smbclient and negotiating encryption support when smb encryption is mandatory
jra at samba.org
Wed May 11 03:31:54 MDT 2011
On Wed, May 11, 2011 at 03:05:05AM -0500, Steve French wrote:
> On Wed, May 11, 2011 at 12:52 AM, Jeremy Allison <jra at samba.org> wrote:
> > On Tue, May 10, 2011 at 06:10:01PM -0500, Steve French wrote:
> >> Connecting to Samba 3.6 with smbclient to test per-share encryption, I
> >> noticed that smbclient worked when I specified "-e" (and does send the
> >> required query fs unix info and set fs calls). I don't see those
> >> calls when -e is not specified in smbclient (so the server closes the
> >> session after the first SMB echo is sent, presumably because it is not
> >> encrypted) and if a querypathinfo is sent first it gets access denied.
> >> Why would smbclient only negotiate unix extensions when "-e" is
> >> specified - how else would it know that "smb encryption" is mandatory?
> >> I have "smb encryption = mandatory" under the definition for the share
> >> in smb.conf
> > That's to be expected. The -e specifies "use encryption". There
> > is no way to know the server has a share set as "smb encryption = mandatory"
> > other than that connections without encryption will fail.
> > This has to be a client-set parameter. You have to know you're
> > connecting to an encrypted share.
> Why? Query fs unix info reports capabilities (including locking and
> acl support) and whether encryption is mandatory or optional or not
> supported on the share:
> #define CIFS_UNIX_TRANSPORT_ENCRYPTION_CAP 0x00000100 /* can do SPNEGO crypt */
> #define CIFS_UNIX_TRANSPORT_ENCRYPTION_MANDATORY_CAP 0x00000200 /* must do */
Err - yeah, you're right. We do actually set:
CIFS_UNIX_TRANSPORT_ENCRYPTION_MANDATORY_CAP on the SMB_QUERY_CIFS_UNIX_INFO:
reply when it's mandatory encryption, so the client can tell.
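
Added example (not part of the original message, and not Samba or cifs source): a C example of how a client could read the capability field of the SMB_QUERY_CIFS_UNIX_INFO reply and decide whether it has to encrypt without being told via "-e". The two bit values are the ones quoted above; the 12-byte reply layout (u16 major, u16 minor, u64 capability, little-endian), the helper names, the sample bytes and the fail-closed policy are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Capability bits as quoted in the thread. */
#define CIFS_UNIX_TRANSPORT_ENCRYPTION_CAP           0x00000100 /* can do SPNEGO crypt */
#define CIFS_UNIX_TRANSPORT_ENCRYPTION_MANDATORY_CAP 0x00000200 /* must do */
/* Assumed reply data: u16 major, u16 minor, u64 capability, little-endian. */
#define UNIX_INFO_LEN 12

enum enc_policy { ENC_PARSE_ERROR = -1, ENC_UNSUPPORTED, ENC_OPTIONAL, ENC_MANDATORY };

/* Constructed sample reply: version 1.0, capability 0x37b (both encryption bits set). */
const uint8_t sample_reply[UNIX_INFO_LEN] = { 1, 0, 0, 0, 0x7b, 0x03, 0, 0, 0, 0, 0, 0 };

/* Hypothetical helper: classify the share's encryption policy from the reply data. */
enum enc_policy share_enc_policy(const uint8_t *buf, size_t len)
{
    uint64_t caps = 0;

    if (buf == NULL || len < UNIX_INFO_LEN)
        return ENC_PARSE_ERROR;          /* truncated reply: do not guess */
    for (int i = 7; i >= 0; i--)         /* capability starts at offset 4 */
        caps = (caps << 8) | buf[4 + i];
    if (caps & CIFS_UNIX_TRANSPORT_ENCRYPTION_MANDATORY_CAP)
        return ENC_MANDATORY;            /* honoured even if the "can do" bit is clear */
    if (caps & CIFS_UNIX_TRANSPORT_ENCRYPTION_CAP)
        return ENC_OPTIONAL;
    return ENC_UNSUPPORTED;
}

/* Hypothetical helper: 1 = negotiate encryption first, 0 = continue in clear, -1 = abort. */
int must_encrypt(enum enc_policy p, int user_requested)
{
    switch (p) {
    case ENC_MANDATORY:   return 1;                        /* server told us; no -e needed */
    case ENC_OPTIONAL:    return user_requested ? 1 : 0;
    case ENC_UNSUPPORTED: return user_requested ? -1 : 0;  /* never silently drop a requested -e */
    default:              return -1;                       /* unparsable reply: fail closed */
    }
}

int main(void)
{
    enum enc_policy p = share_enc_policy(sample_reply, sizeof sample_reply);
    printf("policy=%d must_encrypt=%d\n", p, must_encrypt(p, 0));
    return 0;
}
```
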