[PATCH] lib/param: Consolidate code to enable smb signing on the server, always enable on AD DC

Andrew Bartlett abartlet at samba.org
Tue Apr 15 15:26:36 MDT 2014


On Tue, 2014-04-15 at 14:05 +0200, Stefan (metze) Metzmacher wrote:
> Am 15.04.2014 01:37, schrieb Andrew Bartlett:
> > On Mon, 2014-04-14 at 19:05 +0200, Stefan (metze) Metzmacher wrote:
> >> Hi Andrew,
> >>
> >>>>> I'm wondering if this is the kind of change we can make during the 4.0
> >>>>> and 4.1 series?  It would be good to be able to rely on SMB signing
> >>>>> against AD DC servers, but unless we apply this patch Samba 4.0 and 4.1
> >>>>> will be exceptions to that unless SMB2 is used. 
> >>>>
> >>>> smbd should support FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED.
> >>>> So what is the actual problem here?
> >>>
> >>> The default 'server signing' is disabled, so the client can't sign even
> >>> if it wants to. 
> >>
> >> I don't believe this is true, with modern servers.
> >>
> >> If the client sends FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED in the
> >> session setup request,
> >> the server should detect this and enable signing for the session.
> >>
> >> This was introduced in Windows (after 2000) and Samba 4.0.
> >>
> >> See commit abb24bf8e874d525382e994af7ae432212775153.
> >>
> >> So do you really see failures, if so please provide captures and log
> >> files:-)
> > 
> > I'll do one better - this reproduces it in 'make testenv' on Samba 4.1.
> > The patch simply makes our testenv match our real-world defaults, and
> > then I just ran:
> > 
> > SELFTEST_TESTENV=plugin_s4_dc make testenv
> > 
> > abartlet at ruth:/data/samba/git/samba4.1$ bin/testparm -s
> > st/plugin_s4_dc/etc/smb.conf -v | grep sign
> > Load smb config files from st/plugin_s4_dc/etc/smb.conf
> > rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
> > (16384)
> > Processing section "[tmp]"
> > Processing section "[xcopy_share]"
> > Processing section "[posix_share]"
> > Processing section "[test1]"
> > Processing section "[test2]"
> > Processing section "[cifs]"
> > WARNING: No path in service cifs - making it unavailable!
> > NOTE: Service cifs is flagged unavailable.
> > Processing section "[simple]"
> > Processing section "[sysvol]"
> > Processing section "[netlogon]"
> > Processing section "[cifsposix]"
> > Processing section "[tmpenc]"
> > Processing section "[tmpcase]"
> > Processing section "[tmpguest]"
> > Processing section "[hideunread]"
> > Processing section "[durable]"
> > Processing section "[print$]"
> > Processing section "[print1]"
> > Processing section "[print2]"
> > Processing section "[print3]"
> > Processing section "[lp]"
> > Loaded services file OK.
> > Server role: ROLE_ACTIVE_DIRECTORY_DC
> >         client signing = default
> >         server signing = default
> >         ntp signd socket directory
> > = /data/samba/git/samba4.1/st/plugin_s4_dc/ntp_signd_socket
> > abartlet at ruth:/data/samba/git/samba4.1$ SOCKET_WRAPPER_PCAP_FILE=/tmp/sw
> > bin/smbclient //$SERVER/tmp -U$USERNAME%$PASSWORD -S=required
> > resolve_name: unknown name switch type file
> > smb_signing_good: BAD SIG: seq 1
> > session setup failed: NT_STATUS_ACCESS_DENIED
> > abartlet at ruth:/data/samba/git/samba4.1$ 
> > 
> > 
> > I saw this and reproduced it this way when I first proposed this patch.
> > 
> > This means we need a way to turn on SMB2 for winbindd in order to secure
> > the RPC communication. 
> 
> The attached two patches let us behave like a windows server.
> 
> In the capture I tested smbclient against w2012r2 server with disabled
> signing
> and it still works.

Thanks.  That works for master.  For 4.0 and 4.1, should we backport the
December patch also but simply omit the AD DC special case?  (so as not
to otherwise change behaviours)

Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
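The session-setup check metze describes above, modelled as an added Python example (this is not Samba's code): it reads the FLAGS2 field from an SMB1 header and decides the signing outcome for a given 'server signing' value, which is what smbclient's -S=required exercises. The flag constants are the MS-CIFS values; the policy logic (a client setting SIGNATURE_REQUIRED gets a signed session even when the server setting is 'disabled', and 'mandatory' rejects a client that does not sign) is an assumption modelling the Windows behaviour the thread aims for, not a transcript of smbd.

```python
# Added example (not Samba's code): model the SMB1 signing negotiation the
# thread describes, from the FLAGS2 bits of a Session Setup AndX request.
SMB1_MAGIC = b"\xffSMB"
SMB_FLAGS2_SMB_SECURITY_SIGNATURE = 0x0004           # this message is signed
SMB_FLAGS2_SMB_SECURITY_SIGNATURE_REQUIRED = 0x0010  # client insists on signing


def flags2_from_header(header: bytes) -> int:
    """Extract the little-endian FLAGS2 field from a 32-byte SMB1 header."""
    if len(header) < 32 or header[:4] != SMB1_MAGIC:
        raise ValueError("not an SMB1 header")
    # Protocol(4) Command(1) Status(4) Flags(1) -> FLAGS2 sits at offset 10
    return int.from_bytes(header[10:12], "little")


def negotiate_signing(server_signing: str, flags2: int) -> str:
    """Decide the session outcome for one smb.conf 'server signing' value.

    server_signing: 'disabled', 'auto' or 'mandatory'.
    Returns 'signed', 'unsigned' or 'rejected'.
    Assumed policy (modelling the Windows behaviour the thread targets):
    - 'mandatory': the server signs; a client that does not sign is rejected
    - client sets SIGNATURE_REQUIRED: signed session, even if 'disabled'
    - 'auto': signed only when the client already signs
    """
    client_signs = bool(flags2 & SMB_FLAGS2_SMB_SECURITY_SIGNATURE)
    client_requires = bool(flags2 & SMB_FLAGS2_SMB_SECURITY_SIGNATURE_REQUIRED)
    if server_signing == "mandatory":
        return "signed" if client_signs else "rejected"
    if client_requires:
        return "signed"
    if server_signing == "auto" and client_signs:
        return "signed"
    return "unsigned"


def build_header(flags2: int, command: int = 0x73) -> bytes:
    """Construct a minimal SMB1 header (Session Setup AndX = 0x73) for tests."""
    return (SMB1_MAGIC + bytes([command]) + b"\0\0\0\0" + b"\x18"
            + flags2.to_bytes(2, "little") + b"\0" * 20)


if __name__ == "__main__":
    # Constructed request: client signs and requires signing (-S=required)
    required = build_header(SMB_FLAGS2_SMB_SECURITY_SIGNATURE
                            | SMB_FLAGS2_SMB_SECURITY_SIGNATURE_REQUIRED)
    for policy in ("disabled", "auto", "mandatory"):
        print(policy, negotiate_signing(policy, flags2_from_header(required)))
```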