[PATCH] lib/param: Consolidate code to enable smb signing on the server, always enable on AD DC

Stefan (metze) Metzmacher metze at samba.org
Tue Apr 15 06:05:45 MDT 2014


Am 15.04.2014 01:37, schrieb Andrew Bartlett:
> On Mon, 2014-04-14 at 19:05 +0200, Stefan (metze) Metzmacher wrote:
>> Hi Andrew,
>>
>>>>> I'm wondering if this is the kind of change we can make during the 4.0
>>>>> and 4.1 series?  It would be good to be able to rely on SMB signing
>>>>> against AD DC servers, but unless we apply this patch Samba 4.0 and 4.1
>>>>> will be exceptions to that unless SMB2 is used. 
>>>>
>>>> smbd should support FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED.
>>>> So what is the actual problem here?
>>>
>>> The default 'server signing' is disabled, so the client can't sign even
>>> if it wants to. 
>>
>> I don't believe this is true, with modern servers.
>>
>> If the client sends FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED in the
>> session setup request,
>> the server should detect this and enable signing for the session.
>>
>> This was introduced in Windows (after 2000) and Samba 4.0.
>>
>> See commit abb24bf8e874d525382e994af7ae432212775153.
>>
>> So do you really see failures, if so please provide captures and log
>> files:-)
> 
> I'll do one better - this reproduces it in 'make testenv' on Samba 4.1.
> The patch simply makes our testenv match our real-world defaults, and
> then I just ran:
> 
> SELFTEST_TESTENV=plugin_s4_dc make testenv
> 
> abartlet at ruth:/data/samba/git/samba4.1$ bin/testparm -s st/plugin_s4_dc/etc/smb.conf -v | grep sign
> Load smb config files from st/plugin_s4_dc/etc/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[tmp]"
> Processing section "[xcopy_share]"
> Processing section "[posix_share]"
> Processing section "[test1]"
> Processing section "[test2]"
> Processing section "[cifs]"
> WARNING: No path in service cifs - making it unavailable!
> NOTE: Service cifs is flagged unavailable.
> Processing section "[simple]"
> Processing section "[sysvol]"
> Processing section "[netlogon]"
> Processing section "[cifsposix]"
> Processing section "[tmpenc]"
> Processing section "[tmpcase]"
> Processing section "[tmpguest]"
> Processing section "[hideunread]"
> Processing section "[durable]"
> Processing section "[print$]"
> Processing section "[print1]"
> Processing section "[print2]"
> Processing section "[print3]"
> Processing section "[lp]"
> Loaded services file OK.
> Server role: ROLE_ACTIVE_DIRECTORY_DC
>         client signing = default
>         server signing = default
>         ntp signd socket directory = /data/samba/git/samba4.1/st/plugin_s4_dc/ntp_signd_socket
> abartlet at ruth:/data/samba/git/samba4.1$ SOCKET_WRAPPER_PCAP_FILE=/tmp/sw bin/smbclient //$SERVER/tmp -U$USERNAME%$PASSWORD -S=required
> resolve_name: unknown name switch type file
> smb_signing_good: BAD SIG: seq 1
> session setup failed: NT_STATUS_ACCESS_DENIED
> abartlet at ruth:/data/samba/git/samba4.1$ 
> 
> 
> I saw this and reproduced it this way when I first proposed this patch.
> 
> This means we need a way to turn on SMB2 for winbindd in order to secure
> the RPC communication. 

The attached two patches let us behave like a Windows server.

In the capture I tested smbclient against a w2012r2 server with signing disabled, and it still works.

metze
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tmp.diff
Type: text/x-diff
Size: 3739 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20140415/b30bca03/attachment.diff>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smbclient-required-signing-against-w2012r2-disabled-signing-01.pcap.gz
Type: application/x-gzip
Size: 2389 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20140415/b30bca03/attachment.bin>
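As an added example (not code from this thread, nor from Samba or Windows), the decision the reply above describes, modelled in Python: parse the Flags2 field of an SMB1 SessionSetupAndX header, test the FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED bit, and combine it with a `server signing` setting and the server role. The Flags2 bit values and the 32-byte header layout follow MS-CIFS. The decision table itself is an assumption built from the thread's claims (a client that sets the REQUIRED bit gets a signed session even against a server whose signing is disabled, and an AD DC signs unconditionally, as the patch intends); the functions `session_is_signed` and `server_signing_effective`, the role strings and the accepted setting values are illustrative names and a subset, not Samba's lp_ functions or its full enum table. The request headers are constructed inline.

```python
"""Model of the SMB1 signing decision discussed in the thread (added example, not Samba code)."""
import struct

# SMB1 header Flags2 bits (MS-CIFS 2.2.3.1).
FLAGS2_SMB_SECURITY_SIGNATURES = 0x0004           # sender can sign / is signing
FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED = 0x0010  # sender requires signing
FLAGS2_UNICODE = 0x8000

SMB1_MAGIC = b"\xffSMB"
SMB_COM_SESSION_SETUP_ANDX = 0x73

# Protocol, Command, Status, Flags, Flags2, PIDHigh, SecurityFeatures,
# Reserved, TID, PIDLow, UID, MID: 32 bytes, little-endian (MS-CIFS 2.2.3.1).
HEADER_FMT = "<4sBIBHH8sHHHHH"
assert struct.calcsize(HEADER_FMT) == 32

AD_DC_ROLE = "active directory domain controller"   # illustrative role string


def build_smb1_header(command, flags2, mid=1):
    """Constructed SMB1 header; only Command and Flags2 matter for this model.
    Flags 0x18 = CASE_INSENSITIVE | CANONICALIZED_PATHS, the usual client value."""
    return struct.pack(HEADER_FMT, SMB1_MAGIC, command, 0, 0x18, flags2, 0,
                       b"\x00" * 8, 0, 0, 0, 0, mid)


def parse_smb1_header(buf):
    """Return (command, flags2) from a raw SMB1 header, or raise ValueError."""
    if len(buf) < 32 or buf[:4] != SMB1_MAGIC:
        raise ValueError("not an SMB1 header")
    fields = struct.unpack(HEADER_FMT, buf[:32])
    return fields[1], fields[4]


def client_requires_signing(session_setup):
    """True when the SessionSetupAndX request carries SIGNATURES_REQUIRED.
    This is the bit the reply says a modern server must honour."""
    command, flags2 = parse_smb1_header(session_setup)
    if command != SMB_COM_SESSION_SETUP_ANDX:
        raise ValueError("expected SMB_COM_SESSION_SETUP_ANDX")
    return bool(flags2 & FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED)


def server_signing_effective(server_signing, server_role):
    """Resolve 'server signing' as the patch intends (assumption modelled on
    the thread, not read from smbd): 'default' means mandatory on an AD DC and
    disabled elsewhere. Only a subset of Samba's accepted spellings is handled."""
    value = server_signing.strip().lower()
    if value == "default":
        return "mandatory" if server_role == AD_DC_ROLE else "disabled"
    if value in ("mandatory", "required", "yes", "true"):
        return "mandatory"
    if value in ("disabled", "off", "no", "false", "auto", "if_required"):
        return "disabled"   # in this model both only sign when the client asks
    raise ValueError("unknown server signing value: %r" % server_signing)


def session_is_signed(server_signing, server_role, session_setup):
    """Decide whether the session is signed: the server's own requirement wins,
    otherwise the client's REQUIRED bit wins, otherwise the session is unsigned.
    The middle rule is what the reply says Windows (after 2000) and Samba 4.0 do
    even with signing disabled; it is the case Andrew's reproduction fails on."""
    if server_signing_effective(server_signing, server_role) == "mandatory":
        return True
    return client_requires_signing(session_setup)


if __name__ == "__main__":
    required = build_smb1_header(SMB_COM_SESSION_SETUP_ANDX,
                                 FLAGS2_UNICODE | FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED)
    plain = build_smb1_header(SMB_COM_SESSION_SETUP_ANDX, FLAGS2_UNICODE)
    for setting, role in (("default", AD_DC_ROLE), ("default", "standalone server"),
                          ("disabled", "standalone server")):
        for name, req in (("client required", required), ("client plain", plain)):
            print("%-9s %-35s %-15s signed=%s" % (
                setting, role, name, session_is_signed(setting, role, req)))
```

The interesting row is `disabled` + `client required`: the model signs, matching the w2012r2 capture metze attached, whereas the 4.1 testenv in Andrew's transcript returned BAD SIG and NT_STATUS_ACCESS_DENIED for that combination over SMB1.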