[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Fri Sep 28 09:26:03 UTC 2018


The branch, master has been updated
       via  34cbd89 libcli: Add debug message if fail to negotiate SMB protocol
       via  3787062 s3/smbd: Server responds incorrectly if no SMB protocol chosen
       via  0122f45 netcmd: Make sure SMB connection is signed when backing up sysvol
      from  9c0a9c6 s4/web_server: fix panic from wrong type extracted from conn

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 34cbd89fec836f5de0cb5ba3f289b1f4ae00c5d7
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Thu Sep 27 09:53:24 2018 +1200

    libcli: Add debug message if fail to negotiate SMB protocol
    
    Currently if the client and server can't negotiate an SMB protocol, you
    just get the following error on the client-side, which doesn't tell you
    much.
    ERROR(runtime): uncaught exception - (3221225667, 'The network responded
    incorrectly.')
    
    This patch adds a debug message to help highlight what's actually going
    wrong.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13621
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Fri Sep 28 11:25:29 CEST 2018 on sn-devel-144

commit 378706266496ce79c1887fe96ab3b15f56770244
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Thu Sep 27 09:46:41 2018 +1200

    s3/smbd: Server responds incorrectly if no SMB protocol chosen
    
    The SMBnegprot response from the server contains the DialectIndex of the
    selected protocol from the client's request message. Currently, if no
    protocol is selected, the server is responding with a DialectIndex=zero,
    which is a valid index (PROTOCOL_CORE by default). The Windows spec, and
    historically the code, should return DialectIndex=0xffff if no protocol
    is chosen. The following commit changed it recently (presumably
    inadvertently), so that it now returns DialectIndex=zero.
    
    06940155f315529c5b5 s3:smbd: Fix size types in reply_negprot()
    
    This results in somewhat confusing error messages on the client side:
    ERROR(runtime): uncaught exception - (3221225997, 'The transport
    connection has been reset.')
    
    or, when signing is configured as mandatory:
    smbXcli_negprot: SMB signing is mandatory and the selected protocol
    level (1) doesn't support it.
    ERROR(runtime): uncaught exception - (3221225506, '{Access Denied} A
    process has requested access to an object but has not been granted those
    access rights.')
    
    This patch restores the old behaviour of returning 0xffff.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13621
    
    Pair-Programmed-With: Ralph Boehme <slow at samba.org>
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 0122f45f053ecc545950c31bf1fb33fba143478c
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Wed Sep 26 17:01:03 2018 +1200

    netcmd: Make sure SMB connection is signed when backing up sysvol
    
    i.e. protect the client against man-in-the-middle attacks by default.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13621
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 libcli/smb/smbXcli_base.c            | 1 +
 python/samba/netcmd/domain_backup.py | 4 ++--
 source3/smbd/negprot.c               | 9 ++++++++-
 3 files changed, 11 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index ad1b67b..d94b4d8 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -4369,6 +4369,7 @@ static void smbXcli_negprot_smb1_done(struct tevent_req *subreq)
 	}
 
 	if (conn->protocol == PROTOCOL_NONE) {
+		DBG_ERR("No compatible protocol selected by server.\n");
 		tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
 		return;
 	}
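Review bot: The new DBG_ERR line in the PROTOCOL_NONE branch reports that negotiation failed but not against which server or with which dialects on offer, so a log covering several connections still leaves the reader guessing. If the remote name and the client's offered protocol range are reachable from conn in this function, include them in the message. The commit message calls this a debug message while DBG_ERR logs at error level, so it is worth confirming that level is intended for library code.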
diff --git a/python/samba/netcmd/domain_backup.py b/python/samba/netcmd/domain_backup.py
index 9c8457d..683e7d2 100644
--- a/python/samba/netcmd/domain_backup.py
+++ b/python/samba/netcmd/domain_backup.py
@@ -245,7 +245,7 @@ class cmd_domain_backup_online(samba.netcmd.Command):
 
         # Grab the remote DC's sysvol files and bundle them into a tar file
         sysvol_tar = os.path.join(tmpdir, 'sysvol.tar.gz')
-        smb_conn = smb.SMB(server, "sysvol", lp=lp, creds=creds)
+        smb_conn = smb.SMB(server, "sysvol", lp=lp, creds=creds, sign=True)
         backup_online(smb_conn, sysvol_tar, remote_sam.get_domain_sid())
 
         # remove the default sysvol files created by the clone (we want to
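Review bot: With sign=True on the smb.SMB() call in cmd_domain_backup_online, a DC that cannot negotiate a signing-capable protocol now makes this line raise, and nothing in the visible lines catches it, so the user gets the raw "uncaught exception" output quoted in the commit messages. Consider catching the failure here and raising a command-level error that states SMB signing is required for the sysvol backup.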
@@ -768,7 +768,7 @@ class cmd_domain_backup_rename(samba.netcmd.Command):
         # use the old realm) backed here, as well as default files generated
         # for the new realm as part of the clone/join.
         sysvol_tar = os.path.join(tmpdir, 'sysvol.tar.gz')
-        smb_conn = smb.SMB(server, "sysvol", lp=lp, creds=creds)
+        smb_conn = smb.SMB(server, "sysvol", lp=lp, creds=creds, sign=True)
         backup_online(smb_conn, sysvol_tar, remote_sam.get_domain_sid())
 
         # connect to the local DB (making sure we use the new/renamed config)
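Review bot: The sysvol_tar / smb.SMB(...) / backup_online(...) sequence in cmd_domain_backup_rename is the same three lines as in cmd_domain_backup_online, and the sign=True requirement now has to be kept in step in both places. Moving the sequence into one shared helper would keep the signing requirement in a single spot, so a later edit cannot drop it from one command only.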
diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c
index 27366ea..2d5edf1 100644
--- a/source3/smbd/negprot.c
+++ b/source3/smbd/negprot.c
@@ -28,6 +28,13 @@
 #include "auth/gensec/gensec.h"
 #include "../libcli/smb/smb_signing.h"
 
+/*
+ * MS-CIFS, 2.2.4.52.2 SMB_COM_NEGOTIATE Response:
+ * If the server does not support any of the listed dialects, it MUST return a
+ * DialectIndex of 0XFFFF
+ */
+#define NO_PROTOCOL_CHOSEN	0xffff
+
 extern fstring remote_proto;
 
 static void get_challenge(struct smbXsrv_connection *xconn, uint8_t buff[8])
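Review bot: Style point on the new comment above NO_PROTOCOL_CHOSEN: it writes the value as "0XFFFF" while the define uses 0xffff, and the sentence has no closing full stop. Use the same lowercase spelling in both so a search for the literal finds the comment and the macro together.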
@@ -748,7 +755,7 @@ void reply_negprot(struct smb_request *req)
 
 		DBG_NOTICE("No protocol supported !\n");
 		reply_outbuf(req, 1, 0);
-		SSVAL(req->outbuf, smb_vwv0, choice);
+		SSVAL(req->outbuf, smb_vwv0, NO_PROTOCOL_CHOSEN);
 
 		ok = srv_send_smb(xconn, (char *)req->outbuf,
 				  false, 0, false, NULL);
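Review bot: The SSVAL(req->outbuf, smb_vwv0, ...) line in reply_negprot() regressed once already through an unrelated type cleanup, according to the commit message, and the summary of changes lists no test file in this changeset. Add a regression test that sends a negprot request containing no dialect the server supports and asserts the response carries DialectIndex 0xffff, so a later refactor cannot silently return a valid index again.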


-- 
Samba Shared Repository


