[SCM] Samba Shared Repository - branch v4-6-test updated

Karolin Seeger kseeger at samba.org
Wed Feb 1 15:50:02 UTC 2017


The branch, v4-6-test has been updated
       via  de82686 docs: Improve description of "unix_primary_group" parameter in idmap_ad manpage
       via  5be0e74 vfs_fruit: checks wrong AAPL config state and so always uses readdirattr
       via  2f981c3 selftest/Samba3: use "server min protocol = SMB3_00" for "ktest"
       via  9dd155e s3:smbd: allow "server min protocol = SMB3_00" to go via "SMB 2.???" negprot
       via  25ff2b7 s3/rpc_server: move rpc_modules.c to its own subsystem
       via  edbffe9 selftest: add test for global "smb encrypt=off"
       via  227d16c selftest: disable SMB encryption in simpleserver environment
       via  d2cf308 docs: impact of a global "smb encrypt=off" on a share with "smb encrypt=required"
       via  1231b71 s3/smbd: ensure global "smb encrypt = off" is effective for share with "smb encrypt = desired"
       via  e138848 s3/smbd: ensure global "smb encrypt = off" is effective for SMB 3.1.1 clients
       via  4f1ac97 s3/smbd: ensure global "smb encrypt = off" is effective for SMB 1 clients
       via  a6fd161 s3/rpc_server: shared rpc modules loading
      from  1f2ebda VERSION: Bump version up to 4.6.0rc3...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-6-test


- Log -----------------------------------------------------------------
commit de8268609960ef3e6191a912ba73fe5aa4d256cf
Author: John Mulligan <jmulligan at nasuni.com>
Date:   Fri Jan 13 07:33:01 2017 +0100

    docs: Improve description of "unix_primary_group" parameter in idmap_ad manpage
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12542
    
    Signed-off-by: John Mulligan <jmulligan at nasuni.com>
    Reviewed-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    
    Autobuild-User(master): Ralph Böhme <slow at samba.org>
    Autobuild-Date(master): Fri Jan 27 20:58:18 CET 2017 on sn-devel-144
    
    (cherry picked from commit f605332e1b87d87e0c454bcae2a374013d3ebf82)
    
    Autobuild-User(v4-6-test): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(v4-6-test): Wed Feb  1 16:49:18 CET 2017 on sn-devel-144

commit 5be0e742a9216e6e45ea8aa60315c09b5a0d497a
Author: Ralph Boehme <slow at samba.org>
Date:   Thu Jan 26 11:49:55 2017 +0100

    vfs_fruit: checks wrong AAPL config state and so always uses readdirattr
    
    readdirattr should only be enabled if the client enables it via AAPL
    negotiation, not for all clients when vfs_fruit is loaded.
    
    Unfortunately the check in fruit_readdir_attr() is
    
      if (!config->use_aapl) {
        return SMB_VFS_NEXT_READDIR_ATTR(handle, fname, mem_ctx, pattr_data);
      }
    
    This uses the wrong config state "use_aapl" which is always true by
    default (config option "fruit:aapl").
    
    We must use "nego_aapl" instead which is only true if the client
    really negotiated this feature.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12541
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Sat Jan 28 01:49:11 CET 2017 on sn-devel-144
    
    (cherry picked from commit 9a3b64a24cc21124485b423c9b70b67ff5a96f10)

commit 2f981c3d1b96a22136370edb4d1d6dfe747ebd3a
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jan 25 21:15:44 2017 +0100

    selftest/Samba3: use "server min protocol = SMB3_00" for "ktest"
    
    This verifies that clients can still connect with that setting.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12540
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Fri Jan 27 12:03:39 CET 2017 on sn-devel-144
    
    (cherry picked from commit 348bcca76855798d60c04ddb30f1e13b2ac2d7cd)

commit 9dd155eb5752f4cd573620b787bf7a97cd10f774
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jan 18 08:37:30 2017 +0100

    s3:smbd: allow "server min protocol = SMB3_00" to go via "SMB 2.???" negprot
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12540
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit c207f2a989fc791b5f9bf9043d3c6ac31db5cdfd)

commit 25ff2b7c2e74cf8cfc7b9f25375ef73cc742b9cf
Author: Ralph Boehme <slow at samba.org>
Date:   Mon Jan 16 12:24:54 2017 +0100

    s3/rpc_server: move rpc_modules.c to its own subsystem
    
    The source file rpc_modules.c was used in two places which led to the
    following build error when configuring with '--nonshared-binary=smbd/smbd':
    
      ERROR: source source3/rpc_server/rpc_modules.c is in more than one
      subsystem of target 'smbd/smbd': ['RPC_SERVICE', 'MDSSD']
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12524
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Noel Power <nopower at suse.com>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Fri Jan 20 15:00:45 CET 2017 on sn-devel-144
    
    (cherry picked from commit be8e90f27a70f3ba8d708e984cf7b2a34e8c2628)

commit edbffe95eb23dd23f6d8be25628deb9e8a079d32
Author: Ralph Boehme <slow at samba.org>
Date:   Wed Jan 18 16:23:40 2017 +0100

    selftest: add test for global "smb encrypt=off"
    
    Test various combinations of having encryption globally turned off and
    enabled (desired/required) on a share, with SMB1 UNIX Extensions and SMB3.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 21d030e5bdf7dc6ef8d5f4e70bed7e70b731cd15)

commit 227d16c7415da5bf3422df6fa1c2435211971b8e
Author: Ralph Boehme <slow at samba.org>
Date:   Tue Jan 17 17:23:51 2017 +0100

    selftest: disable SMB encryption in simpleserver environment
    
    Encryption is currently not tested in this env so we can safely turn it
    off. The next commit will add a blackbox test that tests combinations of
    having encryption globally turned off and enabled (desired/required) on
    a share.
    
    This also adds a new share "enc_desired" with "smb encrypt = desired"
    which will be used by the test in the next commit.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 573e8e15b3ed27d6b593e635e9c24eea3fdf4fb9)

commit d2cf308f562ccc90e27437fb0b465020394195f9
Author: Ralph Boehme <slow at samba.org>
Date:   Mon Jan 16 15:45:32 2017 +0100

    docs: impact of a global "smb encrypt=off" on a share with "smb encrypt=required"
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit f8d937b331ac985264c76d76b447683fc494d38a)

commit 1231b710a820e5ef623bd6113ed819f453770463
Author: Ralph Boehme <slow at samba.org>
Date:   Mon Jan 16 12:56:10 2017 +0100

    s3/smbd: ensure global "smb encrypt = off" is effective for share with "smb encrypt = desired"
    
    If encryption is disabled globally, per definition we shouldn't allow
    enabling encryption on individual shares.
    
    The behaviour of specifying
    
    [Global]
      smb encrypt = off
    
    [share]
      smb encrypt = desired
    
    must be an unencrypted tree connect to the share "share".
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit b0b418c22558fa1df547df9bdac2642343ac39e1)

commit e13884845698e78e437e747fed494bb2eb07a428
Author: Ralph Boehme <slow at samba.org>
Date:   Thu Jan 5 12:14:35 2017 +0100

    s3/smbd: ensure global "smb encrypt = off" is effective for SMB 3.1.1 clients
    
    If encryption is disabled globally, per definition we shouldn't allow
    enabling encryption on individual shares.
    
    The behaviour of setting
    
    [Global]
      smb encrypt = off
    
    [share]
      smb encrypt = required
    
    must be to completely deny access to the share "share".
    
    This was working correctly for clients when using SMB 3 dialects <
    3.1.1, but not for 3.1.1 with a negprot encryption context.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 6ae63d42f5aacddf5b7b6dbdfbe620344989e4e5)

commit 4f1ac976beee17cbd9aef8168b58cba020968549
Author: Ralph Boehme <slow at samba.org>
Date:   Wed Jan 18 16:19:15 2017 +0100

    s3/smbd: ensure global "smb encrypt = off" is effective for SMB 1 clients
    
    If encryption is disabled globally, per definition we shouldn't allow
    enabling encryption on individual shares.
    
    The behaviour of setting
    
    [Global]
      smb encrypt = off
    
    [share_required]
      smb encrypt = required
    
    [share_desired]
      smb encrypt = desired
    
    must be to completely deny access to the share "share_required" and an
    unencrypted connection to "share_desired".
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 43a90cee46bb7a70f7973c4fc51eee7634e43145)
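
The three commits above for bug 12520 spell out how a global "smb encrypt = off" interacts with per-share "desired" and "required". The following is an added illustration, not Samba's own code: it parses an smb.conf fragment and reproduces the decision smbd makes at tree connect (share inherits the global value; with the global off, "required" shares become unreachable and "desired" shares are silently downgraded). The ordering of the levels and the treatment of "default"/"if_required"/"auto" as a level between off and desired are assumptions; the commits only discuss off, desired and required. The sample configuration is constructed from the [Global]/[share_required]/[share_desired] snippet quoted in the commit messages.

```python
"""Effective "smb encrypt" level per share, modelled on the rules the
bug 12520 commits describe.  Added illustration, not Samba code: smbd
applies the rule in source3/smbd/service.c; this reproduces the decision
on a parsed smb.conf so every share's outcome can be checked up front."""
import configparser
from enum import IntEnum


class EncryptLevel(IntEnum):
    # Same ordering as the SMB_SIGNING_* constants smbd reuses for
    # encryption: OFF < IF_REQUIRED < DESIRED < REQUIRED.
    OFF = 0
    IF_REQUIRED = 1   # "default"/"if_required"/"auto"; assumption, the
                      # commits above only talk about off/desired/required
    DESIRED = 2
    REQUIRED = 3


_VALUES = {
    "off": EncryptLevel.OFF, "no": EncryptLevel.OFF, "false": EncryptLevel.OFF,
    "default": EncryptLevel.IF_REQUIRED, "if_required": EncryptLevel.IF_REQUIRED,
    "auto": EncryptLevel.IF_REQUIRED,
    "desired": EncryptLevel.DESIRED,
    "required": EncryptLevel.REQUIRED, "mandatory": EncryptLevel.REQUIRED,
}


def _level(raw):
    try:
        return _VALUES[raw.strip().lower()]
    except KeyError:
        raise ValueError(f"unknown 'smb encrypt' value: {raw!r}") from None


def parse_smb_conf(text):
    """Parse an smb.conf fragment into {section: {key: value}}.

    Section names are lowercased ([Global] and [global] are the same
    section to Samba) and indentation is stripped so configparser never
    mistakes an indented key for a continuation line.  interpolation=None
    keeps Samba substitutions such as %U from being interpreted.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    return {name.lower(): {k.lower(): v.strip() for k, v in cp[name].items()}
            for name in cp.sections()}


def effective_encrypt_level(conf, share):
    """EncryptLevel smbd ends up with for `share`, or None when the tree
    connect is refused (NT_STATUS_ACCESS_DENIED in service.c)."""
    global_raw = conf.get("global", {}).get("smb encrypt", "default")
    global_level = _level(global_raw)
    # A share without its own setting inherits the [global] value.
    share_level = _level(conf[share].get("smb encrypt", global_raw))
    if global_level == EncryptLevel.OFF and share_level > EncryptLevel.OFF:
        if share_level == EncryptLevel.REQUIRED:
            return None                 # unreachable for every client
        return EncryptLevel.OFF         # "desired" silently downgraded
    return share_level


def audit(conf):
    """Map every non-global share to "DENIED" or the level name."""
    result = {}
    for share in conf:
        if share == "global":
            continue
        level = effective_encrypt_level(conf, share)
        result[share] = "DENIED" if level is None else level.name
    return result


# Constructed sample mirroring the configuration quoted in the commits.
SAMPLE_OFF = """
[Global]
  smb encrypt = off

[share_required]
  smb encrypt = required

[share_desired]
  smb encrypt = desired

[tmp]
  path = /srv/tmp
"""

if __name__ == "__main__":
    for share, outcome in audit(parse_smb_conf(SAMPLE_OFF)).items():
        print(f"{share:15s} {outcome}")
```

Running it on the sample reports share_required as DENIED and both share_desired and tmp as OFF, which is exactly the behaviour the commit messages require; swapping the global line for "smb encrypt = default" makes the per-share values take effect again.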

commit a6fd161d5c295cf86f6ffe1d74c7892006275876
Author: Ralph Boehme <slow at samba.org>
Date:   Mon Jan 30 18:49:39 2017 +0100

    s3/rpc_server: shared rpc modules loading
    
    The previous commit 58889e04bd545d7420d1193e134351bd0ccb8430 for this
    bug was broken as it didn't move the goto into the "if (errno !=
    ENOENT)" condition.
    
    This updated fix folds the test "mod_init_fns == NULL" and the check for
    the errno into one if condition.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12184
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 9785fe5af6613a728a7d92c82bbc31cabbe3a0b9)

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/manpages/idmap_ad.8.xml                   | 27 ++++++---
 docs-xml/smbdotconf/security/smbencrypt.xml        |  6 +-
 selftest/target/Samba3.pm                          |  8 +++
 source3/modules/vfs_fruit.c                        |  2 +-
 source3/rpc_server/rpc_service_setup.c             | 21 +++----
 source3/rpc_server/wscript_build                   | 11 +++-
 .../script/tests/test_smbclient_encryption_off.sh  | 65 ++++++++++++++++++++++
 source3/selftest/tests.py                          | 11 +++-
 source3/smbd/negprot.c                             | 23 +++++++-
 source3/smbd/service.c                             | 12 ++++
 source3/smbd/smb2_negprot.c                        |  2 +-
 source3/smbd/smb2_tcon.c                           |  3 +-
 12 files changed, 161 insertions(+), 30 deletions(-)
 create mode 100755 source3/script/tests/test_smbclient_encryption_off.sh


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages/idmap_ad.8.xml b/docs-xml/manpages/idmap_ad.8.xml
index 58e7f52..c667695 100644
--- a/docs-xml/manpages/idmap_ad.8.xml
+++ b/docs-xml/manpages/idmap_ad.8.xml
@@ -70,23 +70,34 @@
 			For SFU 3.0 or 3.5 please choose "sfu", for SFU 2.0
 			please choose "sfu20".
 
-			Please note that primary group membership is currently always calculated
-			via the "primaryGroupID" LDAP attribute.
+			Please note that the behavior of primary group membership is
+			controlled by the <emphasis>unix_primary_group</emphasis> option.
 		</para></listitem>
 		</varlistentry>
 		<varlistentry>
 		<term>unix_primary_group = yes/no</term>
 		<listitem><para>
-		  Defines whether to retrieve the user's primary group
-		  from the SFU attributes.
-		</para></listitem>
+		  Defines whether the user's primary group is fetched from the SFU
+		  attributes or the AD primary group. If set to
+		  <parameter>yes</parameter> the primary group membership is fetched
+		  from the LDAP attributes (gidNumber).
+		  If set to <parameter>no</parameter> the primary group membership is
+		  calculated via the "primaryGroupID" LDAP attribute.
+		</para>
+		<para>Default: no</para>
+		</listitem>
 		</varlistentry>
 		<varlistentry>
 		<term>unix_nss_info = yes/no</term>
 		<listitem><para>
-		  Defines whether to retrieve the login shell and
-		  home directory from the SFU attributes.
-		</para></listitem>
+		  If set to <parameter>yes</parameter> winbind will retrieve the login
+		  shell and home directory from the LDAP attributes. If set to
+		  <parameter>no</parameter> the or the AD LDAP entry lacks the SFU
+		  attributes the options <emphasis>template shell</emphasis> and
+		  <emphasis>template homedir</emphasis> are used.
+		</para>
+		<para>Default: no</para>
+		</listitem>
 		</varlistentry>
 	</variablelist>
 </refsect1>
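
Review bot: the new unix_nss_info paragraph has a stray word in "If set to <parameter>no</parameter> the or the AD LDAP entry lacks the SFU attributes"; it should read "If set to <parameter>no</parameter>, or if the AD LDAP entry lacks the SFU attributes, the options <emphasis>template shell</emphasis> and <emphasis>template homedir</emphasis> are used." While touching it, the unix_primary_group text would be clearer if it said the gidNumber attribute of the user object is used on the "yes" path, so readers do not confuse it with the group's gidNumber.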
diff --git a/docs-xml/smbdotconf/security/smbencrypt.xml b/docs-xml/smbdotconf/security/smbencrypt.xml
index 0f08966..32a22cb 100644
--- a/docs-xml/smbdotconf/security/smbencrypt.xml
+++ b/docs-xml/smbdotconf/security/smbencrypt.xml
@@ -180,7 +180,11 @@
 			<listitem>
 			<para>
 			Setting it to <emphasis>off</emphasis> globally will
-			completely disable the encryption feature.
+			completely disable the encryption feature for all
+			connections. Setting <parameter>smb encrypt =
+			required</parameter> for individual shares (while it's
+			globally off) will deny access to this shares for all
+			clients.
 			</para>
 			</listitem>
 
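
Review bot: "will deny access to this shares" should be "these shares". More importantly the paragraph only documents the required case; the companion change in source3/smbd/service.c in this same set also downgrades shares with smb encrypt = desired to unencrypted when the global is off, so add a sentence saying that "desired" is silently ignored in that case, otherwise administrators will assume a "desired" share still encrypts for clients that can.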
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 9013652..f05eb16 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -579,6 +579,7 @@ sub setup_simpleserver($$)
 	ntlm auth = yes
 	vfs objects = xattr_tdb streams_depot time_audit full_audit
 	change notify = no
+	smb encrypt = off
 
 	full_audit:syslog = no
 	full_audit:success = none
@@ -596,6 +597,11 @@ sub setup_simpleserver($$)
 	store dos attributes = yes
 	hide files = /hidefile/
 	hide dot files = yes
+
+[enc_desired]
+	path = $prefix_abs/share
+	vfs objects =
+	smb encrypt = desired
 ";
 
 	my $vars = $self->provision($path,
@@ -791,6 +797,8 @@ sub setup_ktest($$$)
 	security = ads
         username map = $prefix/lib/username.map
         server signing = required
+	server min protocol = SMB3_00
+	client max protocol = SMB3
 ";
 
 	my $ret = $self->provision($prefix,
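
Review bot: the hunk pins client max protocol = SMB3 alongside server min protocol = SMB3_00 without saying why; bug 12540 is about the server setting only. Add a comment giving the reason (the tests.py change in this set explains that smbtorture's dcerpc client cannot autonegotiate a dialect yet), otherwise a later cleanup may drop the client line and the ktest environment will start failing for an unobvious reason.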
diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
index 605b3e0..0248f97 100644
--- a/source3/modules/vfs_fruit.c
+++ b/source3/modules/vfs_fruit.c
@@ -3539,7 +3539,7 @@ static NTSTATUS fruit_readdir_attr(struct vfs_handle_struct *handle,
 				struct fruit_config_data,
 				return NT_STATUS_UNSUCCESSFUL);
 
-	if (!config->use_aapl) {
+	if (!config->nego_aapl) {
 		return SMB_VFS_NEXT_READDIR_ATTR(handle, fname, mem_ctx, pattr_data);
 	}
 
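
Review bot: the switch from use_aapl to nego_aapl gates readdirattr on what this client actually negotiated, but a reader of this hunk cannot see how the two flags relate; confirm that nego_aapl can only become true when use_aapl is set (so fruit:aapl = no still disables readdirattr) and say so in a one-line comment above the check. This hunk fixes only fruit_readdir_attr(); any other place in the module that keys client-negotiated behaviour on use_aapl should be audited for the same mixup.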
diff --git a/source3/rpc_server/rpc_service_setup.c b/source3/rpc_server/rpc_service_setup.c
index 263fcaf..751a638 100644
--- a/source3/rpc_server/rpc_service_setup.c
+++ b/source3/rpc_server/rpc_service_setup.c
@@ -535,18 +535,15 @@ bool dcesrv_ep_setup(struct tevent_context *ev_ctx,
 
 	/* Initialize shared modules */
 	mod_init_fns = load_samba_modules(tmp_ctx, "rpc");
-	if (mod_init_fns == NULL) {
-		if (errno != ENOENT) {
-			/*
-			 * ENOENT means the directory doesn't exist
-			 * which can happen if all modules are
-			 * static. So ENOENT is ok, everything else is
-			 * not ok.
-			 */
-			DBG_ERR("Loading shared RPC modules failed [%s]\n",
-				strerror(errno));
-			ok = false;
-		}
+	if ((mod_init_fns == NULL) && (errno != ENOENT)) {
+		/*
+		 * ENOENT means the directory doesn't exist which can happen if
+		 * all modules are static. So ENOENT is ok, everything else is
+		 * not ok.
+		 */
+		DBG_ERR("Loading shared RPC modules failed [%s]\n",
+			strerror(errno));
+		ok = false;
 		goto done;
 	}
 
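
Review bot: folding the ENOENT case into the condition changes the control flow the commit message describes: a NULL mod_init_fns with errno == ENOENT no longer reaches "goto done" and now falls through to the code after the hunk with mod_init_fns == NULL. That is the intent, but it relies on the code that follows tolerating a NULL pointer and on load_samba_modules() setting errno on every failure path; if it can return NULL without touching errno, a stale ENOENT would turn a real load failure into a silent success. Suggest clearing errno before the call ("errno = 0;" above "mod_init_fns = load_samba_modules(tmp_ctx, "rpc");") or giving load_samba_modules() an explicit status return.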
diff --git a/source3/rpc_server/wscript_build b/source3/rpc_server/wscript_build
index 1d0facb..ed378c5 100755
--- a/source3/rpc_server/wscript_build
+++ b/source3/rpc_server/wscript_build
@@ -39,6 +39,10 @@ bld.SAMBA3_SUBSYSTEM('RPC_SERVER',
                     NDR_NAMED_PIPE_AUTH
                     ''')
 
+bld.SAMBA3_SUBSYSTEM('RPC_MODULES',
+                    source='rpc_modules.c',
+                    deps='samba-util')
+
 ### RPC_SERVICES
 bld.SAMBA3_SUBSYSTEM('RPC_DSSETUP',
                     source='''dssetup/srv_dssetup_nt.c
@@ -150,11 +154,12 @@ bld.SAMBA3_SUBSYSTEM('RPC_SERVER_REGISTER',
                     deps='samba-util')
 
 bld.SAMBA3_SUBSYSTEM('RPC_SERVICE',
-                    source='rpc_service_setup.c rpc_modules.c',
+                    source='rpc_service_setup.c',
                     deps='''
                     rpc
                     RPC_SERVER
                     RPC_SERVER_REGISTER
+		    RPC_MODULES
                     RPC_SAMR
                     RPC_LSARPC
                     RPC_WINREG
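
Review bot: the added "RPC_MODULES" line in the deps string is indented with a tab while the neighbouring entries (RPC_SERVER, RPC_SERVER_REGISTER, RPC_SAMR) use spaces; align it with them. The build splits the deps string on whitespace so it still works, but the mixed indentation will show up in every future diff of this block.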
@@ -192,6 +197,6 @@ bld.SAMBA3_SUBSYSTEM('FSSD',
                     deps='samba-util')
 
 bld.SAMBA3_SUBSYSTEM('MDSSD',
-                    source='mdssd.c rpc_modules.c',
-                    deps='RPC_SOCK_HELPER samba-util',
+                    source='mdssd.c',
+                    deps='RPC_SOCK_HELPER RPC_MODULES samba-util',
                     enabled=bld.env.with_spotlight)
diff --git a/source3/script/tests/test_smbclient_encryption_off.sh b/source3/script/tests/test_smbclient_encryption_off.sh
new file mode 100755
index 0000000..467a4ee
--- /dev/null
+++ b/source3/script/tests/test_smbclient_encryption_off.sh
@@ -0,0 +1,65 @@
+#!/bin/sh
+
+if [ $# -lt 4 ]; then
+cat <<EOF
+Usage: test_smbclient_encryption_off.sh USERNAME PASSWORD SERVER SMBCLIENT
+EOF
+exit 1;
+fi
+
+USERNAME="$1"
+PASSWORD="$2"
+SERVER="$3"
+SMBCLIENT="$VALGRIND $4"
+
+incdir=`dirname $0`/../../../testprogs/blackbox
+. $incdir/subunit.sh
+
+failed=0
+
+#
+# Let me introduce you to the shares used in this test:
+#
+# "tmp" has the default "smb encrypt" (which is "enabled")
+# "tmpenc" has "smb encrypt = required"
+# "enc_desired" has "smb encrypt = desired"
+#
+
+# Unencrypted connections should work of course, let's test em to be sure...
+
+# SMB1
+testit "smbclient //$SERVER/enc_desired" $SMBCLIENT -U $USERNAME%$PASSWORD //$SERVER/enc_desired -c quit || failed=`expr $failed + 1`
+testit "smbclient //$SERVER/tmp" $SMBCLIENT -U $USERNAME%$PASSWORD //$SERVER/tmp -c quit || failed=`expr $failed + 1`
+# SMB3_02
+testit "smbclient -m smb3_02 //$SERVER/enc_desired" $SMBCLIENT -m smb3_02 -U $USERNAME%$PASSWORD //$SERVER/enc_desired -c quit || failed=`expr $failed + 1`
+testit "smbclient -m smb3_02 //$SERVER/tmp" $SMBCLIENT -m smb3_02 -U $USERNAME%$PASSWORD //$SERVER/tmp -c quit || failed=`expr $failed + 1`
+# SMB3_11
+testit "smbclient -m smb3_11 //$SERVER/enc_desired" $SMBCLIENT -m smb3_11 -U $USERNAME%$PASSWORD //$SERVER/enc_desired -c quit || failed=`expr $failed + 1`
+testit "smbclient -m smb3_11 //$SERVER/tmp" $SMBCLIENT -m smb3_11 -U $USERNAME%$PASSWORD //$SERVER/tmp -c quit || failed=`expr $failed + 1`
+
+# These tests must fail, as encryption is globally off and in combination with "smb
+# encrypt=required" on the share "tmpenc" the server *must* reject the tcon.
+
+# SMB1
+testit_expect_failure "smbclient //$SERVER/tmpenc" $SMBCLIENT -U $USERNAME%$PASSWORD //$SERVER/tmpenc -c quit && failed=`expr $failed + 1`
+testit_expect_failure "smbclient -e //$SERVER/tmpenc" $SMBCLIENT -e -U $USERNAME%$PASSWORD //$SERVER/tmpenc -c quit && failed=`expr $failed + 1`
+# SMB3_02
+testit_expect_failure "smbclient -m smb3_02 //$SERVER/tmpenc" $SMBCLIENT -m smb3_02 -U $USERNAME%$PASSWORD //$SERVER/tmpenc -c quit && failed=`expr $failed + 1`
+testit_expect_failure "smbclient -e -m smb3_02 //$SERVER/tmpenc" $SMBCLIENT -e -m smb3_02 -U $USERNAME%$PASSWORD //$SERVER/tmpenc -c quit && failed=`expr $failed + 1`
+# SMB3_11
+testit_expect_failure "smbclient -m smb3_11 //$SERVER/tmpenc" $SMBCLIENT -m smb3_11 -U $USERNAME%$PASSWORD //$SERVER/tmpenc -c quit && failed=`expr $failed + 1`
+testit_expect_failure "smbclient -e -m smb3_11 //$SERVER/tmpenc" $SMBCLIENT -e -m smb3_11 -U $USERNAME%$PASSWORD //$SERVER/tmpenc -c quit && failed=`expr $failed + 1`
+
+# These tests must fail, as the client requires encryption and it's off on the server
+
+# SMB1
+testit_expect_failure "smbclient -e //$SERVER/enc_desired" $SMBCLIENT -e -U $USERNAME%$PASSWORD //$SERVER/enc_desired -c quit && failed=`expr $failed + 1`
+testit_expect_failure "smbclient -e //$SERVER/tmp" $SMBCLIENT -e -U $USERNAME%$PASSWORD //$SERVER/tmp -c quit && failed=`expr $failed + 1`
+# SMB3_02
+testit_expect_failure "smbclient -e -m smb3_02 //$SERVER/enc_desired" $SMBCLIENT -e -m smb3_02 -U $USERNAME%$PASSWORD //$SERVER/enc_desired -c quit && failed=`expr $failed + 1`
+testit_expect_failure "smbclient -e -m smb3_02 //$SERVER/tmp" $SMBCLIENT -e -m smb3_02 -U $USERNAME%$PASSWORD //$SERVER/tmp -c quit && failed=`expr $failed + 1`
+# SMB3_11
+testit_expect_failure "smbclient -e -m smb3_11 //$SERVER/enc_desired" $SMBCLIENT -e -m smb3_11 -U $USERNAME%$PASSWORD //$SERVER/enc_desired -c quit && failed=`expr $failed + 1`
+testit_expect_failure "smbclient -e -m smb3_11 //$SERVER/tmp" $SMBCLIENT -e -m smb3_11 -U $USERNAME%$PASSWORD //$SERVER/tmp -c quit && failed=`expr $failed + 1`
+
+testok $0 $failed
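
Review bot: the comment describing the shares says "tmp" has the default "smb encrypt" (which is "enabled"), but in the simpleserver environment this set also adds a global smb encrypt = off, and a share without its own setting inherits the global value, so "tmp" effectively runs with encryption off. Reword the comment so the expected results for "tmp" (plain tcon allowed, "-e" refused) are explained by the inherited global value rather than an "enabled" default. Also only SMB1, smb3_02 and smb3_11 are exercised; the smb2_tcon.c change in this set affects every SMB2+ dialect, so a "-m smb2" run of the same three groups would close the gap.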
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 3aecc9c..4632c3c 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -447,8 +447,12 @@ for s in signseal_options:
 
     # We should try more combinations in future, but this is all
     # the pre-calculated credentials cache supports at the moment
+    #
+    # As the ktest env requires SMB3_00 we need to use "smb2" until
+    # dcerpc client code in smbtorture support autonegotiation
+    # of any smb dialect.
     e = ""
-    a = ""
+    a = "smb2"
     binding_string = "ncacn_np:$SERVER[%s%s%s]" % (a, s, e)
     options = binding_string + " -k yes --krb5-ccache=$PREFIX/ktest/krb5_ccache-2"
     plansmbtorture4testsuite(test, "ktest", options, 'krb5 with old ccache ncacn_np with [%s%s%s] ' % (a, s, e))
@@ -488,6 +492,11 @@ plantestsuite("samba3.blackbox.rpcclient.pw-nt-hash", "simpleserver",
                "$USERNAME", "$PASSWORD", "$SERVER",
                os.path.join(bindir(), "rpcclient")])
 
+plantestsuite("samba3.blackbox.smbclient.encryption_off", "simpleserver",
+              [os.path.join(samba3srcdir, "script/tests/test_smbclient_encryption_off.sh"),
+               "$USERNAME", "$PASSWORD", "$SERVER",
+               smbclient3])
+
 options_list = ["", "-e"]
 for options in options_list:
     plantestsuite("samba3.blackbox.smbclient_krb5 old ccache %s" % options, "ktest:local",
diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c
index bd09b1d..cdde334 100644
--- a/source3/smbd/negprot.c
+++ b/source3/smbd/negprot.c
@@ -544,6 +544,8 @@ void reply_negprot(struct smb_request *req)
 	struct smbXsrv_connection *xconn = req->xconn;
 	struct smbd_server_connection *sconn = req->sconn;
 	bool signing_required = true;
+	int max_proto;
+	int min_proto;
 
 	START_PROFILE(SMBnegprot);
 
@@ -688,11 +690,28 @@ void reply_negprot(struct smb_request *req)
 			  FLAG_MSG_GENERAL|FLAG_MSG_SMBD
 			  |FLAG_MSG_PRINT_GENERAL);
 
+	/*
+	 * Anything higher than PROTOCOL_SMB2_10 still
+	 * needs to go via "SMB 2.???", which is marked
+	 * as PROTOCOL_SMB2_10.
+	 *
+	 * The real negotiation happens via reply_smb20ff()
+	 * using SMB2 Negotiation.
+	 */
+	max_proto = lp_server_max_protocol();
+	if (max_proto > PROTOCOL_SMB2_10) {
+		max_proto = PROTOCOL_SMB2_10;
+	}
+	min_proto = lp_server_min_protocol();
+	if (min_proto > PROTOCOL_SMB2_10) {
+		min_proto = PROTOCOL_SMB2_10;
+	}
+
 	/* Check for protocols, most desirable first */
 	for (protocol = 0; supported_protocols[protocol].proto_name; protocol++) {
 		i = 0;
-		if ((supported_protocols[protocol].protocol_level <= lp_server_max_protocol()) &&
-				(supported_protocols[protocol].protocol_level >= lp_server_min_protocol()))
+		if ((supported_protocols[protocol].protocol_level <= max_proto) &&
+		    (supported_protocols[protocol].protocol_level >= min_proto))
 			while (i < num_cliprotos) {
 				if (strequal(cliprotos[i],supported_protocols[protocol].proto_name)) {
 					choice = i;
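
Review bot: clamping min_proto to PROTOCOL_SMB2_10 means an SMB1 negprot that advertises "SMB 2.???" is now accepted even when server min protocol = SMB3_00; that is only safe if the SMB2 negotiate path the comment points to (reply_smb20ff() and then smbd_smb2_request_process_negprot()) re-applies the unclamped lp_server_min_protocol() and rejects the SMB2_02/SMB2_10 dialects there. Nothing in this hunk shows that, so either name the function where the real minimum is enforced in the comment or add a selftest that connects with "-m SMB2" against the ktest environment and expects the connection to be refused.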
diff --git a/source3/smbd/service.c b/source3/smbd/service.c
index 3308e9d..ce4b8da 100644
--- a/source3/smbd/service.c
+++ b/source3/smbd/service.c
@@ -623,6 +623,18 @@ static NTSTATUS make_connection_snum(struct smbXsrv_connection *xconn,
 	conn->short_case_preserve = lp_short_preserve_case(snum);
 
 	conn->encrypt_level = lp_smb_encrypt(snum);
+	if (conn->encrypt_level > SMB_SIGNING_OFF) {
+		if (lp_smb_encrypt(-1) == SMB_SIGNING_OFF) {
+			if (conn->encrypt_level == SMB_SIGNING_REQUIRED) {
+				DBG_ERR("Service [%s] requires encryption, but "
+					"it is disabled globally!\n",
+					lp_servicename(talloc_tos(), snum));
+				status = NT_STATUS_ACCESS_DENIED;
+				goto err_root_exit;
+			}
+			conn->encrypt_level = SMB_SIGNING_OFF;
+		}
+	}
 
 	conn->veto_list = NULL;
 	conn->hide_list = NULL;
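
Review bot: the downgrade at the bottom of the new block ("conn->encrypt_level = SMB_SIGNING_OFF;") is silent, while the required case logs at DBG_ERR. Add at least a DBG_NOTICE there so an administrator can see from the log that a share configured with smb encrypt = desired is being served unencrypted because of the global setting; otherwise the only evidence is a packet capture. A short comment that lp_smb_encrypt(-1) returns the [global] value would also help readers who do not know the -1 convention.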
diff --git a/source3/smbd/smb2_negprot.c b/source3/smbd/smb2_negprot.c
index 6cfa64f..d9ccdbe 100644
--- a/source3/smbd/smb2_negprot.c
+++ b/source3/smbd/smb2_negprot.c
@@ -441,7 +441,7 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
 		req->preauth = &req->xconn->smb2.preauth;
 	}
 
-	if (in_cipher != NULL) {
+	if ((capabilities & SMB2_CAP_ENCRYPTION) && (in_cipher != NULL)) {
 		size_t needed = 2;
 		uint16_t cipher_count;
 		const uint8_t *p;
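
Review bot: the new condition gates parsing of the client's encryption negotiate context on "capabilities & SMB2_CAP_ENCRYPTION"; confirm that "capabilities" at this point is the server-side set already computed with lp_smb_encrypt(-1) == off taken into account (the bit cleared), and not the client's advertised capabilities, otherwise the cipher context is still parsed and server.cipher set. Skipping the block also means no SMB2_ENCRYPTION_CAPABILITIES context goes back in the response when encryption is off; check against the MS-SMB2 negotiate-response rules whether the context may simply be omitted or has to be returned with a cipher id of 0, and record the answer in a comment so nobody "fixes" it later.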
diff --git a/source3/smbd/smb2_tcon.c b/source3/smbd/smb2_tcon.c
index 61e2a36..5330fc3 100644
--- a/source3/smbd/smb2_tcon.c
+++ b/source3/smbd/smb2_tcon.c
@@ -268,7 +268,8 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req,
 	}
 
 	if ((lp_smb_encrypt(snum) >= SMB_SIGNING_DESIRED) &&
-	    (conn->smb2.client.capabilities & SMB2_CAP_ENCRYPTION)) {
+	    (conn->smb2.server.cipher != 0))
+	{
 		encryption_desired = true;
 	}
 
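
Review bot: keying on "conn->smb2.server.cipher != 0" instead of the client's SMB2_CAP_ENCRYPTION is the right signal for whether encryption can actually be used, but make sure server.cipher is populated for SMB 3.0 and 3.0.2 as well, which carry no negotiate contexts and use AES-128-CCM implicitly; if it stays 0 for those dialects, smb encrypt = desired would never enable encryption for them and the new test (which runs with encryption globally off) would not catch it, so a positive test in an environment with encryption enabled is worth adding. Style: the opening brace was moved onto its own line after "(conn->smb2.server.cipher != 0))", unlike the surrounding code which keeps "{" on the if line.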


-- 
Samba Shared Repository


