235,7 +236,13 @@ static NTSTATUS smbd_smb2_tree_connect(struct
smbd_smb2_request *req,
return NT_STATUS_BAD_NETWORK_NAME;
}
+ if ((lp_smb_encrypt(snum) >= SMB_SIGNING_DESIRED) &&
+ (conn->smb2.client.capabilities & SMB2_CAP_ENCRYPTION)) {
+ encryption_desired = true;
+ }
+
if (lp_smb_encrypt(snum) == SMB_SIGNING_REQUIRED) {
+ encryption_desired = true;
encryption_required = true;
}
@@ -264,6 +271,7 @@ static NTSTATUS smbd_smb2_tree_connect(struct
smbd_smb2_request *req,
return status;
}
+ tcon->encryption_desired = encryption_desired;
tcon->global->encryption_required = encryption_required;
compat_conn = make_connection_smb2(req,
@@ -334,7 +342,7 @@ static NTSTATUS smbd_smb2_tree_connect(struct
smbd_smb2_request *req,
*out_share_flags |= SMB2_SHAREFLAG_ACCESS_BASED_DIRECTORY_ENUM;
}
- if (encryption_required) {
+ if (encryption_desired) {
*out_share_flags |= SMB2_SHAREFLAG_ENCRYPT_DATA;
}
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index 40983cc..a937023 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -3608,6 +3608,7 @@ cBytesSector=%u, cUnitTotal=%u, cUnitAvail=%d\n",
(unsigned int)bsize, (unsigned
case SMB_SIGNING_OFF:
encrypt_caps = 0;
break;
+ case SMB_SIGNING_DESIRED:
case SMB_SIGNING_IF_REQUIRED:
case SMB_SIGNING_DEFAULT:
encrypt_caps =
CIFS_UNIX_TRANSPORT_ENCRYPTION_CAP;
diff --git a/source4/smb_server/smb2/negprot.c
b/source4/smb_server/smb2/negprot.c
index 81f2547..b48b170 100644
--- a/source4/smb_server/smb2/negprot.c
+++ b/source4/smb_server/smb2/negprot.c
@@ -150,6 +150,7 @@ static NTSTATUS smb2srv_negprot_backend(struct
smb2srv_request *req, struct smb2
case SMB_SIGNING_OFF:
io->out.security_mode = 0;
break;
+ case SMB_SIGNING_DESIRED:
case SMB_SIGNING_IF_REQUIRED:
io->out.security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED;
break;
--
Samba Shared Repository
