[PATCH] lib/param: Consolidate code to enable smb signing on the server, always enable on AD DC

Andrew Bartlett abartlet at samba.org
Mon Apr 14 17:37:32 MDT 2014


On Mon, 2014-04-14 at 19:05 +0200, Stefan (metze) Metzmacher wrote:
> Hi Andrew,
> 
> >>> I'm wondering if this is the kind of change we can make during the 4.0
> >>> and 4.1 series?  It would be good to be able to rely on SMB signing
> >>> against AD DC servers, but unless we apply this patch Samba 4.0 and 4.1
> >>> will be exceptions to that unless SMB2 is used. 
> >>
> >> smbd should support FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED.
> >> So what is the actual problem here?
> > 
> > The default 'server signing' is disabled, so the client can't sign even
> > if it wants to. 
> 
> I don't believe this is true, with modern servers.
> 
> If the client sends FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED in the
> session setup request,
> the server should detect this and enable signing for the session.
> 
> This was introduced in Windows (after 2000) and Samba 4.0.
> 
> See commit abb24bf8e874d525382e994af7ae432212775153.
> 
> So do you really see failures, if so please provide captures and log
> files:-)

I'll do one better - this reproduces it in 'make testenv' on Samba 4.1.
The patch simply makes our testenv match our real-world defaults, and
then I just ran:

SELFTEST_TESTENV=plugin_s4_dc make testenv

abartlet at ruth:/data/samba/git/samba4.1$ bin/testparm -s st/plugin_s4_dc/etc/smb.conf -v | grep sign
Load smb config files from st/plugin_s4_dc/etc/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[tmp]"
Processing section "[xcopy_share]"
Processing section "[posix_share]"
Processing section "[test1]"
Processing section "[test2]"
Processing section "[cifs]"
WARNING: No path in service cifs - making it unavailable!
NOTE: Service cifs is flagged unavailable.
Processing section "[simple]"
Processing section "[sysvol]"
Processing section "[netlogon]"
Processing section "[cifsposix]"
Processing section "[tmpenc]"
Processing section "[tmpcase]"
Processing section "[tmpguest]"
Processing section "[hideunread]"
Processing section "[durable]"
Processing section "[print$]"
Processing section "[print1]"
Processing section "[print2]"
Processing section "[print3]"
Processing section "[lp]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
        client signing = default
        server signing = default
        ntp signd socket directory = /data/samba/git/samba4.1/st/plugin_s4_dc/ntp_signd_socket
abartlet at ruth:/data/samba/git/samba4.1$ SOCKET_WRAPPER_PCAP_FILE=/tmp/sw bin/smbclient //$SERVER/tmp -U$USERNAME%$PASSWORD -S=required
resolve_name: unknown name switch type file
smb_signing_good: BAD SIG: seq 1
session setup failed: NT_STATUS_ACCESS_DENIED
abartlet at ruth:/data/samba/git/samba4.1$ 


I saw this and reproduced it this way when I first proposed this patch.

This means we need a way to turn on SMB2 for winbindd in order to secure
the RPC communication. 

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
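An added check that is not part of the thread or of Samba: it turns the testparm grep shown above into a pass/fail audit of the effective 'server signing' value, so a DC that would still accept unsigned sessions is flagged before a client hits the BAD SIG / NT_STATUS_ACCESS_DENIED path. The setting names are Samba's documented values for 'server signing'; the sample testparm lines are constructed from the output quoted above, and the reading of 'default' as behaving like disabled on a 4.0/4.1 AD DC is taken from this thread.

```shell
#!/bin/sh
# Added audit helper (not Samba's code, not from the thread): turn the
# "testparm -s <smb.conf> -v | grep sign" check into a pass/fail verdict.
# "server signing" takes Samba's documented values default, auto,
# mandatory or disabled; only "mandatory" guarantees that a client asking
# for required signing (smbclient -S=required) is never left unsigned.

# signing_verdict FILE  -> prints "<role> <setting> <verdict>"
# Returns 0 only when the server enforces signing for every session.
signing_verdict() {
    role=$(sed -n 's/^Server role: *//p' "$1" | head -n 1)
    setting=$(sed -n 's/^[[:space:]]*server signing[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    : "${setting:=default}"          # no line at all means the built-in default applies
    case "$setting" in
        mandatory) verdict=enforced ;;
        auto)      verdict=optional ;;    # signs only when the client asks for it
        disabled)  verdict=disabled ;;
        default)   verdict=unresolved ;;  # the thread shows this behaving as disabled on a 4.0/4.1 AD DC
        *)         verdict=unknown ;;
    esac
    printf '%s %s %s\n' "${role:-UNKNOWN_ROLE}" "$setting" "$verdict"
    [ "$verdict" = enforced ]
}

# Constructed sample: the relevant lines of the testparm output quoted above,
# once as captured (server signing = default) and once after the fix.
as_shipped=$(mktemp)
cat >"$as_shipped" <<'EOF'
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
        client signing = default
        server signing = default
EOF
hardened=$(mktemp)
cat >"$hardened" <<'EOF'
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
        client signing = default
        server signing = mandatory
EOF

for f in "$as_shipped" "$hardened"; do
    if signing_verdict "$f"; then
        echo "  ok: required signing will be honoured"
    else
        echo "  fail: set 'server signing = mandatory' in [global] and re-run testparm"
    fi
done
rm -f "$as_shipped" "$hardened"
```

On a live system, feed it the real output with `testparm -s /etc/samba/smb.conf -v 2>/dev/null > out.txt; signing_verdict out.txt`.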



-------------- next part --------------
A non-text attachment was scrubbed...
Name: sw
Type: application/vnd.tcpdump.pcap
Size: 16994 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20140415/e59ba707/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: undo-signing-override.patch
Type: text/x-patch
Size: 559 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20140415/e59ba707/attachment-0001.bin>