[SCM] Samba Shared Repository - branch master updated

Stefan Metzmacher metze at samba.org
Fri Jan 27 11:04:02 UTC 2017


The branch, master has been updated
       via  348bcca selftest/Samba3: use "server min protocol = SMB3_00" for "ktest"
       via  c207f2a s3:smbd: allow "server min protocol = SMB3_00" to go via "SMB 2.???" negprot
       via  5c75238 s3:libsmb: use a local got_kerberos_mechanism variable in cli_session_creds_prepare_krb5()
       via  022fb7e s3:client: don't use cli->use_kerberos && cli->got_kerberos_mechanism in smbspool.c
       via  9d60ad5 rpc_server: Allow to configure the port range for RPC services
       via  35dfa5c rpc_server: Use the RPC TCPIP ports of Windows
      from  2cf141e waf: backport finding of pkg-config

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 348bcca76855798d60c04ddb30f1e13b2ac2d7cd
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jan 25 21:15:44 2017 +0100

    selftest/Samba3: use "server min protocol = SMB3_00" for "ktest"
    
    This verifies that clients can still connect with that setting.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12540
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Fri Jan 27 12:03:39 CET 2017 on sn-devel-144

commit c207f2a989fc791b5f9bf9043d3c6ac31db5cdfd
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jan 18 08:37:30 2017 +0100

    s3:smbd: allow "server min protocol = SMB3_00" to go via "SMB 2.???" negprot
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12540
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 5c7523890dbb1762a84c3092dc35d63a52358d0e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Nov 4 12:57:28 2016 +0100

    s3:libsmb: use a local got_kerberos_mechanism variable in cli_session_creds_prepare_krb5()
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 022fb7ea149745fdc85bc7c6bf000b4541be9705
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Nov 4 12:53:43 2016 +0100

    s3:client: don't use cli->use_kerberos && cli->got_kerberos_mechanism in smbspool.c
    
    We already know if we want to use kerberos and there's no point
    in altering the error message if we tried but failed to use kerberos.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 9d60ad53b809281a5a6f6ad82a0daea99c989f2d
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Jan 16 12:05:09 2017 +0100

    rpc_server: Allow to configure the port range for RPC services
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12521
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit 35dfa5c6e2bf60f8f1efda5eb7026cabe8bf5ba3
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Jan 16 11:43:12 2017 +0100

    rpc_server: Use the RPC TCPIP ports of Windows
    
    Since Windows Server 2008 Microsoft uses a different port range for RPC
    services. Before it was 1024-65535 and they changed it to 49152-65535.
    
    We should use the same range as these are the ports the firewall in AD
    networks normally allows.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12521
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/smbdotconf/protocol/rpcserverport.xml     | 14 +++++--
 .../smbdotconf/rpc/rpcserverdynamicportrange.xml   | 22 ++++++++++
 lib/param/loadparm.c                               | 47 ++++++++++++++++++++++
 lib/param/loadparm.h                               |  9 ++++-
 lib/param/param.h                                  |  3 ++
 python/samba/tests/docs.py                         | 11 +++--
 selftest/target/Samba3.pm                          |  2 +
 source3/client/smbspool.c                          | 17 ++++----
 source3/include/client.h                           |  1 -
 source3/include/proto.h                            |  2 +
 source3/libsmb/cliconnect.c                        |  9 ++---
 source3/param/loadparm.c                           | 16 ++++++++
 source3/rpc_server/rpc_server.c                    |  5 +--
 source3/selftest/tests.py                          |  6 ++-
 source3/smbd/negprot.c                             | 23 ++++++++++-
 source4/smbd/service_stream.c                      |  8 ++--
 16 files changed, 161 insertions(+), 34 deletions(-)
 create mode 100644 docs-xml/smbdotconf/rpc/rpcserverdynamicportrange.xml


Changeset truncated at 500 lines:

diff --git a/docs-xml/smbdotconf/protocol/rpcserverport.xml b/docs-xml/smbdotconf/protocol/rpcserverport.xml
index 8a70835..0fd87d6 100644
--- a/docs-xml/smbdotconf/protocol/rpcserverport.xml
+++ b/docs-xml/smbdotconf/protocol/rpcserverport.xml
@@ -4,11 +4,19 @@
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
 	<para>Specifies which port the server should listen on for DCE/RPC over TCP/IP traffic.</para>
-	<para>This controls default port for all protocols, except for NETLOGON.  If unset, the first available port after 1024 is used.</para>
-	<para>The NETLOGON server will use the next available port, eg 1025.  To change this port use (eg) rpc server port:netlogon = 4000.</para>
+	<para>This controls the default port for all protocols, except for NETLOGON.</para>
+	<para>If unset, the first available port from <smbconfoption name="rpc server dynamic port range"/> is used, e.g. 49152.</para>
+	<para>The NETLOGON server will use the next available port, e.g. 49153.  To change this port use (eg) rpc server port:netlogon = 4000.</para>
 	<para>Furthermore, all RPC servers can have the port they use specified independenty, with (for example) rpc server port:drsuapi = 5000.</para>
 
+	<para>This option applies currently only when
+	<citerefentry><refentrytitle>samba</refentrytitle> <manvolnum>8</manvolnum></citerefentry>
+	runs as an active directory domain controller.</para>
+
+	<para>The default value 0 causes Samba to select the first available port from <smbconfoption name="rpc server dynamic port range"/>.</para>
 </description>
-<para>The default value 0 causes Samba to select the first available port after 1024.</para>
+
+<related>rpc server dynamic port range</related>
+
 <value type="default">0</value>
 </samba:parameter>
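Review bot: The added NETLOGON paragraph mixes "e.g." and "(eg)" in the same sentence, and the unchanged line directly below it still reads "independenty". Since this hunk rewrites the surrounding text, use "e.g." throughout and fix the spelling to "independently". The example ports 49152 and 49153 are only right for the default of rpc server dynamic port range, so wording them as "the first port of the range" would stay correct when an admin narrows the range.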
diff --git a/docs-xml/smbdotconf/rpc/rpcserverdynamicportrange.xml b/docs-xml/smbdotconf/rpc/rpcserverdynamicportrange.xml
new file mode 100644
index 0000000..a9c51d2
--- /dev/null
+++ b/docs-xml/smbdotconf/rpc/rpcserverdynamicportrange.xml
@@ -0,0 +1,22 @@
+<samba:parameter name="rpc server dynamic port range"
+                 context="G"
+                 type="string"
+                 handler="handle_rpc_server_dynamic_port_range"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>
+		This parameter tells the RPC server which port range it is
+		allowed to use to create a listening socket for LSA, SAM,
+		Netlogon and others without wellknown tcp ports.
+		The first value is the lowest number of the port
+		range and the second the hightest.
+	</para>
+	<para>
+		This applies to RPC servers in all server roles.
+	</para>
+</description>
+
+<related>rpc server port</related>
+
+<value type="default">49152-65535</value>
+</samba:parameter>
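Review bot: The description does not state the value syntax or the limits that the handler in lib/param/loadparm.c enforces. It should say that the value is written as low-high, that low must not exceed high, and that both must lie within 1024-65535 (SERVER_TCP_PORT_MIN and SERVER_TCP_PORT_MAX), otherwise the setting is rejected. Also fix "hightest" to "highest" and "wellknown" to "well-known". Given the firewall motivation in the commit message, a sentence telling admins that the host and network firewalls must permit the configured range would be useful.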
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index a056101..335c54a 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -83,6 +83,16 @@ struct loadparm_service *lpcfg_default_service(struct loadparm_context *lp_ctx)
 	return lp_ctx->sDefault;
 }
 
+int lpcfg_rpc_low_port(struct loadparm_context *lp_ctx)
+{
+	return lp_ctx->globals->rpc_low_port;
+}
+
+int lpcfg_rpc_high_port(struct loadparm_context *lp_ctx)
+{
+	return lp_ctx->globals->rpc_high_port;
+}
+
 /**
  * Convenience routine to grab string parameters into temporary memory
  * and run standard_sub_basic on them.
@@ -1435,6 +1445,37 @@ bool handle_smb_ports(struct loadparm_context *lp_ctx, struct loadparm_service *
 	return true;
 }
 
+bool handle_rpc_server_dynamic_port_range(struct loadparm_context *lp_ctx,
+					  struct loadparm_service *service,
+					  const char *pszParmValue,
+					  char **ptr)
+{
+	int low_port = -1, high_port = -1;
+	int rc;
+
+	if (pszParmValue == NULL || pszParmValue[0] == '\0') {
+		return false;
+	}
+
+	rc = sscanf(pszParmValue, "%d - %d", &low_port, &high_port);
+	if (rc != 2) {
+		return false;
+	}
+
+	if (low_port > high_port) {
+		return false;
+	}
+
+	if (low_port < SERVER_TCP_PORT_MIN|| high_port > SERVER_TCP_PORT_MAX) {
+		return false;
+	}
+
+	lp_ctx->globals->rpc_low_port = low_port;
+	lp_ctx->globals->rpc_high_port = high_port;
+
+	return true;
+}
+
 bool handle_smb2_max_credits(struct loadparm_context *lp_ctx,
 			     struct loadparm_service *service,
 			     const char *pszParmValue, char **ptr)
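Review bot: The sscanf() check in handle_rpc_server_dynamic_port_range() only tests rc != 2, so trailing text after the second number (for example "49152-65535abc") is accepted silently, and a number too large for int is undefined behaviour with %d. Parsing with strtol() and checking the end pointer and errno, or appending %n and comparing it against strlen(pszParmValue), would reject both. The ptr argument is never written, so the stored string for the parameter is not updated by this handler; please confirm that is intended and say so in a comment. Style: add the missing space in "SERVER_TCP_PORT_MIN||".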
@@ -2498,6 +2539,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 	lp_ctx->globals = talloc_zero(lp_ctx, struct loadparm_global);
 	/* This appears odd, but globals in s3 isn't a pointer */
 	lp_ctx->globals->ctx = lp_ctx->globals;
+	lp_ctx->globals->rpc_low_port = SERVER_TCP_LOW_PORT;
+	lp_ctx->globals->rpc_high_port = SERVER_TCP_HIGH_PORT;
 	lp_ctx->sDefault = talloc_zero(lp_ctx, struct loadparm_service);
 	lp_ctx->flags = talloc_zero_array(lp_ctx, unsigned int, num_parameters());
 
@@ -2901,6 +2944,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 
 	lpcfg_do_global_parameter(lp_ctx, "kerberos encryption types", "all");
 
+	lpcfg_do_global_parameter(lp_ctx,
+				  "rpc server dynamic port range",
+				  "49152-65535");
+
 	/* Allow modules to adjust defaults */
 	for (defaults_hook = defaults_hooks; defaults_hook;
 		 defaults_hook = defaults_hook->next) {
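Review bot: The literal "49152-65535" passed to lpcfg_do_global_parameter() duplicates SERVER_TCP_LOW_PORT and SERVER_TCP_HIGH_PORT, which the earlier hunk in loadparm_init() already assigns to rpc_low_port and rpc_high_port. The same string appears again in init_globals() in source3/param/loadparm.c and in the XML default. If one copy changes, the others drift silently. Either build the string from the macros, or drop the direct assignments and let the handler be the only place that sets the two integers.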
diff --git a/lib/param/loadparm.h b/lib/param/loadparm.h
index 6d01b37..d1e2b7c 100644
--- a/lib/param/loadparm.h
+++ b/lib/param/loadparm.h
@@ -194,6 +194,11 @@ enum printing_types {PRINT_BSD,PRINT_SYSV,PRINT_AIX,PRINT_HPUX,
 #endif /* DEVELOPER */
 };
 
+#define SERVER_TCP_LOW_PORT  49152
+#define SERVER_TCP_HIGH_PORT 65535
+
+#define SERVER_TCP_PORT_MIN 1024
+#define SERVER_TCP_PORT_MAX 65535
 
 
 
@@ -275,7 +280,9 @@ enum mangled_names_options {MANGLED_NAMES_NO, MANGLED_NAMES_YES, MANGLED_NAMES_I
 #define LOADPARM_EXTRA_GLOBALS \
 	struct parmlist_entry *param_opt;				\
 	char *dnsdomain;						\
-	char *realm_original;
+	char *realm_original;						\
+	int rpc_low_port;						\
+	int rpc_high_port;
 
 const char* server_role_str(uint32_t role);
 int lp_find_server_role(int server_role, int security, int domain_logons, int domain_master);
diff --git a/lib/param/param.h b/lib/param/param.h
index 66037e2..e123e67 100644
--- a/lib/param/param.h
+++ b/lib/param/param.h
@@ -313,6 +313,9 @@ void lpcfg_default_kdc_policy(struct loadparm_context *lp_ctx,
 				time_t *usr_tkt_lifetime,
 				time_t *renewal_lifetime);
 
+int lpcfg_rpc_port_low(struct loadparm_context *lp_ctx);
+int lpcfg_rpc_port_high(struct loadparm_context *lp_ctx);
+
 /* The following definitions come from lib/version.c  */
 
 const char *samba_version_string(void);
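Review bot: The prototypes added here are lpcfg_rpc_port_low() and lpcfg_rpc_port_high(), but lib/param/loadparm.c in this same changeset defines lpcfg_rpc_low_port() and lpcfg_rpc_high_port(). The declared names have no definition and the defined functions have no prototype. Rename the declarations to match the definitions; the source3 accessors are lp_rpc_low_port() and lp_rpc_high_port(), so the low_port/high_port order is the consistent choice.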
diff --git a/python/samba/tests/docs.py b/python/samba/tests/docs.py
index 22e0225..65df573 100644
--- a/python/samba/tests/docs.py
+++ b/python/samba/tests/docs.py
@@ -108,7 +108,7 @@ class SmbDotConfTests(TestCase):
                          'lprm command', 'lpq command', 'print command', 'template homedir',
                          'spoolss: os_major', 'spoolss: os_minor', 'spoolss: os_build',
                          'max open files', 'fss: prune stale', 'fss: sequence timeout',
-                         'include system krb5 conf'])
+                         'include system krb5 conf', 'rpc server dynamic port range'])
 
     def setUp(self):
         super(SmbDotConfTests, self).setUp()
@@ -162,14 +162,16 @@ class SmbDotConfTests(TestCase):
             exceptions = ['client lanman auth',
                           'client plaintext auth',
                           'registry shares',
-                          'smb ports'])
+                          'smb ports',
+                          'rpc server dynamic port range'])
         self._test_empty(['bin/testparm'])
 
     def test_default_s4(self):
         self._test_default(['bin/samba-tool', 'testparm'])
         self._set_defaults(['bin/samba-tool', 'testparm'])
         self._set_arbitrary(['bin/samba-tool', 'testparm'],
-            exceptions = ['smb ports'])
+            exceptions = ['smb ports',
+                          'rpc server dynamic port range'])
         self._test_empty(['bin/samba-tool', 'testparm'])
 
     def _test_default(self, program):
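Review bot: Adding 'rpc server dynamic port range' to the exceptions of _set_arbitrary() in both test_default_s3 and test_default_s4, on top of the special_cases entry above, means none of these generic tests exercise the new handler. Please add a dedicated test that feeds testparm a valid range, a reversed range, a range starting below 1024 and a malformed string, so the validation in handle_rpc_server_dynamic_port_range() has coverage.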
@@ -178,6 +180,7 @@ class SmbDotConfTests(TestCase):
 
         for tuples in self.defaults:
             param, default, context, param_type = tuples
+
             if param in self.special_cases:
                 continue
             section = None
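Review bot: The blank line added after the tuple unpacking in _test_default() is an unrelated whitespace change. Drop it so the diff to this file stays limited to the new parameter.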
@@ -206,7 +209,7 @@ class SmbDotConfTests(TestCase):
         for tuples in self.defaults:
             param, default, context, param_type = tuples
 
-            if param in ['printing']:
+            if param in ['printing', 'rpc server dynamic port range']:
                 continue
 
             section = None
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 1ae270a..32f0c6f 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -791,6 +791,8 @@ sub setup_ktest($$$)
 	security = ads
         username map = $prefix/lib/username.map
         server signing = required
+	server min protocol = SMB3_00
+	client max protocol = SMB3
 ";
 
 	my $ret = $self->provision($prefix,
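Review bot: The commit subject only mentions "server min protocol = SMB3_00", but setup_ktest() also gains "client max protocol = SMB3" with no explanation. Say in the commit message why the client side has to be raised for this environment. The two new lines are tab-indented while the neighbouring "username map" and "server signing" lines use spaces; match one style.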
diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
index 10e89c7..49241c7 100644
--- a/source3/client/smbspool.c
+++ b/source3/client/smbspool.c
@@ -58,7 +58,7 @@
  * Local functions...
  */
 
-static int      get_exit_code(struct cli_state * cli, NTSTATUS nt_status);
+static int      get_exit_code(struct cli_state * cli, NTSTATUS nt_status, bool use_kerberos);
 static void     list_devices(void);
 static struct cli_state *smb_complete_connection(const char *, const char *,
 	int, const char *, const char *, const char *, const char *, int, bool *need_auth);
@@ -328,7 +328,8 @@ done:
 
 static int
 get_exit_code(struct cli_state * cli,
-	      NTSTATUS nt_status)
+	      NTSTATUS nt_status,
+	      bool use_kerberos)
 {
 	int i;
 
@@ -355,7 +356,7 @@ get_exit_code(struct cli_state * cli,
 		}
 
 		if (cli) {
-			if (cli->use_kerberos && cli->got_kerberos_mechanism)
+			if (use_kerberos)
 				fputs("ATTR: auth-info-required=negotiate\n", stderr);
 			else
 				fputs("ATTR: auth-info-required=username,password\n", stderr);
@@ -449,7 +450,7 @@ smb_complete_connection(const char *myname,
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		fprintf(stderr, "ERROR: Session setup failed: %s\n", nt_errstr(nt_status));
 
-		if (get_exit_code(cli, nt_status) == 2) {
+		if (get_exit_code(cli, nt_status, use_kerberos) == 2) {
 			*need_auth = true;
 		}
 
@@ -463,7 +464,7 @@ smb_complete_connection(const char *myname,
 		fprintf(stderr, "ERROR: Tree connect failed (%s)\n",
 			nt_errstr(nt_status));
 
-		if (get_exit_code(cli, nt_status) == 2) {
+		if (get_exit_code(cli, nt_status, use_kerberos) == 2) {
 			*need_auth = true;
 		}
 
@@ -601,7 +602,7 @@ smb_print(struct cli_state * cli,	/* I - SMB connection */
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		fprintf(stderr, "ERROR: %s opening remote spool %s\n",
 			nt_errstr(nt_status), title);
-		return get_exit_code(cli, nt_status);
+		return get_exit_code(cli, nt_status, false);
 	}
 
 	/*
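Review bot: In smb_print() the new use_kerberos argument is hard-coded to false at the spool-open call, and again at the write and close calls in the next two hunks. An authentication failure on a Kerberos connection in these paths will therefore report "ATTR: auth-info-required=username,password" instead of "negotiate", where the old code took the decision from the cli state. Either pass the real value into smb_print() or add a comment explaining why these paths can never reach the auth-required branch of get_exit_code().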
@@ -619,7 +620,7 @@ smb_print(struct cli_state * cli,	/* I - SMB connection */
 		status = cli_writeall(cli, fnum, 0, (uint8_t *)buffer,
 				      tbytes, nbytes, NULL);
 		if (!NT_STATUS_IS_OK(status)) {
-			int ret = get_exit_code(cli, status);
+			int ret = get_exit_code(cli, status, false);
 			fprintf(stderr, "ERROR: Error writing spool: %s\n",
 				nt_errstr(status));
 			fprintf(stderr, "DEBUG: Returning status %d...\n",
@@ -635,7 +636,7 @@ smb_print(struct cli_state * cli,	/* I - SMB connection */
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		fprintf(stderr, "ERROR: %s closing remote spool %s\n",
 			nt_errstr(nt_status), title);
-		return get_exit_code(cli, nt_status);
+		return get_exit_code(cli, nt_status, false);
 	} else {
 		return (0);
 	}
diff --git a/source3/include/client.h b/source3/include/client.h
index 43ec39b..db8260d 100644
--- a/source3/include/client.h
+++ b/source3/include/client.h
@@ -80,7 +80,6 @@ struct cli_state {
 	bool fallback_after_kerberos;
 	bool use_ccache;
 	bool pw_nt_hash;
-	bool got_kerberos_mechanism; /* Server supports krb5 in SPNEGO. */
 
 	bool use_oplocks; /* should we use oplocks? */
 
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 642900e..b3d3ca0 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -889,6 +889,8 @@ int lp_client_ipc_signing(void);
 int lp_smb2_max_credits(void);
 int lp_cups_encrypt(void);
 bool lp_widelinks(int );
+int lp_rpc_low_port(void);
+int lp_rpc_high_port(void);
 
 int lp_wi_scan_global_parametrics(
 	const char *regex, size_t max_matches,
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 55768bf..a9451fb 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -228,6 +228,7 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
 	const char *pass = NULL;
 	const char *target_hostname = NULL;
 	const DATA_BLOB *server_blob = NULL;
+	bool got_kerberos_mechanism = false;
 	enum credentials_use_kerberos krb5_state;
 	bool try_kerberos = false;
 	bool need_kinit = false;
@@ -235,9 +236,7 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
 	int ret;
 
 	target_hostname = smbXcli_conn_remote_name(cli->conn);
-	if (!cli->got_kerberos_mechanism) {
-		server_blob = smbXcli_conn_server_gss_blob(cli->conn);
-	}
+	server_blob = smbXcli_conn_server_gss_blob(cli->conn);
 
 	/* the server might not even do spnego */
 	if (server_blob != NULL && server_blob->length != 0) {
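Review bot: Removing the "if (!cli->got_kerberos_mechanism)" guard around smbXcli_conn_server_gss_blob() is a behaviour change, not only the variable move the subject line describes. The server's SPNEGO blob is now parsed on every call to cli_session_creds_prepare_krb5(), whereas a flag cached on cli previously skipped the parse once Kerberos had been seen. That looks right with a local flag initialised to false, but the commit message should state it.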
@@ -275,7 +274,7 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
 
 			if (strcmp(OIDs[i], OID_KERBEROS5_OLD) == 0 ||
 			    strcmp(OIDs[i], OID_KERBEROS5) == 0) {
-				cli->got_kerberos_mechanism = true;
+				got_kerberos_mechanism = true;
 				break;
 			}
 		}
@@ -324,7 +323,7 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
 		need_kinit = false;
 	} else if (krb5_state == CRED_MUST_USE_KERBEROS) {
 		need_kinit = try_kerberos;
-	} else if (!cli->got_kerberos_mechanism) {
+	} else if (!got_kerberos_mechanism) {
 		/*
 		 * Most likely the server doesn't support
 		 * Kerberos, don't waste time doing a kinit
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 0ce4f92..c65e613 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -929,6 +929,12 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 
 	Globals.aio_max_threads = 100;
 
+	lpcfg_string_set(Globals.ctx,
+			 &Globals.rpc_server_dynamic_port_range,
+			 "49152-65535");
+	Globals.rpc_low_port = SERVER_TCP_LOW_PORT;
+	Globals.rpc_high_port = SERVER_TCP_HIGH_PORT;
+
 	/* Now put back the settings that were set with lp_set_cmdline() */
 	apply_lp_set_cmdline();
 }
@@ -4548,6 +4554,16 @@ int lp_client_ipc_signing(void)
 	return client_ipc_signing;
 }
 
+int lp_rpc_low_port(void)
+{
+	return Globals.rpc_low_port;
+}
+
+int lp_rpc_high_port(void)
+{
+	return Globals.rpc_high_port;
+}
+
 struct loadparm_global * get_globals(void)
 {
 	return &Globals;
diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c
index 5effe66..f7fb8ef 100644
--- a/source3/rpc_server/rpc_server.c
+++ b/source3/rpc_server/rpc_server.c
@@ -34,9 +34,6 @@
 #include "rpc_server/srv_pipe_hnd.h"
 #include "rpc_server/srv_pipe.h"
 
-#define SERVER_TCP_LOW_PORT  1024
-#define SERVER_TCP_HIGH_PORT 1300
-
 /* Creates a pipes_struct and initializes it with the information
  * sent from the client */
 int make_server_pipes_struct(TALLOC_CTX *mem_ctx,
@@ -608,7 +605,7 @@ int create_tcpip_socket(const struct sockaddr_storage *ifss, uint16_t *port)
 	if (*port == 0) {
 		uint16_t i;
 
-		for (i = SERVER_TCP_LOW_PORT; i <= SERVER_TCP_HIGH_PORT; i++) {
+		for (i = lp_rpc_low_port(); i <= lp_rpc_high_port(); i++) {
 			fd = open_socket_in(SOCK_STREAM,
 					    i,
 					    0,
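Review bot: With the loop bound now lp_rpc_high_port(), whose default is 65535, the condition "i <= lp_rpc_high_port()" is always true for the uint16_t counter i. After 65535 it wraps to 0, so if no port in the range can be opened the loop never terminates and goes on to probe ports below the configured range. The old bound of 1300 hid this. Use a wider counter (int or uint32_t) and narrow it when passing to open_socket_in(), or break explicitly once i reaches the high port. Reading the two accessors once before the loop would also avoid calling them on every iteration.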
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 0b5a0ce..4231e1d 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -454,8 +454,12 @@ for s in signseal_options:
 
     # We should try more combinations in future, but this is all
     # the pre-calculated credentials cache supports at the moment
+    #
+    # As the ktest env requires SMB3_00 we need to use "smb2" until
+    # dcerpc client code in smbtorture support autonegotiation
+    # of any smb dialect.
     e = ""
-    a = ""
+    a = "smb2"
     binding_string = "ncacn_np:$SERVER[%s%s%s]" % (a, s, e)
     options = binding_string + " -k yes --krb5-ccache=$PREFIX/ktest/krb5_ccache-2"
     plansmbtorture4testsuite(test, "ktest", options, 'krb5 with old ccache ncacn_np with [%s%s%s] ' % (a, s, e))
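Review bot: Hard-coding a = "smb2" changes the binding string for every signseal option in this loop, so the default-dialect path is no longer tested against ktest at all. The comment explains why, but marking it as a TODO tied to the smbtorture autonegotiation work would make it easier to find and revert later. Comment grammar: "support autonegotiation" should read "supports autonegotiation".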
diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c
index bd09b1d..cdde334 100644
--- a/source3/smbd/negprot.c
+++ b/source3/smbd/negprot.c
@@ -544,6 +544,8 @@ void reply_negprot(struct smb_request *req)
 	struct smbXsrv_connection *xconn = req->xconn;
 	struct smbd_server_connection *sconn = req->sconn;
 	bool signing_required = true;
+	int max_proto;
+	int min_proto;
 
 	START_PROFILE(SMBnegprot);
 
@@ -688,11 +690,28 @@ void reply_negprot(struct smb_request *req)
 			  FLAG_MSG_GENERAL|FLAG_MSG_SMBD
 			  |FLAG_MSG_PRINT_GENERAL);
 
+	/*
+	 * Anything higher than PROTOCOL_SMB2_10 still
+	 * needs to go via "SMB 2.???", which is marked
+	 * as PROTOCOL_SMB2_10.
+	 *
+	 * The real negotiation happens via reply_smb20ff()
+	 * using SMB2 Negotiation.
+	 */
+	max_proto = lp_server_max_protocol();
+	if (max_proto > PROTOCOL_SMB2_10) {
+		max_proto = PROTOCOL_SMB2_10;
+	}
+	min_proto = lp_server_min_protocol();
+	if (min_proto > PROTOCOL_SMB2_10) {
+		min_proto = PROTOCOL_SMB2_10;
+	}
+
 	/* Check for protocols, most desirable first */
 	for (protocol = 0; supported_protocols[protocol].proto_name; protocol++) {
 		i = 0;
-		if ((supported_protocols[protocol].protocol_level <= lp_server_max_protocol()) &&
-				(supported_protocols[protocol].protocol_level >= lp_server_min_protocol()))
+		if ((supported_protocols[protocol].protocol_level <= max_proto) &&
+		    (supported_protocols[protocol].protocol_level >= min_proto))
 			while (i < num_cliprotos) {
 				if (strequal(cliprotos[i],supported_protocols[protocol].proto_name)) {
 					choice = i;
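Review bot: Clamping min_proto to PROTOCOL_SMB2_10 means the configured "server min protocol" is no longer enforced in reply_negprot() once it is above SMB2_10. The new comment says the real negotiation happens via reply_smb20ff(), but it should state explicitly that the SMB2 negotiate path is what rejects dialects below lp_server_min_protocol(), since that is the security-relevant guarantee. A test in which a client offering at most SMB 2.10 is refused by a server with "server min protocol = SMB3_00" would pin that down; the ktest change only verifies that clients can still connect.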
diff --git a/source4/smbd/service_stream.c b/source4/smbd/service_stream.c


-- 
Samba Shared Repository


