[SCM] Samba Shared Repository - branch v4-5-test updated
Karolin Seeger
kseeger at samba.org
Mon Feb 6 11:59:02 UTC 2017
The branch, v4-5-test has been updated
via f4219b7 ctdb-tests: Use replace headers instead of system headers
via 78e4f07 ctdb-tests: Do not build mutex test if robust mutexes are not supported
via 5f84242 s3: VFS: vfs_streams_xattr.c: Make streams_xattr_open() store the same path as streams_xattr_recheck().
via 5410367 smbd: Fix "map acl inherit" = yes
via 44244bf s3: vfs: dirsort doesn't handle opendir of "." correctly.
via d5f233e vfs_fruit: checks wrong AAPL config state and so always uses readdirattr
via 778d14c selftest/Samba3: use "server min protocol = SMB3_00" for "ktest"
via 2e7c776 s3:smbd: allow "server min protocol = SMB3_00" to go via "SMB 2.???" negprot
via 1eb3f3d s3/rpc_server: move rpc_modules.c to its own subsystem
via ab6d010 selftest: add test for global "smb encrypt=off"
via 26ff06c selftest: disable SMB encryption in simpleserver environment
via 170cc06 docs: impact of a global "smb encrypt=off" on a share with "smb encrypt=required"
via ef266af s3/smbd: ensure global "smb encrypt = off" is effective for share with "smb encrypt = desired"
via c2abca6 s3/smbd: ensure global "smb encrypt = off" is effective for SMB 3.1.1 clients
via 98060ed s3/smbd: ensure global "smb encrypt = off" is effective for SMB 1 clients
via d9bad78 s3/rpc_server: shared rpc modules loading
from d760f75 s4:repl_meta_data: normalize rdn attribute name via the schema
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-5-test
- Log -----------------------------------------------------------------
commit f4219b76fbfe719b3ad98dd1cb82c4abc89dfa79
Author: Amitay Isaacs <amitay at gmail.com>
Date: Tue Jan 31 16:49:14 2017 +1100
ctdb-tests: Use replace headers instead of system headers
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12469
This ensures that PTHREAD_MUTEX_ROBUST, pthread_mutexattr_setrobust()
and pthread_mutex_consistent() are always defined.
Signed-off-by: Amitay Isaacs <amitay at gmail.com>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Tue Jan 31 11:57:01 CET 2017 on sn-devel-144
(cherry picked from commit 39ac4ae65eb3b8d4d3574987eab47eb7a290f2e4)
Autobuild-User(v4-5-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-5-test): Mon Feb 6 12:58:08 CET 2017 on sn-devel-144
commit 78e4f07aec944bde577735d231c6ede73ab63307
Author: Amitay Isaacs <amitay at gmail.com>
Date: Tue Jan 31 14:50:53 2017 +1100
ctdb-tests: Do not build mutex test if robust mutexes are not supported
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12469
Signed-off-by: Amitay Isaacs <amitay at gmail.com>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 08b4a5f9f1575c882ab7174eb3249b574df6976f)
commit 5f84242406fe3b3676c5288dd04dc91c6073cc09
Author: Jeremy Allison <jra at samba.org>
Date: Wed Feb 1 11:36:25 2017 -0800
s3: VFS: vfs_streams_xattr.c: Make streams_xattr_open() store the same path as streams_xattr_recheck().
If the open is changing directories, fsp->fsp_name->base_name
will be the full path from the share root, whilst
smb_fname will be relative to the $cwd.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12546
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Böhme <slow at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Thu Feb 2 01:55:42 CET 2017 on sn-devel-144
(cherry picked from commit a24ba3e4083200ec9885363efc5769f43183fb6b)
commit 5410367fe6579f248da2619129a3f2698ab4595f
Author: Volker Lendecke <vl at samba.org>
Date: Wed Feb 1 14:41:43 2017 +0000
smbd: Fix "map acl inherit" = yes
Brown-Paper-Bag bug in f85c2a6852a. The assignment contains a self-reference
in get_pai_flags which I missed.
Fix an uninitialized read.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12551
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Wed Feb 1 22:06:50 CET 2017 on sn-devel-144
(cherry picked from commit 129bc58eee4b1868b1aaec6194808752520517b4)
commit 44244bfc5399c2b13dc8ac3c15f7fc2007dc6529
Author: Jeremy Allison <jra at samba.org>
Date: Thu Jan 5 12:38:07 2017 -0800
s3: vfs: dirsort doesn't handle opendir of "." correctly.
Needs to store $cwd path for correct sorting.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12499
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Uri Simchoni <uri at samba.org>
(cherry picked from commit e2f34116ab6328e2b872999dc7c4bcda69c03ab2)
commit d5f233e9f47701d177320d5a59d9abe17c978972
Author: Ralph Boehme <slow at samba.org>
Date: Thu Jan 26 11:49:55 2017 +0100
vfs_fruit: checks wrong AAPL config state and so always uses readdirattr
readdirattr should only be enabled if the client enables it via AAPL
negotiation, not for all clients when vfs_fruit is loaded.
Unfortunately the check in fruit_readdir_attr() is
if (!config->use_aapl) {
return SMB_VFS_NEXT_READDIR_ATTR(handle, fname, mem_ctx, pattr_data);
}
This uses the wrong config state "use_aapl" which is always true by
default (config option "fruit:aapl").
We must use "nego_aapl" instead which is only true if the client
really negotiated this feature.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12541
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Sat Jan 28 01:49:11 CET 2017 on sn-devel-144
(cherry picked from commit 9a3b64a24cc21124485b423c9b70b67ff5a96f10)
commit 778d14cdbfd18a7600b1e7798adf3ede93d04ea3
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jan 25 21:15:44 2017 +0100
selftest/Samba3: use "server min protocol = SMB3_00" for "ktest"
This verifies that clients can still connect with that setting.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12540
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Fri Jan 27 12:03:39 CET 2017 on sn-devel-144
(cherry picked from commit 348bcca76855798d60c04ddb30f1e13b2ac2d7cd)
commit 2e7c77626587d7e8cd0eaed4504edb8b1c02ab37
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jan 18 08:37:30 2017 +0100
s3:smbd: allow "server min protocol = SMB3_00" to go via "SMB 2.???" negprot
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12540
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit c207f2a989fc791b5f9bf9043d3c6ac31db5cdfd)
commit 1eb3f3d5ced4083cc9ac1f11a387763affdf7140
Author: Ralph Boehme <slow at samba.org>
Date: Mon Jan 16 12:24:54 2017 +0100
s3/rpc_server: move rpc_modules.c to its own subsystem
The source file rpc_modules.c was used in two places which led to the
following build error when configuring with '--nonshared-binary=smbd/smbd':
ERROR: source source3/rpc_server/rpc_modules.c is in more than one
subsystem of target 'smbd/smbd': ['RPC_SERVICE', 'MDSSD']
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12524
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Noel Power <nopower at suse.com>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Fri Jan 20 15:00:45 CET 2017 on sn-devel-144
(cherry picked from commit be8e90f27a70f3ba8d708e984cf7b2a34e8c2628)
commit ab6d0100046dcd19af6c0dcac62e34b98bb606ca
Author: Ralph Boehme <slow at samba.org>
Date: Wed Jan 18 16:23:40 2017 +0100
selftest: add test for global "smb encrypt=off"
Test various combinations of having encryption globally turned off and
enabled (desired/required) on a share, with SMB1 UNIX Extensions and SMB3.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 21d030e5bdf7dc6ef8d5f4e70bed7e70b731cd15)
commit 26ff06cd50db1ecebd92ae1175f760bc65d8a171
Author: Ralph Boehme <slow at samba.org>
Date: Tue Jan 17 17:23:51 2017 +0100
selftest: disable SMB encryption in simpleserver environment
Encryption is currently not tested in this env so we can safely turn it
off. The next commit will add a blackbox test that tests combinations of
having encryption globally turned off and enabled (desired/required) on
a share.
This also adds a new share "enc_desired" with "smb encrypt = desired"
which will be used by the test in the next commit.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 573e8e15b3ed27d6b593e635e9c24eea3fdf4fb9)
commit 170cc06ddbadfb5c98883360a00b7cd3ebc0a413
Author: Ralph Boehme <slow at samba.org>
Date: Mon Jan 16 15:45:32 2017 +0100
docs: impact of a global "smb encrypt=off" on a share with "smb encrypt=required"
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit f8d937b331ac985264c76d76b447683fc494d38a)
commit ef266af12723c64dd55c4f542d5a7c6163036414
Author: Ralph Boehme <slow at samba.org>
Date: Mon Jan 16 12:56:10 2017 +0100
s3/smbd: ensure global "smb encrypt = off" is effective for share with "smb encrypt = desired"
If encryption is disabled globally, per definition we shouldn't allow
enabling encryption on individual shares.
The behaviour of specifying
[Global]
smb encrypt = off
[share]
smb encrypt = desired
must be an unencrypted tree connect to the share "share".
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit b0b418c22558fa1df547df9bdac2642343ac39e1)
commit c2abca62e44bda69795f8082047a105d0bbd53ec
Author: Ralph Boehme <slow at samba.org>
Date: Thu Jan 5 12:14:35 2017 +0100
s3/smbd: ensure global "smb encrypt = off" is effective for SMB 3.1.1 clients
If encryption is disabled globally, per definition we shouldn't allow
enabling encryption on individual shares.
The behaviour of setting
[Global]
smb encrypt = off
[share]
smb encrypt = required
must be to completely deny access to the share "share".
This was working correctly for clients when using SMB 3 dialects <
3.1.1, but not for 3.1.1 with a negprot encryption context.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 6ae63d42f5aacddf5b7b6dbdfbe620344989e4e5)
commit 98060edd45d2531637ecdfd3a0862b07eb2b944d
Author: Ralph Boehme <slow at samba.org>
Date: Wed Jan 18 16:19:15 2017 +0100
s3/smbd: ensure global "smb encrypt = off" is effective for SMB 1 clients
If encryption is disabled globally, per definition we shouldn't allow
enabling encryption on individual shares.
The behaviour of setting
[Global]
smb encrypt = off
[share_required]
smb encrypt = required
[share_desired]
smb encrypt = desired
must be to completely deny access to the share "share_required" and an
unencrypted connection to "share_desired".
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 43a90cee46bb7a70f7973c4fc51eee7634e43145)
commit d9bad787c82ff5727b4277a0cb813914b66bf072
Author: Ralph Boehme <slow at samba.org>
Date: Mon Jan 30 18:49:39 2017 +0100
s3/rpc_server: shared rpc modules loading
The previous commit 58889e04bd545d7420d1193e134351bd0ccb8430 for this
bug was broken as it didn't move the goto into the "if (errno !=
ENOENT)" condition.
This updated fix folds the test "mod_init_fns == NULL" and the check for
the errno into one if condition.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12184
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 9785fe5af6613a728a7d92c82bbc31cabbe3a0b9)
-----------------------------------------------------------------------
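The global/share "smb encrypt" combinations described in the three s3/smbd commit messages above, as an added example that is not part of the original mail or of Samba: a small smb.conf audit that reports which shares would be denied or left unencrypted. It recognises only the four values named on this page and assumes "enabled" as the default, as the test script's comment states; the sample configuration is constructed.

```python
# Added example (not Samba code): report the effective "smb encrypt" outcome
# per share, following the rules stated in the commit messages above.
# Assumptions: only the values named on this page are recognised, and
# include files / line continuations in smb.conf are not followed.

DENIED = "access denied"
UNENCRYPTED = "unencrypted tree connect"
KNOWN = ("off", "enabled", "desired", "required")
DEFAULT = "enabled"  # default named in the test script comment on this page


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {param: value}}.

    Section and parameter names are lower-cased and parameter names have
    whitespace removed, because smb.conf treats "SMB Encrypt" and
    "smbencrypt" as the same parameter.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current]["".join(key.lower().split())] = value.strip().lower()
    return sections


def effective_encryption(conf):
    """Return {share: outcome} for every non-global section."""
    global_level = conf.get("global", {}).get("smbencrypt", DEFAULT)
    report = {}
    for share, params in conf.items():
        if share == "global":
            continue
        # A share without its own setting inherits the global one.
        level = params.get("smbencrypt", global_level)
        if level not in KNOWN or global_level not in KNOWN:
            report[share] = "unrecognised value, check manually"
        elif global_level != "off":
            report[share] = "share setting applies (%s)" % level
        elif level == "required":
            # Global off + share required: the server rejects the tcon.
            report[share] = DENIED
        else:
            # Global off + desired/enabled/off: connection is not encrypted.
            report[share] = UNENCRYPTED
    return report


# Constructed sample input, modelled on the snippets in the commit messages.
SAMPLE = """
[Global]
    smb encrypt = off
[share_required]
    smb encrypt = required
[share_desired]
    SMB Encrypt = desired
[plain]
    path = /srv/plain
"""

if __name__ == "__main__":
    for share, outcome in effective_encryption(parse_smb_conf(SAMPLE)).items():
        print("%-16s %s" % (share, outcome))
```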
Summary of changes:
ctdb/tests/src/test_mutex_raw.c | 24 +++-----
ctdb/wscript | 9 +--
docs-xml/smbdotconf/security/smbencrypt.xml | 6 +-
selftest/target/Samba3.pm | 8 +++
source3/modules/vfs_dirsort.c | 4 ++
source3/modules/vfs_fruit.c | 2 +-
source3/modules/vfs_streams_xattr.c | 9 ++-
source3/rpc_server/rpc_service_setup.c | 21 +++----
source3/rpc_server/wscript_build | 11 +++-
.../script/tests/test_smbclient_encryption_off.sh | 65 ++++++++++++++++++++++
source3/selftest/tests.py | 11 +++-
source3/smbd/negprot.c | 23 +++++++-
source3/smbd/posix_acls.c | 4 +-
source3/smbd/service.c | 12 ++++
source3/smbd/smb2_negprot.c | 2 +-
source3/smbd/smb2_tcon.c | 3 +-
16 files changed, 168 insertions(+), 46 deletions(-)
create mode 100755 source3/script/tests/test_smbclient_encryption_off.sh
Changeset truncated at 500 lines:
diff --git a/ctdb/tests/src/test_mutex_raw.c b/ctdb/tests/src/test_mutex_raw.c
index 8e3cae3..ab7aff9 100644
--- a/ctdb/tests/src/test_mutex_raw.c
+++ b/ctdb/tests/src/test_mutex_raw.c
@@ -38,21 +38,11 @@
* If no pid is printed, then no process is holding the mutex.
*/
-#include <stdio.h>
-#include <unistd.h>
-#include <inttypes.h>
-#include <sys/types.h>
-#include <sys/fcntl.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/wait.h>
-#include <sched.h>
-#include <sys/mman.h>
-#include <pthread.h>
-#include <errno.h>
-#include <stdbool.h>
-
-int pthread_mutex_consistent_np(pthread_mutex_t *);
+#include "replace.h"
+#include "system/filesys.h"
+#include "system/wait.h"
+#include "system/shmem.h"
+#include "system/threads.h"
static void set_realtime(void)
{
@@ -99,7 +89,7 @@ static void run_child(const char *filename)
again:
ret = pthread_mutex_lock(mutex);
if (ret == EOWNERDEAD) {
- ret = pthread_mutex_consistent_np(mutex);
+ ret = pthread_mutex_consistent(mutex);
} else if (ret == EAGAIN) {
goto again;
}
@@ -172,7 +162,7 @@ int main(int argc, const char **argv)
if (strcmp(argv[2], "debug") == 0) {
ret = pthread_mutex_trylock(mutex);
if (ret == EOWNERDEAD) {
- ret = pthread_mutex_consistent_np(mutex);
+ ret = pthread_mutex_consistent(mutex);
if (ret == 0) {
pthread_mutex_unlock(mutex);
}
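Review bot: in the "debug" branch, a failing pthread_mutex_consistent() (ret != 0) skips the unlock, and nothing in the visible lines reports the error, so a failed recovery cannot be told apart from the "no process is holding the mutex" case described in the file header. Consider an else branch that prints ret before continuing.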
diff --git a/ctdb/wscript b/ctdb/wscript
index 05e1be7..4b58d2f 100644
--- a/ctdb/wscript
+++ b/ctdb/wscript
@@ -750,10 +750,11 @@ def build(bld):
ib_deps,
install_path='${CTDB_TEST_LIBEXECDIR}')
- bld.SAMBA_BINARY('test_mutex_raw',
- source='tests/src/test_mutex_raw.c',
- deps='pthread',
- install_path='${CTDB_TEST_LIBEXECDIR}')
+ if bld.env.HAVE_ROBUST_MUTEXES:
+ bld.SAMBA_BINARY('test_mutex_raw',
+ source='tests/src/test_mutex_raw.c',
+ deps='pthread',
+ install_path='${CTDB_TEST_LIBEXECDIR}')
test_subdirs = [
'complex',
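Review bot: the new `if bld.env.HAVE_ROBUST_MUTEXES:` guard drops test_mutex_raw from the build without any message, so any test script that runs the binary from ${CTDB_TEST_LIBEXECDIR} needs a matching skip. Worth confirming that those callers check for the binary and report a skip rather than a failure.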
diff --git a/docs-xml/smbdotconf/security/smbencrypt.xml b/docs-xml/smbdotconf/security/smbencrypt.xml
index 0f08966..32a22cb 100644
--- a/docs-xml/smbdotconf/security/smbencrypt.xml
+++ b/docs-xml/smbdotconf/security/smbencrypt.xml
@@ -180,7 +180,11 @@
<listitem>
<para>
Setting it to <emphasis>off</emphasis> globally will
- completely disable the encryption feature.
+ completely disable the encryption feature for all
+ connections. Setting <parameter>smb encrypt =
+ required</parameter> for individual shares (while it's
+ globally off) will deny access to this shares for all
+ clients.
</para>
</listitem>
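Review bot: the added sentence documents only `smb encrypt = required` on a share; the `desired` case, which this same series turns into an unencrypted tree connect when the global setting is off, is missing and is the one an administrator is least likely to notice. Please add it here, and change "this shares" to "these shares".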
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 8f2a1f5..f5e63e3 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -554,6 +554,7 @@ sub setup_simpleserver($$)
ntlm auth = yes
vfs objects = xattr_tdb streams_depot time_audit full_audit
change notify = no
+ smb encrypt = off
full_audit:syslog = no
full_audit:success = none
@@ -571,6 +572,11 @@ sub setup_simpleserver($$)
store dos attributes = yes
hide files = /hidefile/
hide dot files = yes
+
+[enc_desired]
+ path = $prefix_abs/share
+ vfs objects =
+ smb encrypt = desired
";
my $vars = $self->provision($path,
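Review bot: in the new [enc_desired] section, the empty `vfs objects =` overrides the global list (xattr_tdb streams_depot time_audit full_audit) with no explanation. A one-line comment in the share definition saying why the modules are dropped for this share would help the next reader.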
@@ -757,6 +763,8 @@ sub setup_ktest($$$)
security = ads
username map = $prefix/lib/username.map
server signing = required
+ server min protocol = SMB3_00
+ client max protocol = SMB3
";
my $ret = $self->provision($prefix,
diff --git a/source3/modules/vfs_dirsort.c b/source3/modules/vfs_dirsort.c
index f856835..4a3e152 100644
--- a/source3/modules/vfs_dirsort.c
+++ b/source3/modules/vfs_dirsort.c
@@ -138,6 +138,10 @@ static DIR *dirsort_opendir(vfs_handle_struct *handle,
return NULL;
}
+ if (ISDOT(data->smb_fname->base_name)) {
+ data->smb_fname->base_name = vfs_GetWd(data, handle->conn);
+ }
+
/* Open the underlying directory and count the number of entries */
data->source_directory = SMB_VFS_NEXT_OPENDIR(handle, smb_fname, mask,
attr);
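Review bot: the result of vfs_GetWd() in the added ISDOT() block is assigned to data->smb_fname->base_name without a NULL check, so a failure there leaves base_name NULL for the code that uses it later. Check the return value and fail the opendir the way the error path just above does.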
diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
index 6e7899aa..88138af 100644
--- a/source3/modules/vfs_fruit.c
+++ b/source3/modules/vfs_fruit.c
@@ -3522,7 +3522,7 @@ static NTSTATUS fruit_readdir_attr(struct vfs_handle_struct *handle,
struct fruit_config_data,
return NT_STATUS_UNSUCCESSFUL);
- if (!config->use_aapl) {
+ if (!config->nego_aapl) {
return SMB_VFS_NEXT_READDIR_ATTR(handle, fname, mem_ctx, pattr_data);
}
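Review bot: the one-word change from use_aapl to nego_aapl comes without a test (the summary of changes lists only source3/modules/vfs_fruit.c for it), so a regression back to the always-true config flag would go unnoticed. A test that lists a directory on a fruit share from a client that did not negotiate AAPL would pin the behaviour.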
diff --git a/source3/modules/vfs_streams_xattr.c b/source3/modules/vfs_streams_xattr.c
index d9eb2e1..d3c988c 100644
--- a/source3/modules/vfs_streams_xattr.c
+++ b/source3/modules/vfs_streams_xattr.c
@@ -527,8 +527,15 @@ static int streams_xattr_open(vfs_handle_struct *handle,
sio->xattr_name = talloc_strdup(VFS_MEMCTX_FSP_EXTENSION(handle, fsp),
xattr_name);
+ /*
+ * so->base needs to be a copy of fsp->fsp_name->base_name,
+ * making it identical to streams_xattr_recheck(). If the
+ * open is changing directories, fsp->fsp_name->base_name
+ * will be the full path from the share root, whilst
+ * smb_fname will be relative to the $cwd.
+ */
sio->base = talloc_strdup(VFS_MEMCTX_FSP_EXTENSION(handle, fsp),
- smb_fname->base_name);
+ fsp->fsp_name->base_name);
sio->fsp_name_ptr = fsp->fsp_name;
sio->handle = handle;
sio->fsp = fsp;
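Review bot: the new comment names "so->base", but the field assigned below it is sio->base; please fix the name so the comment matches the code and can be found by grep. The talloc_strdup() result for sio->base is also not checked in the lines shown, so confirm that a NULL check follows these assignments.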
diff --git a/source3/rpc_server/rpc_service_setup.c b/source3/rpc_server/rpc_service_setup.c
index 263fcaf..751a638 100644
--- a/source3/rpc_server/rpc_service_setup.c
+++ b/source3/rpc_server/rpc_service_setup.c
@@ -535,18 +535,15 @@ bool dcesrv_ep_setup(struct tevent_context *ev_ctx,
/* Initialize shared modules */
mod_init_fns = load_samba_modules(tmp_ctx, "rpc");
- if (mod_init_fns == NULL) {
- if (errno != ENOENT) {
- /*
- * ENOENT means the directory doesn't exist
- * which can happen if all modules are
- * static. So ENOENT is ok, everything else is
- * not ok.
- */
- DBG_ERR("Loading shared RPC modules failed [%s]\n",
- strerror(errno));
- ok = false;
- }
+ if ((mod_init_fns == NULL) && (errno != ENOENT)) {
+ /*
+ * ENOENT means the directory doesn't exist which can happen if
+ * all modules are static. So ENOENT is ok, everything else is
+ * not ok.
+ */
+ DBG_ERR("Loading shared RPC modules failed [%s]\n",
+ strerror(errno));
+ ok = false;
goto done;
}
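Review bot: the folded condition `(mod_init_fns == NULL) && (errno != ENOENT)` trusts errno as left by load_samba_modules(), but errno is not cleared before the call, so a stale value from an earlier failure can decide whether a NULL result is fatal. Set errno = 0 before load_samba_modules(), and make sure the code after this block tolerates mod_init_fns == NULL in the ENOENT case, which now falls through.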
diff --git a/source3/rpc_server/wscript_build b/source3/rpc_server/wscript_build
index 1d0facb..ed378c5 100755
--- a/source3/rpc_server/wscript_build
+++ b/source3/rpc_server/wscript_build
@@ -39,6 +39,10 @@ bld.SAMBA3_SUBSYSTEM('RPC_SERVER',
NDR_NAMED_PIPE_AUTH
''')
+bld.SAMBA3_SUBSYSTEM('RPC_MODULES',
+ source='rpc_modules.c',
+ deps='samba-util')
+
### RPC_SERVICES
bld.SAMBA3_SUBSYSTEM('RPC_DSSETUP',
source='''dssetup/srv_dssetup_nt.c
@@ -150,11 +154,12 @@ bld.SAMBA3_SUBSYSTEM('RPC_SERVER_REGISTER',
deps='samba-util')
bld.SAMBA3_SUBSYSTEM('RPC_SERVICE',
- source='rpc_service_setup.c rpc_modules.c',
+ source='rpc_service_setup.c',
deps='''
rpc
RPC_SERVER
RPC_SERVER_REGISTER
+ RPC_MODULES
RPC_SAMR
RPC_LSARPC
RPC_WINREG
@@ -192,6 +197,6 @@ bld.SAMBA3_SUBSYSTEM('FSSD',
deps='samba-util')
bld.SAMBA3_SUBSYSTEM('MDSSD',
- source='mdssd.c rpc_modules.c',
- deps='RPC_SOCK_HELPER samba-util',
+ source='mdssd.c',
+ deps='RPC_SOCK_HELPER RPC_MODULES samba-util',
enabled=bld.env.with_spotlight)
diff --git a/source3/script/tests/test_smbclient_encryption_off.sh b/source3/script/tests/test_smbclient_encryption_off.sh
new file mode 100755
index 0000000..467a4ee
--- /dev/null
+++ b/source3/script/tests/test_smbclient_encryption_off.sh
@@ -0,0 +1,65 @@
+#!/bin/sh
+
+if [ $# -lt 4 ]; then
+cat <<EOF
+Usage: test_smbclient_encryption_off.sh USERNAME PASSWORD SERVER SMBCLIENT
+EOF
+exit 1;
+fi
+
+USERNAME="$1"
+PASSWORD="$2"
+SERVER="$3"
+SMBCLIENT="$VALGRIND $4"
+
+incdir=`dirname $0`/../../../testprogs/blackbox
+. $incdir/subunit.sh
+
+failed=0
+
+#
+# Let me introduce you to the shares used in this test:
+#
+# "tmp" has the default "smb encrypt" (which is "enabled")
+# "tmpenc" has "smb encrypt = required"
+# "enc_desired" has "smb encrypt = desired"
+#
+
+# Unencrypted connections should work of course, let's test em to be sure...
+
+# SMB1
+testit "smbclient //$SERVER/enc_desired" $SMBCLIENT -U $USERNAME%$PASSWORD //$SERVER/enc_desired -c quit || failed=`expr $failed + 1`
+testit "smbclient //$SERVER/tmp" $SMBCLIENT -U $USERNAME%$PASSWORD //$SERVER/tmp -c quit || failed=`expr $failed + 1`
+# SMB3_02
+testit "smbclient -m smb3_02 //$SERVER/enc_desired" $SMBCLIENT -m smb3_02 -U $USERNAME%$PASSWORD //$SERVER/enc_desired -c quit || failed=`expr $failed + 1`
+testit "smbclient -m smb3_02 //$SERVER/tmp" $SMBCLIENT -m smb3_02 -U $USERNAME%$PASSWORD //$SERVER/tmp -c quit || failed=`expr $failed + 1`
+# SMB3_11
+testit "smbclient -m smb3_11 //$SERVER/enc_desired" $SMBCLIENT -m smb3_11 -U $USERNAME%$PASSWORD //$SERVER/enc_desired -c quit || failed=`expr $failed + 1`
+testit "smbclient -m smb3_11 //$SERVER/tmp" $SMBCLIENT -m smb3_11 -U $USERNAME%$PASSWORD //$SERVER/tmp -c quit || failed=`expr $failed + 1`
+
+# These tests must fail, as encryption is globally off and in combination with "smb
+# encrypt=required" on the share "tmpenc" the server *must* reject the tcon.
+
+# SMB1
+testit_expect_failure "smbclient //$SERVER/tmpenc" $SMBCLIENT -U $USERNAME%$PASSWORD //$SERVER/tmpenc -c quit && failed=`expr $failed + 1`
+testit_expect_failure "smbclient -e //$SERVER/tmpenc" $SMBCLIENT -e -U $USERNAME%$PASSWORD //$SERVER/tmpenc -c quit && failed=`expr $failed + 1`
+# SMB3_02
+testit_expect_failure "smbclient -m smb3_02 //$SERVER/tmpenc" $SMBCLIENT -m smb3_02 -U $USERNAME%$PASSWORD //$SERVER/tmpenc -c quit && failed=`expr $failed + 1`
+testit_expect_failure "smbclient -e -m smb3_02 //$SERVER/tmpenc" $SMBCLIENT -e -m smb3_02 -U $USERNAME%$PASSWORD //$SERVER/tmpenc -c quit && failed=`expr $failed + 1`
+# SMB3_11
+testit_expect_failure "smbclient -m smb3_11 //$SERVER/tmpenc" $SMBCLIENT -m smb3_11 -U $USERNAME%$PASSWORD //$SERVER/tmpenc -c quit && failed=`expr $failed + 1`
+testit_expect_failure "smbclient -e -m smb3_11 //$SERVER/tmpenc" $SMBCLIENT -e -m smb3_11 -U $USERNAME%$PASSWORD //$SERVER/tmpenc -c quit && failed=`expr $failed + 1`
+
+# These tests must fail, as the client requires encryption and it's off on the server
+
+# SMB1
+testit_expect_failure "smbclient -e //$SERVER/enc_desired" $SMBCLIENT -e -U $USERNAME%$PASSWORD //$SERVER/enc_desired -c quit && failed=`expr $failed + 1`
+testit_expect_failure "smbclient -e //$SERVER/tmp" $SMBCLIENT -e -U $USERNAME%$PASSWORD //$SERVER/tmp -c quit && failed=`expr $failed + 1`
+# SMB3_02
+testit_expect_failure "smbclient -e -m smb3_02 //$SERVER/enc_desired" $SMBCLIENT -e -m smb3_02 -U $USERNAME%$PASSWORD //$SERVER/enc_desired -c quit && failed=`expr $failed + 1`
+testit_expect_failure "smbclient -e -m smb3_02 //$SERVER/tmp" $SMBCLIENT -e -m smb3_02 -U $USERNAME%$PASSWORD //$SERVER/tmp -c quit && failed=`expr $failed + 1`
+# SMB3_11
+testit_expect_failure "smbclient -e -m smb3_11 //$SERVER/enc_desired" $SMBCLIENT -e -m smb3_11 -U $USERNAME%$PASSWORD //$SERVER/enc_desired -c quit && failed=`expr $failed + 1`
+testit_expect_failure "smbclient -e -m smb3_11 //$SERVER/tmp" $SMBCLIENT -e -m smb3_11 -U $USERNAME%$PASSWORD //$SERVER/tmp -c quit && failed=`expr $failed + 1`
+
+testok $0 $failed
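Review bot: every smbclient invocation passes `-U $USERNAME%$PASSWORD` and `//$SERVER/...` unquoted, so a test password containing whitespace or glob characters is split or expanded by the shell before smbclient sees it. Quote those expansions ("$USERNAME%$PASSWORD", "//$SERVER/tmpenc"). The header comment also says "tmp" has the default "smb encrypt", while this environment now sets the global value to off; saying that "tmp" inherits off here would make the expected results easier to follow.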
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index d80750e..754e754 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -442,8 +442,12 @@ for s in signseal_options:
# We should try more combinations in future, but this is all
# the pre-calculated credentials cache supports at the moment
+ #
+ # As the ktest env requires SMB3_00 we need to use "smb2" until
+ # dcerpc client code in smbtorture support autonegotiation
+ # of any smb dialect.
e = ""
- a = ""
+ a = "smb2"
binding_string = "ncacn_np:$SERVER[%s%s%s]" % (a, s, e)
options = binding_string + " -k yes --krb5-ccache=$PREFIX/ktest/krb5_ccache-2"
plansmbtorture4testsuite(test, "ktest", options, 'krb5 with old ccache ncacn_np with [%s%s%s] ' % (a, s, e))
@@ -483,6 +487,11 @@ plantestsuite("samba3.blackbox.rpcclient.pw-nt-hash", "simpleserver",
"$USERNAME", "$PASSWORD", "$SERVER",
os.path.join(bindir(), "rpcclient")])
+plantestsuite("samba3.blackbox.smbclient.encryption_off", "simpleserver",
+ [os.path.join(samba3srcdir, "script/tests/test_smbclient_encryption_off.sh"),
+ "$USERNAME", "$PASSWORD", "$SERVER",
+ smbclient3])
+
options_list = ["", "-e"]
for options in options_list:
plantestsuite("samba3.blackbox.smbclient_krb5 old ccache %s" % options, "ktest:local",
diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c
index d2e5e2e..793306a 100644
--- a/source3/smbd/negprot.c
+++ b/source3/smbd/negprot.c
@@ -544,6 +544,8 @@ void reply_negprot(struct smb_request *req)
struct smbXsrv_connection *xconn = req->xconn;
struct smbd_server_connection *sconn = req->sconn;
bool signing_required = true;
+ int max_proto;
+ int min_proto;
START_PROFILE(SMBnegprot);
@@ -688,11 +690,28 @@ void reply_negprot(struct smb_request *req)
FLAG_MSG_GENERAL|FLAG_MSG_SMBD
|FLAG_MSG_PRINT_GENERAL);
+ /*
+ * Anything higher than PROTOCOL_SMB2_10 still
+ * needs to go via "SMB 2.???", which is marked
+ * as PROTOCOL_SMB2_10.
+ *
+ * The real negotiation happens via reply_smb20ff()
+ * using SMB2 Negotiation.
+ */
+ max_proto = lp_server_max_protocol();
+ if (max_proto > PROTOCOL_SMB2_10) {
+ max_proto = PROTOCOL_SMB2_10;
+ }
+ min_proto = lp_server_min_protocol();
+ if (min_proto > PROTOCOL_SMB2_10) {
+ min_proto = PROTOCOL_SMB2_10;
+ }
+
/* Check for protocols, most desirable first */
for (protocol = 0; supported_protocols[protocol].proto_name; protocol++) {
i = 0;
- if ((supported_protocols[protocol].protocol_level <= lp_server_max_protocol()) &&
- (supported_protocols[protocol].protocol_level >= lp_server_min_protocol()))
+ if ((supported_protocols[protocol].protocol_level <= max_proto) &&
+ (supported_protocols[protocol].protocol_level >= min_proto))
while (i < num_cliprotos) {
if (strequal(cliprotos[i],supported_protocols[protocol].proto_name)) {
choice = i;
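Review bot: clamping min_proto to PROTOCOL_SMB2_10 means this loop no longer enforces a configured minimum above SMB 2.10, and the new comment explains only how higher dialects are routed, not where the configured minimum is then applied. Extend the comment to name the code path that enforces lp_server_min_protocol() after "SMB 2.???" is selected, and consider a test in which the client's highest dialect is below the configured minimum.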
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index c575568..b462f53 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -2700,9 +2700,9 @@ static canon_ace *canonicalise_acl(struct connection_struct *conn,
.attr = ALLOW_ACE,
.trustee = sid,
.unix_ug = unix_ug,
- .owner_type = owner_type,
- .ace_flags = get_pai_flags(pal, ace, is_default_acl)
+ .owner_type = owner_type
};
+ ace->ace_flags = get_pai_flags(pal, ace, is_default_acl);
DLIST_ADD(l_head, ace);
}
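Review bot: moving ace_flags out of the compound literal fixes the read of *ace while it is still being assigned, but nothing at the new `ace->ace_flags = get_pai_flags(pal, ace, is_default_acl);` line says why it has to stay separate. A short comment that get_pai_flags() reads the already-initialised ace would stop a later cleanup from folding it back into the initializer.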
diff --git a/source3/smbd/service.c b/source3/smbd/service.c
index 5b54aec..505b13a 100644
--- a/source3/smbd/service.c
+++ b/source3/smbd/service.c
@@ -623,6 +623,18 @@ static NTSTATUS make_connection_snum(struct smbXsrv_connection *xconn,
conn->short_case_preserve = lp_short_preserve_case(snum);
conn->encrypt_level = lp_smb_encrypt(snum);
+ if (conn->encrypt_level > SMB_SIGNING_OFF) {
+ if (lp_smb_encrypt(-1) == SMB_SIGNING_OFF) {
+ if (conn->encrypt_level == SMB_SIGNING_REQUIRED) {
+ DBG_ERR("Service [%s] requires encryption, but "
+ "it is disabled globally!\n",
+ lp_servicename(talloc_tos(), snum));
+ status = NT_STATUS_ACCESS_DENIED;
+ goto err_root_exit;
+ }
+ conn->encrypt_level = SMB_SIGNING_OFF;
+ }
+ }
conn->veto_list = NULL;
conn->hide_list = NULL;
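Review bot: the fallthrough `conn->encrypt_level = SMB_SIGNING_OFF;` silently downgrades a share configured above off (for example desired) when the global setting is off, while only the required case is logged. A lower-severity debug message naming the share would let an administrator see that the per-share setting is being ignored. The -1 passed to lp_smb_encrypt() for the global value, and the use of SMB_SIGNING_* constants for encryption levels, also deserve a brief comment.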
diff --git a/source3/smbd/smb2_negprot.c b/source3/smbd/smb2_negprot.c
index 6cfa64f..d9ccdbe 100644
--- a/source3/smbd/smb2_negprot.c
+++ b/source3/smbd/smb2_negprot.c
@@ -441,7 +441,7 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
req->preauth = &req->xconn->smb2.preauth;
}
- if (in_cipher != NULL) {
+ if ((capabilities & SMB2_CAP_ENCRYPTION) && (in_cipher != NULL)) {
size_t needed = 2;
uint16_t cipher_count;
const uint8_t *p;
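Review bot: the new condition tests `capabilities & SMB2_CAP_ENCRYPTION`, but the hunk does not show whether `capabilities` holds the server's computed flags or the client's request, and ignoring the client's cipher context when encryption is off is only correct if it is the server's. A one-line comment above the if stating which it is would make the intent checkable.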
diff --git a/source3/smbd/smb2_tcon.c b/source3/smbd/smb2_tcon.c
index 61e2a36..5330fc3 100644
--- a/source3/smbd/smb2_tcon.c
+++ b/source3/smbd/smb2_tcon.c
@@ -268,7 +268,8 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req,
}
if ((lp_smb_encrypt(snum) >= SMB_SIGNING_DESIRED) &&
- (conn->smb2.client.capabilities & SMB2_CAP_ENCRYPTION)) {
+ (conn->smb2.server.cipher != 0))
+ {
encryption_desired = true;
}
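Review bot: encryption_desired now depends on `conn->smb2.server.cipher != 0` instead of the client capability bit, so it is correct only if every negotiation path leaves server.cipher at 0 when encryption is globally off. Please state that invariant in a comment here, since the code that sets the field is in a different file (smb2_negprot.c) and a later change there could re-enable encryption for these shares without touching this function.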
--
Samba Shared Repository