The branch, master has been updated
via 9a3b64a vfs_fruit: checks wrong AAPL config state and so always
uses readdirattr
via 21d030e selftest: add test for global "smb encrypt=off"
via 573e8e1 selftest: disable SMB encryption in simpleserver environment
via f8d937b docs: impact of a global "smb encrypt=off" on a share with
"smb encrypt=required"
via b0b418c s3/smbd: ensure global "smb encrypt = off" is effective for
share with "smb encrypt = desired"
via 6ae63d4 s3/smbd: ensure global "smb encrypt = off" is effective for
SMB 3.1.1 clients
via 43a90ce s3/smbd: ensure global "smb encrypt = off" is effective for
SMB 1 clients
from f605332 docs: Improve description of "unix_primary_group" parameter
in idmap_ad manpage
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 9a3b64a24cc21124485b423c9b70b67ff5a96f10
Author: Ralph Boehme <[email protected]>
Date: Thu Jan 26 11:49:55 2017 +0100
vfs_fruit: checks wrong AAPL config state and so always uses readdirattr
readdirattr should only be enabled if the client enables it via AAPL
negotitiation, not for all clients when vfs_fruit is loaded.
Unfortunately the check in fruit_readdir_attr() is
if (!config->use_aapl) {
return SMB_VFS_NEXT_READDIR_ATTR(handle, fname, mem_ctx, pattr_data);
}
This uses the wrong config state "use_aapl" which is always true by
default (config option "fruit:aapl").
We must use "nego_aapl" instead which is only true if the client
really negotiated this feature.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12541
Signed-off-by: Ralph Boehme <[email protected]>
Reviewed-by: Jeremy Allison <[email protected]>
Autobuild-User(master): Jeremy Allison <[email protected]>
Autobuild-Date(master): Sat Jan 28 01:49:11 CET 2017 on sn-devel-144
commit 21d030e5bdf7dc6ef8d5f4e70bed7e70b731cd15
Author: Ralph Boehme <[email protected]>
Date: Wed Jan 18 16:23:40 2017 +0100
selftest: add test for global "smb encrypt=off"
Test various combinations of having encryption globally turned off and
enabled (desired/required) on a share, with SMB1 UNIX Extensions and SMB3.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520
Signed-off-by: Ralph Boehme <[email protected]>
Reviewed-by: Jeremy Allison <[email protected]>
commit 573e8e15b3ed27d6b593e635e9c24eea3fdf4fb9
Author: Ralph Boehme <[email protected]>
Date: Tue Jan 17 17:23:51 2017 +0100
selftest: disable SMB encryption in simpleserver environment
Encryption is currently not tested in this env so we can safely turn it
off. The next commit will add a blackbox tests that test combinations of
having encryption globally turned off and enabled (desired/required) on
a share.
This also adds a new share "enc_desired" with "smb encrypt = desired"
which will be used by the test in the next commit.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520
Signed-off-by: Ralph Boehme <[email protected]>
Reviewed-by: Jeremy Allison <[email protected]>
commit f8d937b331ac985264c76d76b447683fc494d38a
Author: Ralph Boehme <[email protected]>
Date: Mon Jan 16 15:45:32 2017 +0100
docs: impact of a global "smb encrypt=off" on a share with "smb
encrypt=required"
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520
Signed-off-by: Ralph Boehme <[email protected]>
Reviewed-by: Jeremy Allison <[email protected]>
commit b0b418c22558fa1df547df9bdac2642343ac39e1
Author: Ralph Boehme <[email protected]>
Date: Mon Jan 16 12:56:10 2017 +0100
s3/smbd: ensure global "smb encrypt = off" is effective for share with "smb
encrypt = desired"
If encryption is disabled globally, per definition we shouldn't allow
enabling encryption on individual shares.
The behaviour of specifying
[Global]
smb encrypt = off
[share]
smb encrypt = desired
must be an unecrypted tree connect to the share "share".
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520
Signed-off-by: Ralph Boehme <[email protected]>
Reviewed-by: Jeremy Allison <[email protected]>
commit 6ae63d42f5aacddf5b7b6dbdfbe620344989e4e5
Author: Ralph Boehme <[email protected]>
Date: Thu Jan 5 12:14:35 2017 +0100
s3/smbd: ensure global "smb encrypt = off" is effective for SMB 3.1.1
clients
If encryption is disabled globally, per definition we shouldn't allow
enabling encryption on individual shares.
The behaviour of setting
[Global]
smb encrypt = off
[share]
smb encrypt = required
must be to completely deny access to the share "share".
This was working correctly for clients when using SMB 3 dialects <
3.1.1, but not for 3.1.1 with a negprot encryption context.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520
Signed-off-by: Ralph Boehme <[email protected]>
Reviewed-by: Jeremy Allison <[email protected]>
commit 43a90cee46bb7a70f7973c4fc51eee7634e43145
Author: Ralph Boehme <[email protected]>
Date: Wed Jan 18 16:19:15 2017 +0100
s3/smbd: ensure global "smb encrypt = off" is effective for SMB 1 clients
If encryption is disabled globally, per definition we shouldn't allow
enabling encryption on individual shares.
The behaviour of setting
[Global]
smb encrypt = off
[share_required]
smb encrypt = required
[share_desired]
smb encrypt = desired
must be to completely deny access to the share "share_required" and an
unencrypted connection to "share_desired".
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520
Signed-off-by: Ralph Boehme <[email protected]>
Reviewed-by: Jeremy Allison <[email protected]>
-----------------------------------------------------------------------
Summary of changes:
docs-xml/smbdotconf/security/smbencrypt.xml | 6 +-
selftest/target/Samba3.pm | 6 ++
source3/modules/vfs_fruit.c | 2 +-
.../script/tests/test_smbclient_encryption_off.sh | 65 ++++++++++++++++++++++
source3/selftest/tests.py | 5 ++
source3/smbd/service.c | 12 ++++
source3/smbd/smb2_negprot.c | 2 +-
source3/smbd/smb2_tcon.c | 3 +-
8 files changed, 97 insertions(+), 4 deletions(-)
create mode 100755 source3/script/tests/test_smbclient_encryption_off.sh
Changeset truncated at 500 lines:
diff --git a/docs-xml/smbdotconf/security/smbencrypt.xml
b/docs-xml/smbdotconf/security/smbencrypt.xml
index 0f08966..32a22cb 100644
--- a/docs-xml/smbdotconf/security/smbencrypt.xml
+++ b/docs-xml/smbdotconf/security/smbencrypt.xml
@@ -180,7 +180,11 @@
<listitem>
<para>
Setting it to <emphasis>off</emphasis> globally will
- completely disable the encryption feature.
+ completely disable the encryption feature for all
+ connections. Setting <parameter>smb encrypt =
+ required</parameter> for individual shares (while it's
+ globally off) will deny access to this shares for all
+ clients.
</para>
</listitem>
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 32f0c6f..0ec2917 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -579,6 +579,7 @@ sub setup_simpleserver($$)
ntlm auth = yes
vfs objects = xattr_tdb streams_depot time_audit full_audit
change notify = no
+ smb encrypt = off
full_audit:syslog = no
full_audit:success = none
@@ -596,6 +597,11 @@ sub setup_simpleserver($$)
store dos attributes = yes
hide files = /hidefile/
hide dot files = yes
+
+[enc_desired]
+ path = $prefix_abs/share
+ vfs objects =
+ smb encrypt = desired
";
my $vars = $self->provision($path,
diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
index 9e8a78c..3599dcb 100644
--- a/source3/modules/vfs_fruit.c
+++ b/source3/modules/vfs_fruit.c
@@ -3539,7 +3539,7 @@ static NTSTATUS fruit_readdir_attr(struct
vfs_handle_struct *handle,
struct fruit_config_data,
return NT_STATUS_UNSUCCESSFUL);
- if (!config->use_aapl) {
+ if (!config->nego_aapl) {
return SMB_VFS_NEXT_READDIR_ATTR(handle, fname, mem_ctx,
pattr_data);
}
diff --git a/source3/script/tests/test_smbclient_encryption_off.sh
b/source3/script/tests/test_smbclient_encryption_off.sh
new file mode 100755
index 0000000..467a4ee
--- /dev/null
+++ b/source3/script/tests/test_smbclient_encryption_off.sh
@@ -0,0 +1,65 @@
+#!/bin/sh
+
+if [ $# -lt 4 ]; then
+cat <<EOF
+Usage: test_smbclient_encryption_off.sh USERNAME PASSWORD SERVER SMBCLIENT
+EOF
+exit 1;
+fi
+
+USERNAME="$1"
+PASSWORD="$2"
+SERVER="$3"
+SMBCLIENT="$VALGRIND $4"
+
+incdir=`dirname $0`/../../../testprogs/blackbox
+. $incdir/subunit.sh
+
+failed=0
+
+#
+# Let me introduce you to the shares used in this test:
+#
+# "tmp" has the default "smb encrypt" (which is "enabled")
+# "tmpenc" has "smb encrypt = required"
+# "enc_desired" has "smb encrypt = desired"
+#
+
+# Unencrypted connections should work of course, let's test em to be sure...
+
+# SMB1
+testit "smbclient //$SERVER/enc_desired" $SMBCLIENT -U $USERNAME%$PASSWORD
//$SERVER/enc_desired -c quit || failed=`expr $failed + 1`
+testit "smbclient //$SERVER/tmp" $SMBCLIENT -U $USERNAME%$PASSWORD
//$SERVER/tmp -c quit || failed=`expr $failed + 1`
+# SMB3_02
+testit "smbclient -m smb3_02 //$SERVER/enc_desired" $SMBCLIENT -m smb3_02 -U
$USERNAME%$PASSWORD //$SERVER/enc_desired -c quit || failed=`expr $failed + 1`
+testit "smbclient -m smb3_02 //$SERVER/tmp" $SMBCLIENT -m smb3_02 -U
$USERNAME%$PASSWORD //$SERVER/tmp -c quit || failed=`expr $failed + 1`
+# SMB3_11
+testit "smbclient -m smb3_11 //$SERVER/enc_desired" $SMBCLIENT -m smb3_11 -U
$USERNAME%$PASSWORD //$SERVER/enc_desired -c quit || failed=`expr $failed + 1`
+testit "smbclient -m smb3_11 //$SERVER/tmp" $SMBCLIENT -m smb3_11 -U
$USERNAME%$PASSWORD //$SERVER/tmp -c quit || failed=`expr $failed + 1`
+
+# These tests must fail, as encryption is globally off and in combination with
"smb
+# encrypt=required" on the share "tmpenc" the server *must* reject the tcon.
+
+# SMB1
+testit_expect_failure "smbclient //$SERVER/tmpenc" $SMBCLIENT -U
$USERNAME%$PASSWORD //$SERVER/tmpenc -c quit && failed=`expr $failed + 1`
+testit_expect_failure "smbclient -e //$SERVER/tmpenc" $SMBCLIENT -e -U
$USERNAME%$PASSWORD //$SERVER/tmpenc -c quit && failed=`expr $failed + 1`
+# SMB3_02
+testit_expect_failure "smbclient -m smb3_02 //$SERVER/tmpenc" $SMBCLIENT -m
smb3_02 -U $USERNAME%$PASSWORD //$SERVER/tmpenc -c quit && failed=`expr $failed
+ 1`
+testit_expect_failure "smbclient -e -m smb3_02 //$SERVER/tmpenc" $SMBCLIENT -e
-m smb3_02 -U $USERNAME%$PASSWORD //$SERVER/tmpenc -c quit && failed=`expr
$failed + 1`
+# SMB3_11
+testit_expect_failure "smbclient -m smb3_11 //$SERVER/tmpenc" $SMBCLIENT -m
smb3_11 -U $USERNAME%$PASSWORD //$SERVER/tmpenc -c quit && failed=`expr $failed
+ 1`
+testit_expect_failure "smbclient -e -m smb3_11 //$SERVER/tmpenc" $SMBCLIENT -e
-m smb3_11 -U $USERNAME%$PASSWORD //$SERVER/tmpenc -c quit && failed=`expr
$failed + 1`
+
+# These tests must fail, as the client requires encryption and it's off on the
server
+
+# SMB1
+testit_expect_failure "smbclient -e //$SERVER/enc_desired" $SMBCLIENT -e -U
$USERNAME%$PASSWORD //$SERVER/enc_desired -c quit && failed=`expr $failed + 1`
+testit_expect_failure "smbclient -e //$SERVER/tmp" $SMBCLIENT -e -U
$USERNAME%$PASSWORD //$SERVER/tmp -c quit && failed=`expr $failed + 1`
+# SMB3_02
+testit_expect_failure "smbclient -e -m smb3_02 //$SERVER/enc_desired"
$SMBCLIENT -e -m smb3_02 -U $USERNAME%$PASSWORD //$SERVER/enc_desired -c quit
&& failed=`expr $failed + 1`
+testit_expect_failure "smbclient -e -m smb3_02 //$SERVER/tmp" $SMBCLIENT -e -m
smb3_02 -U $USERNAME%$PASSWORD //$SERVER/tmp -c quit && failed=`expr $failed +
1`
+# SMB3_11
+testit_expect_failure "smbclient -e -m smb3_11 //$SERVER/enc_desired"
$SMBCLIENT -e -m smb3_11 -U $USERNAME%$PASSWORD //$SERVER/enc_desired -c quit
&& failed=`expr $failed + 1`
+testit_expect_failure "smbclient -e -m smb3_11 //$SERVER/tmp" $SMBCLIENT -e -m
smb3_11 -U $USERNAME%$PASSWORD //$SERVER/tmp -c quit && failed=`expr $failed +
1`
+
+testok $0 $failed
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 4231e1d..3a6186c 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -499,6 +499,11 @@ plantestsuite("samba3.blackbox.rpcclient.pw-nt-hash",
"simpleserver",
"$USERNAME", "$PASSWORD", "$SERVER",
os.path.join(bindir(), "rpcclient")])
+plantestsuite("samba3.blackbox.smbclient.encryption_off", "simpleserver",
+ [os.path.join(samba3srcdir,
"script/tests/test_smbclient_encryption_off.sh"),
+ "$USERNAME", "$PASSWORD", "$SERVER",
+ smbclient3])
+
options_list = ["", "-e"]
for options in options_list:
plantestsuite("samba3.blackbox.smbclient_krb5 old ccache %s" % options,
"ktest:local",
diff --git a/source3/smbd/service.c b/source3/smbd/service.c
index 3308e9d..ce4b8da 100644
--- a/source3/smbd/service.c
+++ b/source3/smbd/service.c
@@ -623,6 +623,18 @@ static NTSTATUS make_connection_snum(struct
smbXsrv_connection *xconn,
conn->short_case_preserve = lp_short_preserve_case(snum);
conn->encrypt_level = lp_smb_encrypt(snum);
+ if (conn->encrypt_level > SMB_SIGNING_OFF) {
+ if (lp_smb_encrypt(-1) == SMB_SIGNING_OFF) {
+ if (conn->encrypt_level == SMB_SIGNING_REQUIRED) {
+ DBG_ERR("Service [%s] requires encryption, but "
+ "it is disabled globally!\n",
+ lp_servicename(talloc_tos(), snum));
+ status = NT_STATUS_ACCESS_DENIED;
+ goto err_root_exit;
+ }
+ conn->encrypt_level = SMB_SIGNING_OFF;
+ }
+ }
conn->veto_list = NULL;
conn->hide_list = NULL;
diff --git a/source3/smbd/smb2_negprot.c b/source3/smbd/smb2_negprot.c
index 6cfa64f..d9ccdbe 100644
--- a/source3/smbd/smb2_negprot.c
+++ b/source3/smbd/smb2_negprot.c
@@ -441,7 +441,7 @@ NTSTATUS smbd_smb2_request_process_negprot(struct
smbd_smb2_request *req)
req->preauth = &req->xconn->smb2.preauth;
}
- if (in_cipher != NULL) {
+ if ((capabilities & SMB2_CAP_ENCRYPTION) && (in_cipher != NULL)) {
size_t needed = 2;
uint16_t cipher_count;
const uint8_t *p;
diff --git a/source3/smbd/smb2_tcon.c b/source3/smbd/smb2_tcon.c
index 61e2a36..5330fc3 100644
--- a/source3/smbd/smb2_tcon.c
+++ b/source3/smbd/smb2_tcon.c
@@ -268,7 +268,8 @@ static NTSTATUS smbd_smb2_tree_connect(struct
smbd_smb2_request *req,
}
if ((lp_smb_encrypt(snum) >= SMB_SIGNING_DESIRED) &&
- (conn->smb2.client.capabilities & SMB2_CAP_ENCRYPTION)) {
+ (conn->smb2.server.cipher != 0))
+ {
encryption_desired = true;
}
--
Samba Shared Repository
