The branch, v4-4-test has been updated via 946a4de vfs_fruit: checks wrong AAPL config state and so always uses readdirattr via 0c0b893 selftest/Samba3: use "server min protocol = SMB3_00" for "ktest" via 36e2d39 s3:smbd: allow "server min protocol = SMB3_00" to go via "SMB 2.???" negprot via 6bf5ed9 selftest: add test for global "smb encrypt=off" via caab54e selftest: disable SMB encryption in simpleserver environment via 22d5d32 docs: impact of a global "smb encrypt=off" on a share with "smb encrypt=required" via ce51a27 s3/smbd: ensure global "smb encrypt = off" is effective for share with "smb encrypt = desired" via 3805e2f s3/smbd: ensure global "smb encrypt = off" is effective for SMB 3.1.1 clients via 080ce6e s3/smbd: ensure global "smb encrypt = off" is effective for SMB 1 clients from efd9c8a Merge tag 'samba-4.4.9' into v4-4-test
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-4-test - Log ----------------------------------------------------------------- commit 946a4dec22c41ded23d80bb541fd88e1a7a94984 Author: Ralph Boehme <s...@samba.org> Date: Thu Jan 26 11:49:55 2017 +0100 vfs_fruit: checks wrong AAPL config state and so always uses readdirattr readdirattr should only be enabled if the client enables it via AAPL negotitiation, not for all clients when vfs_fruit is loaded. Unfortunately the check in fruit_readdir_attr() is if (!config->use_aapl) { return SMB_VFS_NEXT_READDIR_ATTR(handle, fname, mem_ctx, pattr_data); } This uses the wrong config state "use_aapl" which is always true by default (config option "fruit:aapl"). We must use "nego_aapl" instead which is only true if the client really negotiated this feature. Bug: https://bugzilla.samba.org/show_bug.cgi?id=12541 Signed-off-by: Ralph Boehme <s...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> Autobuild-User(master): Jeremy Allison <j...@samba.org> Autobuild-Date(master): Sat Jan 28 01:49:11 CET 2017 on sn-devel-144 (cherry picked from commit 9a3b64a24cc21124485b423c9b70b67ff5a96f10) Autobuild-User(v4-4-test): Karolin Seeger <ksee...@samba.org> Autobuild-Date(v4-4-test): Wed Feb 1 16:27:14 CET 2017 on sn-devel-144 commit 0c0b8937b2b304731e9ac71f7ccf017bec85a590 Author: Stefan Metzmacher <me...@samba.org> Date: Wed Jan 25 21:15:44 2017 +0100 selftest/Samba3: use "server min protocol = SMB3_00" for "ktest" This verifies that clients can still connect with that setting. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12540 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> Autobuild-User(master): Stefan Metzmacher <me...@samba.org> Autobuild-Date(master): Fri Jan 27 12:03:39 CET 2017 on sn-devel-144 (cherry picked from commit 348bcca76855798d60c04ddb30f1e13b2ac2d7cd) commit 36e2d3905d895abb75a46836f58f23fffb9aac50 Author: Stefan Metzmacher <me...@samba.org> Date: Wed Jan 18 08:37:30 2017 +0100 s3:smbd: allow "server min protocol = SMB3_00" to go via "SMB 2.???" negprot BUG: https://bugzilla.samba.org/show_bug.cgi?id=12540 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> (cherry picked from commit c207f2a989fc791b5f9bf9043d3c6ac31db5cdfd) commit 6bf5ed9e39981d26ef22ecdb63ca9289f990903a Author: Ralph Boehme <s...@samba.org> Date: Wed Jan 18 16:23:40 2017 +0100 selftest: add test for global "smb encrypt=off" Test various combinations of having encryption globally turned off and enabled (desired/required) on a share, with SMB1 UNIX Extensions and SMB3. Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520 Signed-off-by: Ralph Boehme <s...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> (cherry picked from commit 21d030e5bdf7dc6ef8d5f4e70bed7e70b731cd15) commit caab54e5c42a60a9ef395c0721271e706e7864b6 Author: Ralph Boehme <s...@samba.org> Date: Tue Jan 17 17:23:51 2017 +0100 selftest: disable SMB encryption in simpleserver environment Encryption is currently not tested in this env so we can safely turn it off. The next commit will add a blackbox tests that test combinations of having encryption globally turned off and enabled (desired/required) on a share. This also adds a new share "enc_desired" with "smb encrypt = desired" which will be used by the test in the next commit. Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520 Signed-off-by: Ralph Boehme <s...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> (cherry picked from commit 573e8e15b3ed27d6b593e635e9c24eea3fdf4fb9) commit 22d5d3241de4559c4101381f9f1345612aab25d8 Author: Ralph Boehme <s...@samba.org> Date: Mon Jan 16 15:45:32 2017 +0100 docs: impact of a global "smb encrypt=off" on a share with "smb encrypt=required" Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520 Signed-off-by: Ralph Boehme <s...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> (cherry picked from commit f8d937b331ac985264c76d76b447683fc494d38a) commit ce51a27da3b14bfdbd5e7ff1ddc6cee224cf3b02 Author: Ralph Boehme <s...@samba.org> Date: Mon Jan 16 12:56:10 2017 +0100 s3/smbd: ensure global "smb encrypt = off" is effective for share with "smb encrypt = desired" If encryption is disabled globally, per definition we shouldn't allow enabling encryption on individual shares. The behaviour of specifying [Global] smb encrypt = off [share] smb encrypt = desired must be an unecrypted tree connect to the share "share". Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520 Signed-off-by: Ralph Boehme <s...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> (cherry picked from commit b0b418c22558fa1df547df9bdac2642343ac39e1) commit 3805e2ff50c2cc5981ee291f4e6cc8ddc6469ba2 Author: Ralph Boehme <s...@samba.org> Date: Thu Jan 5 12:14:35 2017 +0100 s3/smbd: ensure global "smb encrypt = off" is effective for SMB 3.1.1 clients If encryption is disabled globally, per definition we shouldn't allow enabling encryption on individual shares. The behaviour of setting [Global] smb encrypt = off [share] smb encrypt = required must be to completely deny access to the share "share". This was working correctly for clients when using SMB 3 dialects < 3.1.1, but not for 3.1.1 with a negprot encryption context. Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520 Signed-off-by: Ralph Boehme <s...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> (cherry picked from commit 6ae63d42f5aacddf5b7b6dbdfbe620344989e4e5) commit 080ce6e3fc243c98b386dfe7d5ff7e9b12814fc5 Author: Ralph Boehme <s...@samba.org> Date: Wed Jan 18 16:19:15 2017 +0100 s3/smbd: ensure global "smb encrypt = off" is effective for SMB 1 clients If encryption is disabled globally, per definition we shouldn't allow enabling encryption on individual shares. The behaviour of setting [Global] smb encrypt = off [share_required] smb encrypt = required [share_desired] smb encrypt = desired must be to completely deny access to the share "share_required" and an unencrypted connection to "share_desired". Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520 Signed-off-by: Ralph Boehme <s...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> (cherry picked from commit 43a90cee46bb7a70f7973c4fc51eee7634e43145) ----------------------------------------------------------------------- Summary of changes: docs-xml/smbdotconf/security/smbencrypt.xml | 6 +- selftest/target/Samba3.pm | 8 +++ source3/modules/vfs_fruit.c | 2 +- .../script/tests/test_smbclient_encryption_off.sh | 65 ++++++++++++++++++++++ source3/selftest/tests.py | 11 +++- source3/smbd/negprot.c | 23 +++++++- source3/smbd/service.c | 12 ++++ source3/smbd/smb2_negprot.c | 2 +- source3/smbd/smb2_tcon.c | 3 +- 9 files changed, 125 insertions(+), 7 deletions(-) create mode 100755 source3/script/tests/test_smbclient_encryption_off.sh Changeset truncated at 500 lines: diff --git a/docs-xml/smbdotconf/security/smbencrypt.xml b/docs-xml/smbdotconf/security/smbencrypt.xml index 0f08966..32a22cb 100644 --- a/docs-xml/smbdotconf/security/smbencrypt.xml +++ b/docs-xml/smbdotconf/security/smbencrypt.xml @@ -180,7 +180,11 @@ <listitem> <para> Setting it to <emphasis>off</emphasis> globally will - completely disable the encryption feature. + completely disable the encryption feature for all + connections. Setting <parameter>smb encrypt = + required</parameter> for individual shares (while it's + globally off) will deny access to this shares for all + clients. </para> </listitem> diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index 5e62cf1..4596a0a 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -547,6 +547,7 @@ sub setup_simpleserver($$) lanman auth = yes vfs objects = xattr_tdb streams_depot change notify = no + smb encrypt = off [vfs_aio_fork] path = $prefix_abs/share @@ -560,6 +561,11 @@ sub setup_simpleserver($$) store dos attributes = yes hide files = /hidefile/ hide dot files = yes + +[enc_desired] + path = $prefix_abs/share + vfs objects = + smb encrypt = desired "; my $vars = $self->provision($path, @@ -742,6 +748,8 @@ sub setup_ktest($$$) security = ads username map = $prefix/lib/username.map server signing = required + server min protocol = SMB3_00 + client max protocol = SMB3 "; my $ret = $self->provision($prefix, diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c index 89e9412..ecd150e 100644 --- a/source3/modules/vfs_fruit.c +++ b/source3/modules/vfs_fruit.c @@ -3496,7 +3496,7 @@ static NTSTATUS fruit_readdir_attr(struct vfs_handle_struct *handle, struct fruit_config_data, return NT_STATUS_UNSUCCESSFUL); - if (!config->use_aapl) { + if (!config->nego_aapl) { return SMB_VFS_NEXT_READDIR_ATTR(handle, fname, mem_ctx, pattr_data); } diff --git a/source3/script/tests/test_smbclient_encryption_off.sh b/source3/script/tests/test_smbclient_encryption_off.sh new file mode 100755 index 0000000..467a4ee --- /dev/null +++ b/source3/script/tests/test_smbclient_encryption_off.sh @@ -0,0 +1,65 @@ +#!/bin/sh + +if [ $# -lt 4 ]; then +cat <<EOF +Usage: test_smbclient_encryption_off.sh USERNAME PASSWORD SERVER SMBCLIENT +EOF +exit 1; +fi + +USERNAME="$1" +PASSWORD="$2" +SERVER="$3" +SMBCLIENT="$VALGRIND $4" + +incdir=`dirname $0`/../../../testprogs/blackbox +. $incdir/subunit.sh + +failed=0 + +# +# Let me introduce you to the shares used in this test: +# +# "tmp" has the default "smb encrypt" (which is "enabled") +# "tmpenc" has "smb encrypt = required" +# "enc_desired" has "smb encrypt = desired" +# + +# Unencrypted connections should work of course, let's test em to be sure... + +# SMB1 +testit "smbclient //$SERVER/enc_desired" $SMBCLIENT -U $USERNAME%$PASSWORD //$SERVER/enc_desired -c quit || failed=`expr $failed + 1` +testit "smbclient //$SERVER/tmp" $SMBCLIENT -U $USERNAME%$PASSWORD //$SERVER/tmp -c quit || failed=`expr $failed + 1` +# SMB3_02 +testit "smbclient -m smb3_02 //$SERVER/enc_desired" $SMBCLIENT -m smb3_02 -U $USERNAME%$PASSWORD //$SERVER/enc_desired -c quit || failed=`expr $failed + 1` +testit "smbclient -m smb3_02 //$SERVER/tmp" $SMBCLIENT -m smb3_02 -U $USERNAME%$PASSWORD //$SERVER/tmp -c quit || failed=`expr $failed + 1` +# SMB3_11 +testit "smbclient -m smb3_11 //$SERVER/enc_desired" $SMBCLIENT -m smb3_11 -U $USERNAME%$PASSWORD //$SERVER/enc_desired -c quit || failed=`expr $failed + 1` +testit "smbclient -m smb3_11 //$SERVER/tmp" $SMBCLIENT -m smb3_11 -U $USERNAME%$PASSWORD //$SERVER/tmp -c quit || failed=`expr $failed + 1` + +# These tests must fail, as encryption is globally off and in combination with "smb +# encrypt=required" on the share "tmpenc" the server *must* reject the tcon. + +# SMB1 +testit_expect_failure "smbclient //$SERVER/tmpenc" $SMBCLIENT -U $USERNAME%$PASSWORD //$SERVER/tmpenc -c quit && failed=`expr $failed + 1` +testit_expect_failure "smbclient -e //$SERVER/tmpenc" $SMBCLIENT -e -U $USERNAME%$PASSWORD //$SERVER/tmpenc -c quit && failed=`expr $failed + 1` +# SMB3_02 +testit_expect_failure "smbclient -m smb3_02 //$SERVER/tmpenc" $SMBCLIENT -m smb3_02 -U $USERNAME%$PASSWORD //$SERVER/tmpenc -c quit && failed=`expr $failed + 1` +testit_expect_failure "smbclient -e -m smb3_02 //$SERVER/tmpenc" $SMBCLIENT -e -m smb3_02 -U $USERNAME%$PASSWORD //$SERVER/tmpenc -c quit && failed=`expr $failed + 1` +# SMB3_11 +testit_expect_failure "smbclient -m smb3_11 //$SERVER/tmpenc" $SMBCLIENT -m smb3_11 -U $USERNAME%$PASSWORD //$SERVER/tmpenc -c quit && failed=`expr $failed + 1` +testit_expect_failure "smbclient -e -m smb3_11 //$SERVER/tmpenc" $SMBCLIENT -e -m smb3_11 -U $USERNAME%$PASSWORD //$SERVER/tmpenc -c quit && failed=`expr $failed + 1` + +# These tests must fail, as the client requires encryption and it's off on the server + +# SMB1 +testit_expect_failure "smbclient -e //$SERVER/enc_desired" $SMBCLIENT -e -U $USERNAME%$PASSWORD //$SERVER/enc_desired -c quit && failed=`expr $failed + 1` +testit_expect_failure "smbclient -e //$SERVER/tmp" $SMBCLIENT -e -U $USERNAME%$PASSWORD //$SERVER/tmp -c quit && failed=`expr $failed + 1` +# SMB3_02 +testit_expect_failure "smbclient -e -m smb3_02 //$SERVER/enc_desired" $SMBCLIENT -e -m smb3_02 -U $USERNAME%$PASSWORD //$SERVER/enc_desired -c quit && failed=`expr $failed + 1` +testit_expect_failure "smbclient -e -m smb3_02 //$SERVER/tmp" $SMBCLIENT -e -m smb3_02 -U $USERNAME%$PASSWORD //$SERVER/tmp -c quit && failed=`expr $failed + 1` +# SMB3_11 +testit_expect_failure "smbclient -e -m smb3_11 //$SERVER/enc_desired" $SMBCLIENT -e -m smb3_11 -U $USERNAME%$PASSWORD //$SERVER/enc_desired -c quit && failed=`expr $failed + 1` +testit_expect_failure "smbclient -e -m smb3_11 //$SERVER/tmp" $SMBCLIENT -e -m smb3_11 -U $USERNAME%$PASSWORD //$SERVER/tmp -c quit && failed=`expr $failed + 1` + +testok $0 $failed diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py index e389fae..ae0d955 100755 --- a/source3/selftest/tests.py +++ b/source3/selftest/tests.py @@ -431,8 +431,12 @@ for s in signseal_options: # We should try more combinations in future, but this is all # the pre-calculated credentials cache supports at the moment + # + # As the ktest env requires SMB3_00 we need to use "smb2" until + # dcerpc client code in smbtorture support autonegotiation + # of any smb dialect. e = "" - a = "" + a = "smb2" binding_string = "ncacn_np:$SERVER[%s%s%s]" % (a, s, e) options = binding_string + " -k yes --krb5-ccache=$PREFIX/ktest/krb5_ccache-2" plansmbtorture4testsuite(test, "ktest", options, 'krb5 with old ccache ncacn_np with [%s%s%s] ' % (a, s, e)) @@ -472,6 +476,11 @@ plantestsuite("samba3.blackbox.rpcclient.pw-nt-hash", "simpleserver", "$USERNAME", "$PASSWORD", "$SERVER", os.path.join(bindir(), "rpcclient")]) +plantestsuite("samba3.blackbox.smbclient.encryption_off", "simpleserver", + [os.path.join(samba3srcdir, "script/tests/test_smbclient_encryption_off.sh"), + "$USERNAME", "$PASSWORD", "$SERVER", + smbclient3]) + options_list = ["", "-e"] for options in options_list: plantestsuite("samba3.blackbox.smbclient_krb5 old ccache %s" % options, "ktest:local", diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c index d2e5e2e..793306a 100644 --- a/source3/smbd/negprot.c +++ b/source3/smbd/negprot.c @@ -544,6 +544,8 @@ void reply_negprot(struct smb_request *req) struct smbXsrv_connection *xconn = req->xconn; struct smbd_server_connection *sconn = req->sconn; bool signing_required = true; + int max_proto; + int min_proto; START_PROFILE(SMBnegprot); @@ -688,11 +690,28 @@ void reply_negprot(struct smb_request *req) FLAG_MSG_GENERAL|FLAG_MSG_SMBD |FLAG_MSG_PRINT_GENERAL); + /* + * Anything higher than PROTOCOL_SMB2_10 still + * needs to go via "SMB 2.???", which is marked + * as PROTOCOL_SMB2_10. + * + * The real negotiation happens via reply_smb20ff() + * using SMB2 Negotiation. + */ + max_proto = lp_server_max_protocol(); + if (max_proto > PROTOCOL_SMB2_10) { + max_proto = PROTOCOL_SMB2_10; + } + min_proto = lp_server_min_protocol(); + if (min_proto > PROTOCOL_SMB2_10) { + min_proto = PROTOCOL_SMB2_10; + } + /* Check for protocols, most desirable first */ for (protocol = 0; supported_protocols[protocol].proto_name; protocol++) { i = 0; - if ((supported_protocols[protocol].protocol_level <= lp_server_max_protocol()) && - (supported_protocols[protocol].protocol_level >= lp_server_min_protocol())) + if ((supported_protocols[protocol].protocol_level <= max_proto) && + (supported_protocols[protocol].protocol_level >= min_proto)) while (i < num_cliprotos) { if (strequal(cliprotos[i],supported_protocols[protocol].proto_name)) { choice = i; diff --git a/source3/smbd/service.c b/source3/smbd/service.c index 0c70250..8c6d140 100644 --- a/source3/smbd/service.c +++ b/source3/smbd/service.c @@ -584,6 +584,18 @@ static NTSTATUS make_connection_snum(struct smbXsrv_connection *xconn, conn->short_case_preserve = lp_short_preserve_case(snum); conn->encrypt_level = lp_smb_encrypt(snum); + if (conn->encrypt_level > SMB_SIGNING_OFF) { + if (lp_smb_encrypt(-1) == SMB_SIGNING_OFF) { + if (conn->encrypt_level == SMB_SIGNING_REQUIRED) { + DBG_ERR("Service [%s] requires encryption, but " + "it is disabled globally!\n", + lp_servicename(talloc_tos(), snum)); + status = NT_STATUS_ACCESS_DENIED; + goto err_root_exit; + } + conn->encrypt_level = SMB_SIGNING_OFF; + } + } conn->veto_list = NULL; conn->hide_list = NULL; diff --git a/source3/smbd/smb2_negprot.c b/source3/smbd/smb2_negprot.c index 9c03b2c..007be6b 100644 --- a/source3/smbd/smb2_negprot.c +++ b/source3/smbd/smb2_negprot.c @@ -429,7 +429,7 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req) req->preauth = &req->xconn->smb2.preauth; } - if (in_cipher != NULL) { + if ((capabilities & SMB2_CAP_ENCRYPTION) && (in_cipher != NULL)) { size_t needed = 2; uint16_t cipher_count; const uint8_t *p; diff --git a/source3/smbd/smb2_tcon.c b/source3/smbd/smb2_tcon.c index 61e2a36..5330fc3 100644 --- a/source3/smbd/smb2_tcon.c +++ b/source3/smbd/smb2_tcon.c @@ -268,7 +268,8 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req, } if ((lp_smb_encrypt(snum) >= SMB_SIGNING_DESIRED) && - (conn->smb2.client.capabilities & SMB2_CAP_ENCRYPTION)) { + (conn->smb2.server.cipher != 0)) + { encryption_desired = true; } -- Samba Shared Repository