[cifs-protocol] [REG:115100613235242] Send oplock breaks unencrypted, as lease breaks are sent plain?

Edgar Olougouna edgaro at microsoft.com
Tue Oct 6 20:33:57 UTC 2015


t.cmd attached for Windows 8 +

From: Edgar Olougouna
Sent: Tuesday, October 6, 2015 3:32 PM
To: 'Volker.Lendecke at SerNet.DE' <Volker.Lendecke at SerNet.DE>
Cc: MSSolve Case Email <casemail at microsoft.com>; cifs-protocol at lists.samba.org
Subject: RE: [REG:115100613235242] [cifs-protocol] Send oplock breaks unencrypted, as lease breaks are sent plain?

What I am presuming is that the encrypted lease break notification packet is being silently dropped. [MS-SMB2] "3.3.4.7 Object Store Indicates a Lease Break" says "The message SHOULD NOT be signed." If all Windows versions have a consistent behavior, we could add another statement that it SHOULD NOT be encrypted. Lease keys are not tied to a particular session from the client. So technically there is no specific encryption key for that message.
Please collect ETW with (t.cmd) and a network trace so I can have a further look. With ETW captured with t.cmd I can use private symbols and hopefully see more details.


RE: "When taking fresh traces, do you have a hint for me how I can instrument the client what it does or does not see?"

----------------------
For your own troubleshooting, starting from Windows 8, there are inbox built-in provider manifests that Message Analyzer can leverage to see SMB ETWs.
- Open an elevated command prompt (run as administrator)
netsh trace start capture=yes tracefile=c:\NetTrace.etl provider="Microsoft-Windows-SMBClient" keywords=0xffffffffffffffff level=0xff
netsh trace stop
Open the etl file with Message Analyzer.
Microsoft Message Analyzer http://www.microsoft.com/en-us/download/details.aspx?id=44226
Add a filter based on the SMB2 OPLOCK_BREAK (SMB2.Header.Command == 0x12), and click Remove to look at all ETW events before the Lease break notification. You may see WSK receive or SMB receive ETWs. Inspect log events and see if it helps.


RE: "Also, do you have a hint how I can make a Windows box acting as a server for encrypted SMB3 not offer leases but only oplocks, make a matching client not request leases?"

----------------------

DisableLeasing registry key can be used to turn off/on leasing (but that is not recommended on production platforms given the performance impact).

HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\DisableLeasing
Here is the article on disabling leasing:
https://support.microsoft.com/en-us/kb/2957623

1. Disable the leasing on the file server. To do this, run the following command:
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v DisableLeasing /t REG_DWORD /d 1 /f
2. Restart the file server, or restart the server service. To restart the service, run the following commands:
NET STOP SERVER
NET START SERVER

== Instructions for t.cmd ETW ==
Save the script with a "cmd" suffix, and collect the traces on Windows as follows.
- Open an elevated command prompt (run as administrator)
- Start SMB ETW capture on client or server:
      Windows client: t.cmd clion
      Windows server: t.cmd srvon
- Start network captures (Netmon or Message Analyzer capture)
- Reproduce the issue
- Stop SMB ETW capture:
      Windows client: t.cmd clioff
      Windows server: t.cmd srvoff
      (this will create an output t.cab file)
- Stop and save network captures

Upload the traces (network traces, t.cab) to the workspace.

=== Using message analyzer to collect SMB ETW ===
Just a reference, I presume you are already familiar with MA.
Microsoft Message Analyzer Operating Guide
https://technet.microsoft.com/en-us/library/jj649776.aspx

Message Analyzer > New Session > Live Trace, Trace Scenario > drop-down "Select a trace scenario" and pick "SMB2 Client Full Details"
Click configure
Level: verbose
Keywords(Any): select every possible option
Keywords(All): 0x0

Start the trace.

Thanks,
Edgar





-----Original Message-----
From: Volker Lendecke [mailto:Volker.Lendecke at SerNet.DE]
Sent: Tuesday, October 6, 2015 1:19 PM
To: Edgar Olougouna <edgaro at microsoft.com>
Cc: MSSolve Case Email <casemail at microsoft.com>; cifs-protocol at lists.samba.org
Subject: Re: [REG:115100613235242] [cifs-protocol] Send oplock breaks unencrypted, as lease breaks are sent plain?

On Tue, Oct 06, 2015 at 04:32:25PM +0000, Edgar Olougouna wrote:
> Please find the following details in this blog. If the specific test
> case is not covered in the blog, please send me a network trace and
> the Windows version.

I'll provide the network traces tomorrow.

The required behaviour seems to be covered well in the blog, thanks for that.

However, then Windows 8 (I'll provide tomorrow if 8 or 8.1) is buggy. Samba does not get an oplock break reply if we send the break indication encrypted. If we send the very same oplock break indication unencrypted, everything works fine.

When taking fresh traces, do you have a hint for me how I can instrument the client what it does or does not see?

Also, do you have a hint how I can make a Windows box acting as a server for encrypted SMB3 not offer leases but only oplocks, make a matching client not request leases?

Volker



> Encryption in SMB 3.0: A protocol perspective
> http://blogs.msdn.com/b/openspecification/archive/2012/10/05/encryption-in-smb-3-0-a-protocol-perspective.aspx
>
> Oplock and Lease Breaks
>
> Oplock break notifications/acknowledgments/responses must be encrypted when encryption is active. For an Oplock, the FileID is used to derive the SessionId which is set in the notification/acknowledgement/response. See more details in MS-SMB2.
> Lease break notifications - sent by the server - do not have a SessionId, and as a result, are neither signed nor encrypted.  Lease keys are not tied to a particular session from the client.
> However, Lease break acknowledgements sent by the client - and their responses sent by the server - must be encrypted when encryption is active. The client is responsible for selecting a session associated with one of the existing opens associated with that Lease Key. The response is sent on the session that receives the acknowledgment.
>
> Encryption clauses
>
> The sender encrypts the message if any of the following conditions is satisfied:
> - If the sender is sending a response to an encrypted request.
> - If Session.EncryptData is TRUE and the request or response being sent is not NEGOTIATE.
> - If Session.EncryptData is FALSE, the request or response being sent is not NEGOTIATE or SESSION_SETUP or TREE_CONNECT, and <TreeConnect|Share>.EncryptData is TRUE.
>
> Note: TreeConnect.EncryptData is on the client side. Share.EncryptData is on the server side.
>
> Review of encryption clauses
>
> - All clauses exclude any operation which does use a SessionId. A SessionId is needed to find the Session object and derive the encryption and decryption keys from its session key. For example, if the client sends a non-encrypted ECHO, Windows 8 server will respond with a non-encrypted response.
> - Clause "response to an encrypted request": if the sender encrypts the request, the receiver will respond in the same way by encrypting the response. There is however a prerequisite that encryption is active, i.e. encryption keys have been generated. For example, if the client encrypts an ECHO, Windows 8 server responds in-kind by encrypting the response.
> - Clause "Session.EncryptData is TRUE": SMB 3 session setup encryption goes as follows:
>   - Initial session setup messages are un-encrypted as there is no session object (key etc).
>   - Session binding requests must be signed, but not encrypted. Note:  Windows-based server does not encrypt session setup responses for session binding, regardless whether the client encrypts the session binding request. On the other side, Windows client does not encrypt session binding requests when Session.EncryptData is TRUE.
>   - Spontaneous re-authentication of a valid session must be encrypted, otherwise the server returns STATUS_ACCESS_DENIED.
>   - Re-authentication of an expired session is encrypted as well.
>   - For re-authentication at reconnection after a broken connection, if the client lost all of its connections to the server, then the client would reconnect and create a new session (initial session setup). If the client lost some of its connections but not all, then the client would reconnect and bind to the existing session (session setup binding).
> - Clause "Session.EncryptData is FALSE and <TreeConnect|Share>.EncryptData is TRUE":
>   If the client performs TREE_DISCONNECT before a LOGOFF, the logoff will not be encrypted.
>
> Thanks,
> Edgar
>
> -----Original Message-----
> From: Edgar Olougouna
> Sent: Tuesday, October 6, 2015 11:17 AM
> To: Volker.Lendecke at SerNet.DE
> Cc: MSSolve Case Email <casemail at microsoft.com>; cifs-protocol at lists.samba.org
> Subject: RE: [REG:115100613235242] [cifs-protocol] Send oplock breaks unencrypted, as lease breaks are sent plain?
>
> Volker can you please share the network trace? Is this Windows 8.1 or Windows 8?
> Thanks,
> Edgar
>
> -----Original Message-----
> From: Edgar Olougouna
> Sent: Tuesday, October 6, 2015 11:07 AM
> To: Volker.Lendecke at SerNet.DE
> Cc: MSSolve Case Email <casemail at microsoft.com>; cifs-protocol at lists.samba.org
> Subject: [REG:115100613235242] [cifs-protocol] Send oplock breaks unencrypted, as lease breaks are sent plain?
>
> [Case number in subject]
> [bcc dochelp, cc casemail]
>
> Volker,
> Glad to hear from you. We've created the case number 115100613235242 for this inquiry.
> I will look into this and follow-up soon.
>
> Thanks,
> Edgar
>
> -----Original Message-----
> From: Volker Lendecke [mailto:Volker.Lendecke at SerNet.DE]
> Sent: Tuesday, October 6, 2015 10:51 AM
> To: Interoperability Documentation Help <dochelp at microsoft.com>
> Cc: cifs-protocol at lists.samba.org
> Subject: Re: [cifs-protocol] Send oplock breaks unencrypted, as lease breaks are sent plain?
>
> On Tue, Oct 06, 2015 at 04:35:36PM +0200, Volker Lendecke wrote:
> > Hi!
> >
> > Testing leases and oplocks against Windows 8 over encrypted smb3 I
> > see that I get lease breaks in plain text, unencrypted, but oplock
> > breaks are sent encrypted by Windows 8. Samba does the same, however
> > a Windows 8 client seems very unhappy with our unencrypted oplock
> > breaks,
>                                                ^^^^^^^^^^^ obvious typo: We send oplock breaks encrypted, is what Win8 does but which seems wrong.
>
> Volker
>
>
> > it just seems not to respect them. If we modify Samba to send oplock
> > breaks unencrypted, Windows 8 client is happily downgrading the
> > oplock, everything is fine.
> >
> > Where in the documentation can I find what is correct? And, where is
> > the bug? Client or server?
> >
> > If required, I can provide network traces.
> >
> > With best regards,
> >
> > Volker Lendecke
> >
> > --
> > SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
> > phone: +49-551-370000-0, fax: +49-551-370000-9 AG Göttingen, HRB
> > 2816,
> > GF: Dr. Johannes Loxen
> > http://www.sernet.de, mailto:kontakt at sernet.de
> >
> > _______________________________________________
> > cifs-protocol mailing list
> > cifs-protocol at lists.samba.org
> > https://lists.samba.org/mailman/listinfo/cifs-protocol
>
> --
> SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
> phone: +49-551-370000-0, fax: +49-551-370000-9 AG Göttingen, HRB 2816,
> GF: Dr. Johannes Loxen
> http://www.sernet.de, mailto:kontakt at sernet.de
>

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9 AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen http://www.sernet.de, mailto:kontakt at sernet.de
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: t.cmd_win8.txt
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20151006/8e0f5367/t.cmd_win8-0001.txt>
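
A way to check frames from a network trace against the blog text quoted in this thread, as an added example that is not part of the original messages: it tells oplock and lease break notifications apart (both use command 0x12) by the body StructureSize and reports whether a frame is wrapped in an SMB2 TRANSFORM_HEADER. Field offsets follow the MS-SMB2 header layout; the function names and the sample frames are constructed for illustration.

```python
import struct

SMB2_MAGIC, TRANSFORM_MAGIC = b"\xfeSMB", b"\xfdSMB"
SMB2_OPLOCK_BREAK = 0x12           # command selected by the Message Analyzer filter
FLAG_SERVER_TO_REDIR, FLAG_SIGNED = 0x1, 0x8
UNSOLICITED = 0xFFFFFFFFFFFFFFFF   # MessageId of server-initiated notifications
BREAK_KINDS = {24: "oplock break", 44: "lease break"}  # keyed by body StructureSize

def classify(msg: bytes) -> dict:
    """Classify one SMB2 message (transport length prefix already stripped)."""
    if msg[:4] == TRANSFORM_MAGIC:
        if len(msg) < 52:
            raise ValueError("truncated transform header")
        # Only the SessionId is readable; the command sits inside the ciphertext.
        (session_id,) = struct.unpack_from("<Q", msg, 44)
        return {"encrypted": True, "session_id": session_id, "kind": "encrypted"}
    if msg[:4] != SMB2_MAGIC or len(msg) < 66:
        raise ValueError("not a complete SMB2 message")
    command, = struct.unpack_from("<H", msg, 12)
    flags, = struct.unpack_from("<I", msg, 16)
    message_id, = struct.unpack_from("<Q", msg, 24)
    session_id, = struct.unpack_from("<Q", msg, 40)
    body_size, = struct.unpack_from("<H", msg, 64)
    kind = "other"
    if command == SMB2_OPLOCK_BREAK:
        kind = BREAK_KINDS.get(body_size, "unknown break")
        if flags & FLAG_SERVER_TO_REDIR and message_id == UNSOLICITED:
            kind += " notification"
    return {"encrypted": False, "signed": bool(flags & FLAG_SIGNED),
            "session_id": session_id, "kind": kind}

def deviates_from_quoted_blog(info: dict, encryption_active: bool) -> bool:
    """Compare a cleartext break notification with the blog text quoted in the thread."""
    if info["kind"] == "lease break notification":
        return info["signed"]        # blog: neither signed nor encrypted
    if info["kind"] == "oplock break notification":
        return encryption_active     # blog: encrypted when encryption is active
    return False

def build_plain(body: bytes, flags: int = FLAG_SERVER_TO_REDIR) -> bytes:
    """Constructed sample: 64-byte SMB2 header for command 0x12, then the body."""
    return struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, 64, 0, 0, SMB2_OPLOCK_BREAK,
                       0, flags, 0, UNSOLICITED, 0, 0, 0, bytes(16)) + body

# Constructed frames, not taken from the traces discussed in the thread.
LEASE_BREAK = build_plain(struct.pack("<HHI16s5I", 44, 1, 0, b"K" * 16, 7, 3, 0, 0, 0))
OPLOCK_BREAK = build_plain(struct.pack("<HBBI16s", 24, 0, 0, 0, b"F" * 16))
ENCRYPTED = TRANSFORM_MAGIC + bytes(32) + struct.pack("<IHHQ", 88, 0, 1, 0x1234) + bytes(88)
```

An encrypted frame can only be attributed to a session, so matching it to a specific break requires decrypting the trace or correlating it with the ETW events collected above.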

