[SCM] Samba Shared Repository - branch master updated

Andreas Schneider asn at samba.org
Wed Aug 19 17:47:02 UTC 2020


The branch, master has been updated
       via  7e3ceaec449 python:tests: Add test for SMB encrypted DCERPC connection
       via  81052e41da8 s4:libcli: Require signing for SMB encryption
       via  d546dd1e5b8 s4:libcli: Add smb2_connect_enc_start()
       via  6454ed761ad s3:libcli: Split out smb2_connect_tcon_start()
       via  7387c1da31c s4:libcli: Return if encryption is requested for SMB1
       via  e2287011f4b s4:libcli: Return NTSTATUS errors for smb_composite_connect_send()
       via  dd1cacb6a28 s3:libsmb: Make cli_cm_force_encryption_creds() static
       via  d7c3d86f017 examples: Remove obsolete force encryption from smb2mount
       via  29504508041 s3:rpcclient: Remove obsolete force encryption from rpcclient
       via  2bf58f182b1 s3:utils: Remove obsolete force encryption from smbcquotas
       via  85e2660b94c s3:utils: Remove obsolete force encryption from mdfind
       via  0d0a3bbc83a s3:utils: Remove obsolete force encryption from smbacls
       via  5698fb41bb4 s3:client: Remove unused smb encryption code
       via  d0062d312cb s3:libsmb: Use cli_credentials_set_smb_encryption()
       via  1acc6408be1 s3:net: Use cli_credentials_set_smb_encryption()
       via  5bff7a061f6 python: Add a test for SMB encryption
       via  8a5bc0a6a18 s3:libsmb: Add encryption support to cli_full_connection_creds*()
       via  ba04151a01b s3:libsmb: Remove signing_state from cli_full_connection_creds()
       via  886f245ace9 s3:libsmb: Remove signing_state from cli_full_connection_creds_send()
       via  6f552204d46 s3:client: Turn off smb signing for message op
       via  62a4705dbcf s3:libsmb: Use 'enum smb_signing_setting' in cliconnect.c
       via  67323b1ffaa python:tests: Set smb ipc signing via the creds API
       via  1a74c790bfe python:tests: Mark libsmb connection as an IPC connection
       via  8c06dc13651 s3:pylibsmb: Add ipc=True support for CLI_FULL_CONNECTION_IPC
       via  c58a301c273 s3:libsmb: Introduce CLI_FULL_CONNECTION_IPC
       via  946e43f0ccf python: Set smb signing via the creds API
       via  d55950b8408 python: Remove unused sign argument from smb_connection()
       via  34a81eca0da s3:lib: Set smb encryption also via cli creds API
       via  be9e60efad9 s3:lib: Use cli_credential_(get|set)_smb_signing()
       via  0188885a499 auth:creds: Bump library version
       via  84f1e4683e6 auth:creds: Add python bindings for cli_credentials_set_conf()
       via  66c9c68badf auth:creds: Add python bindings for (get|set)_smb_encryption
       via  836c5e01e65 auth:creds: Add cli_credentials_(get|set)_smb_encryption()
       via  ef12caea073 auth:creds: Add python bindings for (get|set)_smb_ipc_signing
       via  71d65278e16 auth:creds: Add cli_credentials_(get|set)_smb_ipc_signing()
       via  098774b2441 auth:creds: Add python bindings for (get|set)_smb_signing
       via  58e0abc58f7 auth:creds: Add cli_credentials_(get|set)_smb_signing()
       via  59a1272a6c8 auth:creds: Remove unused credentials autoproto header
       via  b0ae876a6c8 s3:lib: Use smb_signing_setting_translate for cmdline parsing
       via  4bf8a667310 libcli:smb: Add smb_encryption_setting_translate()
       via  e524719010b libcli:smb: Add smb_signing_setting_translate()
       via  93e97d5afd3 lib:param: Add lpcfg_parse_enum_vals()
       via  5a733c3c1ba docs-xml: Add 'client smb encrypt'
       via  58e31f78745 s3:smbd: Use 'enum smb_encryption_setting' values
       via  f03bb8ad8a0 param: Create and use enum_smb_encryption_vals
       via  bd5a888746e param: Add 'server smb encrypt' parameter
       via  e9135035400 auth:creds: Introduce CRED_SMB_CONF
       via  46142d8398d libcli:smb2: Use talloc NULL context if we don't have a stackframe
       via  cf432bd4527 libcli:smb2: Do not leak ptext on error
      from  5de7c91e6d4 s3:smbd: Fix %U substitutions if it contains a domain name

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 7e3ceaec449a06e9646f5543a617b3b866a720aa
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Jul 7 14:27:07 2020 +0200

    python:tests: Add test for SMB encrypted DCERPC connection
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Wed Aug 19 17:46:28 UTC 2020 on sn-devel-184

commit 81052e41da82041cd32f3f7f3f20fd52ffb7e491
Author: Andreas Schneider <asn at samba.org>
Date:   Fri Jul 24 10:18:52 2020 +0200

    s4:libcli: Require signing for SMB encryption
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit d546dd1e5b8d2fccb1e8cd4d84ef2a6209e9c23c
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Jul 7 12:44:26 2020 +0200

    s4:libcli: Add smb2_connect_enc_start()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 6454ed761ad00198d51e4aca008a69a825189e38
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Jul 7 12:29:39 2020 +0200

    s3:libcli: Split out smb2_connect_tcon_start()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 7387c1da31c29c4da912328ebb18c7332ebd9dd1
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Jul 7 12:54:26 2020 +0200

    s4:libcli: Return if encryption is requested for SMB1
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit e2287011f4b654e085b9ddaa694b8ccdf8bfad30
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Aug 13 16:16:55 2020 +0200

    s4:libcli: Return NTSTATUS errors for smb_composite_connect_send()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit dd1cacb6a28233d0a00b376f6bdc2164a0656bb0
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Jul 6 11:05:59 2020 +0200

    s3:libsmb: Make cli_cm_force_encryption_creds() static
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit d7c3d86f017068d72c9fab3406453fdee4f516ec
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Jul 6 10:58:36 2020 +0200

    examples: Remove obsolete force encryption from smb2mount
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 29504508041c018a8601979085d04e7ed290a286
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Jun 10 12:51:18 2020 +0200

    s3:rpcclient: Remove obsolete force encryption from rpcclient
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 2bf58f182b1bfd39a5f549c5b539be58deddfe6b
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Jun 10 12:49:28 2020 +0200

    s3:utils: Remove obsolete force encryption from smbcquotas
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 85e2660b94cc066b7f0deeec2a72d4fddc3463e7
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Jun 10 12:48:18 2020 +0200

    s3:utils: Remove obsolete force encryption from mdfind
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 0d0a3bbc83a06e262b4ae16ba0e09eccda17a01f
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Jun 10 12:47:05 2020 +0200

    s3:utils: Remove obsolete force encryption from smbacls
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 5698fb41bb4c0aa14955fff81f903500b333eb4c
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Jun 10 12:43:33 2020 +0200

    s3:client: Remove unused smb encryption code
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit d0062d312cbbf80afd78143ca5c0be68f2d72b03
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Jun 10 12:40:13 2020 +0200

    s3:libsmb: Use cli_credentials_set_smb_encryption()
    
    This also adds a SMBC_ENCRYPTLEVEL_DEFAULT to 'enum
    smbc_smb_encrypt_level' in order to use the smb.conf default value.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 1acc6408be11bf1a161750bb510170dae3448849
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Jun 10 12:31:02 2020 +0200

    s3:net: Use cli_credentials_set_smb_encryption()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 5bff7a061f695d7a9a90414d4393833345a193bf
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Jun 10 11:26:00 2020 +0200

    python: Add a test for SMB encryption
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 8a5bc0a6a182d33fc4aee9d76c69aedd2b80ff65
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Jun 8 08:04:24 2020 +0200

    s3:libsmb: Add encryption support to cli_full_connection_creds*()
    
    Pair-Programmed-With: Andreas Schneider <asn at samba.org>
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit ba04151a01b31cd29ccc4133e0a8631297154a34
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Jun 4 14:59:14 2020 +0200

    s3:libsmb: Remove signing_state from cli_full_connection_creds()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 886f245ace9024d4ceb72f72c251e5e8d3904e0c
Author: Andreas Schneider <asn at samba.org>
Date:   Thu May 28 18:20:02 2020 +0200

    s3:libsmb: Remove signing_state from cli_full_connection_creds_send()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 6f552204d4614ad97310fb4ab81a06d21d4b9af7
Author: Andreas Schneider <asn at samba.org>
Date:   Thu May 28 18:11:31 2020 +0200

    s3:client: Turn off smb signing for message op
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 62a4705dbcff71b7885db18a0005b29ecf8a2c03
Author: Andreas Schneider <asn at samba.org>
Date:   Thu May 28 17:59:19 2020 +0200

    s3:libsmb: Use 'enum smb_signing_setting' in cliconnect.c
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 67323b1ffaa019150691bcb4d859c32cd5a36cf1
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Aug 17 12:52:39 2020 +0200

    python:tests: Set smb ipc signing via the creds API
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 1a74c790bfe00d6ea1bdc02c52436f60f46ef32d
Author: Andreas Schneider <asn at samba.org>
Date:   Fri Jul 24 09:47:11 2020 +0200

    python:tests: Mark libsmb connection as an IPC connection
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 8c06dc1365125dea3dd78ba1eba7586cdc640dfb
Author: Andreas Schneider <asn at samba.org>
Date:   Thu May 28 17:29:25 2020 +0200

    s3:pylibsmb: Add ipc=True support for CLI_FULL_CONNECTION_IPC
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit c58a301c273c24531e798cd7c1b2af9be1364af9
Author: Andreas Schneider <asn at samba.org>
Date:   Thu May 28 17:22:12 2020 +0200

    s3:libsmb: Introduce CLI_FULL_CONNECTION_IPC
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 946e43f0ccf3bc39d65d9b096f0a40fb12726ebb
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Jun 3 14:02:37 2020 +0200

    python: Set smb signing via the creds API
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit d55950b8408acf48a4a0761b906ac4e2a596b2cc
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Aug 13 10:40:23 2020 +0200

    python: Remove unused sign argument from smb_connection()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 34a81eca0da3d572992954fdbc12d97837ffd03b
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Jun 10 12:45:34 2020 +0200

    s3:lib: Set smb encryption also via cli creds API
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit be9e60efad95b96b64e5ec2db927e0f92a941437
Author: Andreas Schneider <asn at samba.org>
Date:   Wed May 27 11:10:30 2020 +0200

    s3:lib: Use cli_credential_(get|set)_smb_signing()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 0188885a4995198a4b573a7cbde736827f496846
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Jul 23 08:14:23 2020 +0200

    auth:creds: Bump library version
    
    We added new functions so bump the version.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 84f1e4683e602954b0c259c81bee45926d1d5e3e
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Jun 4 11:19:53 2020 +0200

    auth:creds: Add python bindings for cli_credentials_set_conf()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 66c9c68badff8e5957960c489b0139359ab6d550
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Jun 3 12:38:30 2020 +0200

    auth:creds: Add python bindings for (get|set)_smb_encryption
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 836c5e01e653549b8aada13b9ef8c44d79c3411a
Author: Andreas Schneider <asn at samba.org>
Date:   Thu May 28 16:10:52 2020 +0200

    auth:creds: Add cli_credentials_(get|set)_smb_encryption()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit ef12caea07350e83676ab863c02620bf054607a5
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Jun 3 12:32:46 2020 +0200

    auth:creds: Add python bindings for (get|set)_smb_ipc_signing
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 71d65278e1644628f9419008ed47bb475ff07b55
Author: Andreas Schneider <asn at samba.org>
Date:   Thu May 28 16:31:35 2020 +0200

    auth:creds: Add cli_credentials_(get|set)_smb_ipc_signing()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 098774b2441679ef77d5eb29d638d07f7987c7c3
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Jun 3 11:56:01 2020 +0200

    auth:creds: Add python bindings for (get|set)_smb_signing
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 58e0abc58f77fdfc8cee3616eac44ed6c0c0523f
Author: Andreas Schneider <asn at samba.org>
Date:   Tue May 26 09:32:44 2020 +0200

    auth:creds: Add cli_credentials_(get|set)_smb_signing()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 59a1272a6c8f53ebfa1749ba26edfd40a11b6383
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Jul 23 07:47:18 2020 +0200

    auth:creds: Remove unused credentials autoproto header
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit b0ae876a6c8733441a9ea806458eadfb3d695a78
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Oct 9 09:47:59 2019 +0200

    s3:lib: Use smb_signing_setting_translate for cmdline parsing
    
    The function will be removed soon.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 4bf8a667310d74561a0535655ece8745d19d1864
Author: Andreas Schneider <asn at samba.org>
Date:   Tue May 26 08:39:34 2020 +0200

    libcli:smb: Add smb_encryption_setting_translate()
    
    Add encryption enum and function to avoid confusion when reading the
    code.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit e524719010bf69e85681295358aeec6844c0748f
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Oct 9 09:38:08 2019 +0200

    libcli:smb: Add smb_signing_setting_translate()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 93e97d5afd309a8acf8217381f14f3dde4456a06
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Jul 22 17:48:25 2020 +0200

    lib:param: Add lpcfg_parse_enum_vals()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 5a733c3c1ba7bb7ca7770bd0edb648b461f03cd9
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Apr 9 10:38:41 2020 +0200

    docs-xml: Add 'client smb encrypt'
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 58e31f78745906e8657d5ebd97c6f8f389911a62
Author: Andreas Schneider <asn at samba.org>
Date:   Tue May 26 09:34:54 2020 +0200

    s3:smbd: Use 'enum smb_encryption_setting' values
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit f03bb8ad8a0f7238492542a2b2d8f196a79bc161
Author: Andreas Schneider <asn at samba.org>
Date:   Thu May 28 10:04:19 2020 +0200

    param: Create and use enum_smb_encryption_vals
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit bd5a888746e15eff0a3f24e2a3e8e853fab0993b
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Oct 10 14:18:23 2019 +0200

    param: Add 'server smb encrypt' parameter
    
    And this also makes 'smb encrypt' a synonym of that.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit e9135035400494ed198e2a1964463c42db7a00c2
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 6 17:37:45 2019 +0100

    auth:creds: Introduce CRED_SMB_CONF
    
    We have several places where we check '> CRED_UNINITIALISED',
    so we better don't use CRED_UNINITIALISED for values from
    our smb.conf.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 46142d8398dac98046866ab06ff3185f4311ab8d
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Jul 13 17:23:37 2020 +0200

    libcli:smb2: Use talloc NULL context if we don't have a stackframe
    
    If we execute this code from python we don't have a talloc stackframe
    around and segfault with talloc_tos().
    
    To fix the crash we use the NULL context as we take care for freeing the
    memory as soon as possible.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit cf432bd4527a1605e48783c54c01b0ff518ba371
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Jul 13 16:15:03 2020 +0200

    libcli:smb2: Do not leak ptext on error
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 auth/credentials/credentials.c                     | 147 ++++++++++++-
 auth/credentials/credentials.h                     |  21 ++
 auth/credentials/credentials_internal.h            |  10 +
 auth/credentials/credentials_krb5.c                |   1 -
 auth/credentials/credentials_secrets.c             |   1 -
 auth/credentials/pycredentials.c                   | 223 +++++++++++++++++++
 auth/credentials/wscript_build                     |   3 +-
 docs-xml/smbdotconf/security/clientsmbencrypt.xml  | 126 +++++++++++
 .../{smbencrypt.xml => serversmbencrypt.xml}       |  35 ++-
 docs-xml/smbdotconf/security/smbencrypt.xml        | 241 +--------------------
 examples/fuse/smb2mount.c                          |  14 +-
 examples/winexe/winexe.c                           |   4 +-
 lib/param/loadparm.c                               |  34 +++
 lib/param/loadparm.h                               |   2 +
 lib/param/param_table.c                            |  23 ++
 libcli/smb/smb2_signing.c                          |  31 ++-
 libcli/smb/smb_constants.h                         |   9 +
 libcli/smb/smb_util.h                              |   8 +
 libcli/smb/test_util_translate.c                   |  83 +++++++
 libcli/smb/util.c                                  |  40 ++++
 libcli/smb/wscript                                 |   5 +
 python/samba/gpclass.py                            |   9 +-
 python/samba/netcmd/domain_backup.py               |  10 +-
 python/samba/netcmd/gpo.py                         |  15 +-
 python/samba/tests/credentials.py                  |  55 ++++-
 python/samba/tests/dcerpc/binding.py               |  82 +++++++
 python/samba/tests/dcerpc/raw_testcase.py          |   6 +-
 python/samba/tests/libsmb.py                       |  37 ++++
 selftest/tests.py                                  |   3 +
 source3/client/client.c                            |   5 +-
 source3/client/smbspool.c                          |  10 -
 source3/include/client.h                           |   1 +
 source3/include/libsmbclient.h                     |   1 +
 source3/lib/util_cmdline.c                         |  36 ++-
 source3/libnet/libnet_join.c                       |  13 +-
 .../{smbclient-0.6.0.sigs => smbclient-0.7.0.sigs} |   0
 source3/libsmb/cliconnect.c                        | 196 ++++++++++++++++-
 source3/libsmb/clidfs.c                            |   6 +-
 source3/libsmb/libsmb_context.c                    |   4 +-
 source3/libsmb/libsmb_server.c                     |  80 ++-----
 source3/libsmb/proto.h                             |  14 +-
 source3/libsmb/pylibsmb.c                          |  24 +-
 source3/libsmb/wscript                             |   2 +-
 source3/param/loadparm.c                           |   4 +-
 source3/rpc_server/spoolss/srv_spoolss_nt.c        |   3 +-
 source3/rpcclient/cmd_spoolss.c                    |   5 +-
 source3/rpcclient/rpcclient.c                      |  16 +-
 source3/smbd/service.c                             |  10 +-
 source3/smbd/smb2_negprot.c                        |   2 +-
 source3/smbd/smb2_sesssetup.c                      |   4 +-
 source3/smbd/smb2_tcon.c                           |   4 +-
 source3/smbd/trans2.c                              |   3 +-
 source3/torture/locktest2.c                        |  11 +-
 source3/torture/torture.c                          |   6 +-
 source3/utils/mdfind.c                             |  12 +-
 source3/utils/net_ads.c                            |   4 +-
 source3/utils/net_util.c                           |  27 +--
 source3/utils/netlookup.c                          |   3 +-
 source3/utils/smbcacls.c                           |  13 +-
 source3/utils/smbcquotas.c                         |  15 +-
 source3/wscript_build                              |   2 +-
 source4/auth/kerberos/kerberos_util.c              |   1 -
 source4/auth/tests/kerberos.c                      |   1 -
 source4/libcli/smb2/connect.c                      |  60 ++++-
 source4/libcli/smb_composite/connect.c             |  40 +++-
 source4/libcli/smb_composite/sesssetup.c           |   7 +
 66 files changed, 1395 insertions(+), 528 deletions(-)
 create mode 100644 docs-xml/smbdotconf/security/clientsmbencrypt.xml
 copy docs-xml/smbdotconf/security/{smbencrypt.xml => serversmbencrypt.xml} (88%)
 create mode 100644 libcli/smb/test_util_translate.c
 create mode 100644 python/samba/tests/dcerpc/binding.py
 copy source3/libsmb/ABI/{smbclient-0.6.0.sigs => smbclient-0.7.0.sigs} (100%)


Changeset truncated at 500 lines:

diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index 81f9dbb9eb3..9168b92d3ec 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -44,6 +44,15 @@ _PUBLIC_ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
 
 	cred->winbind_separator = '\\';
 
+	cred->signing_state = SMB_SIGNING_DEFAULT;
+
+	/*
+	 * The default value of lpcfg_client_ipc_signing() is REQUIRED, so use
+	 * the same value here.
+	 */
+	cred->ipc_signing_state = SMB_SIGNING_REQUIRED;
+	cred->encryption_state = SMB_ENCRYPTION_DEFAULT;
+
 	return cred;
 }
 
@@ -902,12 +911,12 @@ _PUBLIC_ void cli_credentials_set_conf(struct cli_credentials *cred,
 	if (lpcfg_parm_is_cmdline(lp_ctx, "workgroup")) {
 		cli_credentials_set_domain(cred, lpcfg_workgroup(lp_ctx), CRED_SPECIFIED);
 	} else {
-		cli_credentials_set_domain(cred, lpcfg_workgroup(lp_ctx), CRED_UNINITIALISED);
+		cli_credentials_set_domain(cred, lpcfg_workgroup(lp_ctx), CRED_SMB_CONF);
 	}
 	if (lpcfg_parm_is_cmdline(lp_ctx, "netbios name")) {
 		cli_credentials_set_workstation(cred, lpcfg_netbios_name(lp_ctx), CRED_SPECIFIED);
 	} else {
-		cli_credentials_set_workstation(cred, lpcfg_netbios_name(lp_ctx), CRED_UNINITIALISED);
+		cli_credentials_set_workstation(cred, lpcfg_netbios_name(lp_ctx), CRED_SMB_CONF);
 	}
 	if (realm != NULL && strlen(realm) == 0) {
 		realm = NULL;
@@ -915,13 +924,31 @@ _PUBLIC_ void cli_credentials_set_conf(struct cli_credentials *cred,
 	if (lpcfg_parm_is_cmdline(lp_ctx, "realm")) {
 		cli_credentials_set_realm(cred, realm, CRED_SPECIFIED);
 	} else {
-		cli_credentials_set_realm(cred, realm, CRED_UNINITIALISED);
+		cli_credentials_set_realm(cred, realm, CRED_SMB_CONF);
 	}
 
 	sep = lpcfg_winbind_separator(lp_ctx);
 	if (sep != NULL && sep[0] != '\0') {
 		cred->winbind_separator = *lpcfg_winbind_separator(lp_ctx);
 	}
+
+	if (cred->signing_state_obtained <= CRED_SMB_CONF) {
+		/* Will be set to default for invalid smb.conf values */
+		cred->signing_state = lpcfg_client_signing(lp_ctx);
+		cred->signing_state_obtained = CRED_SMB_CONF;
+	}
+
+	if (cred->ipc_signing_state_obtained <= CRED_SMB_CONF) {
+		/* Will be set to required for invalid smb.conf values */
+		cred->ipc_signing_state = lpcfg_client_ipc_signing(lp_ctx);
+		cred->ipc_signing_state_obtained = CRED_SMB_CONF;
+	}
+
+	if (cred->encryption_state_obtained <= CRED_SMB_CONF) {
+		/* Will be set to default for invalid smb.conf values */
+		cred->encryption_state = lpcfg_client_smb_encrypt(lp_ctx);
+		cred->encryption_state_obtained = CRED_SMB_CONF;
+	}
 }
 
 /**
@@ -1304,6 +1331,120 @@ _PUBLIC_ bool cli_credentials_parse_password_fd(struct cli_credentials *credenti
 	return true;
 }
 
+/**
+ * @brief Set the SMB signing state to request for a SMB connection.
+ *
+ * @param[in]  creds          The credentials structure to update.
+ *
+ * @param[in]  signing_state  The signing state to set.
+ *
+ * @param obtained            This way the described signing state was specified.
+ *
+ * @return true if we could set the signing state, false otherwise.
+ */
+_PUBLIC_ bool cli_credentials_set_smb_signing(struct cli_credentials *creds,
+					      enum smb_signing_setting signing_state,
+					      enum credentials_obtained obtained)
+{
+	if (obtained >= creds->signing_state_obtained) {
+		creds->signing_state_obtained = obtained;
+		creds->signing_state = signing_state;
+		return true;
+	}
+
+	return false;
+}
+
+/**
+ * @brief Obtain the SMB signing state from a credentials structure.
+ *
+ * @param[in]  creds  The credential structure to obtain the SMB signing state
+ *                    from.
+ *
+ * @return The SMB singing state.
+ */
+_PUBLIC_ enum smb_signing_setting
+cli_credentials_get_smb_signing(struct cli_credentials *creds)
+{
+	return creds->signing_state;
+}
+
+/**
+ * @brief Set the SMB IPC signing state to request for a SMB connection.
+ *
+ * @param[in]  creds          The credentials structure to update.
+ *
+ * @param[in]  signing_state  The signing state to set.
+ *
+ * @param obtained            This way the described signing state was specified.
+ *
+ * @return true if we could set the signing state, false otherwise.
+ */
+_PUBLIC_ bool
+cli_credentials_set_smb_ipc_signing(struct cli_credentials *creds,
+				    enum smb_signing_setting ipc_signing_state,
+				    enum credentials_obtained obtained)
+{
+	if (obtained >= creds->ipc_signing_state_obtained) {
+		creds->ipc_signing_state_obtained = obtained;
+		creds->ipc_signing_state = ipc_signing_state;
+		return true;
+	}
+
+	return false;
+}
+
+/**
+ * @brief Obtain the SMB IPC signing state from a credentials structure.
+ *
+ * @param[in]  creds  The credential structure to obtain the SMB IPC signing
+ *                    state from.
+ *
+ * @return The SMB singing state.
+ */
+_PUBLIC_ enum smb_signing_setting
+cli_credentials_get_smb_ipc_signing(struct cli_credentials *creds)
+{
+	return creds->ipc_signing_state;
+}
+
+/**
+ * @brief Set the SMB encryption state to request for a SMB connection.
+ *
+ * @param[in]  creds  The credentials structure to update.
+ *
+ * @param[in]  encryption_state  The encryption state to set.
+ *
+ * @param obtained  This way the described encryption state was specified.
+ *
+ * @return true if we could set the encryption state, false otherwise.
+ */
+_PUBLIC_ bool cli_credentials_set_smb_encryption(struct cli_credentials *creds,
+						 enum smb_encryption_setting encryption_state,
+						 enum credentials_obtained obtained)
+{
+	if (obtained >= creds->encryption_state_obtained) {
+		creds->encryption_state_obtained = obtained;
+		creds->encryption_state = encryption_state;
+		return true;
+	}
+
+	return false;
+}
+
+/**
+ * @brief Obtain the SMB encryption state from a credentials structure.
+ *
+ * @param[in]  creds  The credential structure to obtain the SMB encryption state
+ *                    from.
+ *
+ * @return The SMB singing state.
+ */
+_PUBLIC_ enum smb_encryption_setting
+cli_credentials_get_smb_encryption(struct cli_credentials *creds)
+{
+	return creds->encryption_state;
+}
 
 /**
  * Encrypt a data blob using the session key and the negotiated encryption
diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
index c2a17fef445..1a3e611fee8 100644
--- a/auth/credentials/credentials.h
+++ b/auth/credentials/credentials.h
@@ -38,10 +38,13 @@ struct gssapi_creds_container;
 struct smb_krb5_context;
 struct keytab_container;
 struct db_context;
+enum smb_signing_setting;
+enum smb_encryption_setting;
 
 /* In order of priority */
 enum credentials_obtained { 
 	CRED_UNINITIALISED = 0,  /* We don't even have a guess yet */
+	CRED_SMB_CONF,           /* Current value should be used, which comes from smb.conf */
 	CRED_CALLBACK, 		 /* Callback should be used to obtain value */
 	CRED_GUESS_ENV,	         /* Current value should be used, which was guessed */
 	CRED_GUESS_FILE,	 /* A guess from a file (or file pointed at in env variable) */
@@ -289,6 +292,24 @@ void *_cli_credentials_callback_data(struct cli_credentials *cred);
 #define cli_credentials_callback_data_void(_cred) \
 	_cli_credentials_callback_data(_cred)
 
+bool cli_credentials_set_smb_signing(struct cli_credentials *cred,
+				     enum smb_signing_setting signing_state,
+				     enum credentials_obtained obtained);
+enum smb_signing_setting
+cli_credentials_get_smb_signing(struct cli_credentials *cred);
+
+bool cli_credentials_set_smb_ipc_signing(struct cli_credentials *cred,
+					 enum smb_signing_setting ipc_signing_state,
+					 enum credentials_obtained obtained);
+enum smb_signing_setting
+cli_credentials_get_smb_ipc_signing(struct cli_credentials *cred);
+
+bool cli_credentials_set_smb_encryption(struct cli_credentials *cred,
+					enum smb_encryption_setting encryption_state,
+					enum credentials_obtained obtained);
+enum smb_encryption_setting
+cli_credentials_get_smb_encryption(struct cli_credentials *cred);
+
 /**
  * Return attached NETLOGON credentials 
  */
diff --git a/auth/credentials/credentials_internal.h b/auth/credentials/credentials_internal.h
index 68f1f25dce1..3b86b742448 100644
--- a/auth/credentials/credentials_internal.h
+++ b/auth/credentials/credentials_internal.h
@@ -24,6 +24,7 @@
 
 #include "../lib/util/data_blob.h"
 #include "librpc/gen_ndr/misc.h"
+#include "libcli/smb/smb_constants.h"
 
 struct cli_credentials {
 	enum credentials_obtained workstation_obtained;
@@ -36,6 +37,9 @@ struct cli_credentials {
 	enum credentials_obtained principal_obtained;
 	enum credentials_obtained keytab_obtained;
 	enum credentials_obtained server_gss_creds_obtained;
+	enum credentials_obtained signing_state_obtained;
+	enum credentials_obtained ipc_signing_state_obtained;
+	enum credentials_obtained encryption_state_obtained;
 
 	/* Threshold values (essentially a MAX() over a number of the
 	 * above) for the ccache and GSS credentials, to ensure we
@@ -117,6 +121,12 @@ struct cli_credentials {
 	char winbind_separator;
 
 	bool password_will_be_nt_hash;
+
+	enum smb_signing_setting signing_state;
+
+	enum smb_signing_setting ipc_signing_state;
+
+	enum smb_encryption_setting encryption_state;
 };
 
 #endif /* __CREDENTIALS_INTERNAL_H__ */
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index 20e677e521a..259b35b73b0 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -27,7 +27,6 @@
 #include "auth/kerberos/kerberos.h"
 #include "auth/credentials/credentials.h"
 #include "auth/credentials/credentials_internal.h"
-#include "auth/credentials/credentials_proto.h"
 #include "auth/credentials/credentials_krb5.h"
 #include "auth/kerberos/kerberos_credentials.h"
 #include "auth/kerberos/kerberos_srv_keytab.h"
diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c
index 54f3ce2d078..52a89d4d5b4 100644
--- a/auth/credentials/credentials_secrets.c
+++ b/auth/credentials/credentials_secrets.c
@@ -29,7 +29,6 @@
 #include "system/filesys.h"
 #include "auth/credentials/credentials.h"
 #include "auth/credentials/credentials_internal.h"
-#include "auth/credentials/credentials_proto.h"
 #include "auth/credentials/credentials_krb5.h"
 #include "auth/kerberos/kerberos_util.h"
 #include "param/param.h"
diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c
index a5d0f9e051c..17c90573f09 100644
--- a/auth/credentials/pycredentials.c
+++ b/auth/credentials/pycredentials.c
@@ -34,6 +34,7 @@
 #include "auth/credentials/credentials_internal.h"
 #include "system/kerberos.h"
 #include "auth/kerberos/kerberos.h"
+#include "libcli/smb/smb_constants.h"
 
 void initcredentials(void);
 
@@ -620,6 +621,42 @@ static PyObject *py_creds_set_forced_sasl_mech(PyObject *self, PyObject *args)
 	Py_RETURN_NONE;
 }
 
+static PyObject *py_creds_set_conf(PyObject *self, PyObject *args)
+{
+	PyObject *py_lp_ctx = Py_None;
+	struct loadparm_context *lp_ctx;
+	TALLOC_CTX *mem_ctx;
+	struct cli_credentials *creds;
+
+	creds = PyCredentials_AsCliCredentials(self);
+	if (creds == NULL) {
+		PyErr_Format(PyExc_TypeError, "Credentials expected");
+		return NULL;
+	}
+
+	if (!PyArg_ParseTuple(args, "|O", &py_lp_ctx)) {
+		return NULL;
+	}
+
+	mem_ctx = talloc_new(NULL);
+	if (mem_ctx == NULL) {
+		PyErr_NoMemory();
+		return NULL;
+	}
+
+	lp_ctx = lpcfg_from_py_object(mem_ctx, py_lp_ctx);
+	if (lp_ctx == NULL) {
+		talloc_free(mem_ctx);
+		return NULL;
+	}
+
+	cli_credentials_set_conf(creds, lp_ctx);
+
+	talloc_free(mem_ctx);
+
+	Py_RETURN_NONE;
+}
+
 static PyObject *py_creds_guess(PyObject *self, PyObject *args)
 {
 	PyObject *py_lp_ctx = Py_None;
@@ -929,6 +966,144 @@ static PyObject *py_creds_encrypt_netr_crypt_password(PyObject *self,
 	Py_RETURN_NONE;
 }
 
+static PyObject *py_creds_get_smb_signing(PyObject *self, PyObject *unused)
+{
+	enum smb_signing_setting signing_state;
+	struct cli_credentials *creds = NULL;
+
+	creds = PyCredentials_AsCliCredentials(self);
+	if (creds == NULL) {
+		PyErr_Format(PyExc_TypeError, "Credentials expected");
+		return NULL;
+	}
+
+	signing_state = cli_credentials_get_smb_signing(creds);
+	return PyLong_FromLong(signing_state);
+}
+
+static PyObject *py_creds_set_smb_signing(PyObject *self, PyObject *args)
+{
+	enum smb_signing_setting signing_state;
+	struct cli_credentials *creds = NULL;
+	enum credentials_obtained obt = CRED_SPECIFIED;
+
+	creds = PyCredentials_AsCliCredentials(self);
+	if (creds == NULL) {
+		PyErr_Format(PyExc_TypeError, "Credentials expected");
+		return NULL;
+	}
+	if (!PyArg_ParseTuple(args, "i|i", &signing_state, &obt)) {
+		return NULL;
+	}
+
+	switch (signing_state) {
+	case SMB_SIGNING_DEFAULT:
+	case SMB_SIGNING_OFF:
+	case SMB_SIGNING_IF_REQUIRED:
+	case SMB_SIGNING_DESIRED:
+	case SMB_SIGNING_REQUIRED:
+		break;
+	default:
+		PyErr_Format(PyExc_TypeError, "Invalid signing state value");
+		return NULL;
+	}
+
+	cli_credentials_set_smb_signing(creds, signing_state, obt);
+	Py_RETURN_NONE;
+}
+
+static PyObject *py_creds_get_smb_ipc_signing(PyObject *self, PyObject *unused)
+{
+	enum smb_signing_setting signing_state;
+	struct cli_credentials *creds = NULL;
+
+	creds = PyCredentials_AsCliCredentials(self);
+	if (creds == NULL) {
+		PyErr_Format(PyExc_TypeError, "Credentials expected");
+		return NULL;
+	}
+
+	signing_state = cli_credentials_get_smb_ipc_signing(creds);
+	return PyLong_FromLong(signing_state);
+}
+
+static PyObject *py_creds_set_smb_ipc_signing(PyObject *self, PyObject *args)
+{
+	enum smb_signing_setting signing_state;
+	struct cli_credentials *creds = NULL;
+	enum credentials_obtained obt = CRED_SPECIFIED;
+
+	creds = PyCredentials_AsCliCredentials(self);
+	if (creds == NULL) {
+		PyErr_Format(PyExc_TypeError, "Credentials expected");
+		return NULL;
+	}
+	if (!PyArg_ParseTuple(args, "i|i", &signing_state, &obt)) {
+		return NULL;
+	}
+
+	switch (signing_state) {
+	case SMB_SIGNING_DEFAULT:
+	case SMB_SIGNING_OFF:
+	case SMB_SIGNING_IF_REQUIRED:
+	case SMB_SIGNING_DESIRED:
+	case SMB_SIGNING_REQUIRED:
+		break;
+	default:
+		PyErr_Format(PyExc_TypeError, "Invalid signing state value");
+		return NULL;
+	}
+
+	cli_credentials_set_smb_ipc_signing(creds, signing_state, obt);
+	Py_RETURN_NONE;
+}
+
+static PyObject *py_creds_get_smb_encryption(PyObject *self, PyObject *unused)
+{
+	enum smb_encryption_setting encryption_state;
+	struct cli_credentials *creds = NULL;
+
+	creds = PyCredentials_AsCliCredentials(self);
+	if (creds == NULL) {
+		PyErr_Format(PyExc_TypeError, "Credentials expected");
+		return NULL;
+	}
+
+	encryption_state = cli_credentials_get_smb_encryption(creds);
+	return PyLong_FromLong(encryption_state);
+}
+
+static PyObject *py_creds_set_smb_encryption(PyObject *self, PyObject *args)
+{
+	enum smb_encryption_setting encryption_state;
+	struct cli_credentials *creds = NULL;
+	enum credentials_obtained obt = CRED_SPECIFIED;
+
+	creds = PyCredentials_AsCliCredentials(self);
+	if (creds == NULL) {
+		PyErr_Format(PyExc_TypeError, "Credentials expected");
+		return NULL;
+	}
+	if (!PyArg_ParseTuple(args, "i|i", &encryption_state, &obt)) {
+		return NULL;
+	}
+
+	switch (encryption_state) {
+	case SMB_ENCRYPTION_DEFAULT:
+	case SMB_ENCRYPTION_OFF:
+	case SMB_ENCRYPTION_IF_REQUIRED:
+	case SMB_ENCRYPTION_DESIRED:
+	case SMB_ENCRYPTION_REQUIRED:
+		break;
+	default:
+		PyErr_Format(PyExc_TypeError, "Invalid encryption state value");
+		return NULL;
+	}
+
+	cli_credentials_set_smb_encryption(creds, encryption_state, obt);
+	Py_RETURN_NONE;
+}
+
 static PyMethodDef py_creds_methods[] = {
 	{
 		.ml_name  = "get_username",
@@ -1140,6 +1315,11 @@ static PyMethodDef py_creds_methods[] = {
 		.ml_meth  = py_creds_set_krb_forwardable,
 		.ml_flags = METH_VARARGS,
 	},
+	{
+		.ml_name  = "set_conf",
+		.ml_meth  = py_creds_set_conf,
+		.ml_flags = METH_VARARGS,
+	},


-- 
Samba Shared Repository



More information about the samba-cvs mailing list