[PATCH] Fix SMB2-only client connection to MacOSX server.

Ralph Böhme rb at sernet.de
Wed Nov 26 00:36:31 MST 2014 

On Tue, Nov 25, 2014 at 05:48:00PM -0800, Jeremy Allison wrote:
> Hi Ralph,
> 
> I found something interesting in the smbclient
> interaction with the MacOSX server if we're set
> to SMB2-only (reported by a vendor).
> 
> To reproduce, set:
> 
>         client min protocol = SMB2
>         client max protocol = SMB3
> 
> in the [global] section of your smb.conf
> and try and use smbclient to connect to
> the latest MacOSX server.
> 
> We fail to connect (to at least one version
> of the MacOSX server) as we ask for zero
> credits initially in this case, and the Mac server
> replies with zero credits, not one credit as
> a Windows server does.
> 
> It turns out that Windows clients behave
> differently in the SMB2 Negprot depending
> on how they first connect to a server.
> 
> In a pure Windows to windows environment,
> if a Windows client first attempts an
> SMB1 Negprot, including a dialect list
> of SMB2, and the server replies with
> an SMB2 Negprot reply granting one
> initial credit.
> 
> The client then sends a subsequent SMB2
> Negprot, requesting zero credits, and
> the server again replies with one credit.
> The conversation then continues.
> 
> However - if a Windows client *knows*
> it's talking to an SMB2-enabled server,
> it skips the initial SMB1 negprot, and
> sends an SMB2 negprot request instead.
> 
> In that SMB2-initial Negprot it asks
> for 31 initial credits, not zero. The
> server replies with one credit and the
> conversation continues happily..
> 
> Our client code behaves exactly as
> the Windows client does in the case
> where we begin with an SMB1 Negprot.
> 
> However - if the client min and max
> protocol settings are set as above,
> then we send an initial SMB2 negprot request
> instead, and in that case we behave
> *differently* to the Windows client,
> in that we send an initial credit
> request of zero, not 31.
> 
> A Windows server on receiving this
> just replies with one credit, and
> we're happy. However the Mac server
> tested by the OEM replies with zero
> credits (that's what we asked for,
> right !) and then we fail to connect.
> 
> The attached patch makes us behave
> exactly like a Windows client in
> the SMB2-only Negprot case, in that
> we'll ask for 31 initial credits.
> 
> It works fine against Windows servers
> (who continue to return one credit
> in the negprot reply as they do for
> a Windows client).
> 
> If you could test this against your
> Mac servers I'd appreciate it, and
> if it passes review please let me
> know and I'll raise a bug to get
> this fixed in 4.2.0 and 4.1.next.

rb: me

Tested against 10.10.1: fails without the patch, succeeds with the
patch. Checked with Wireshark that it was pure SMB2 in either case.

Cheerio!
-Ralph

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de,mailto:kontakt@sernet.de

More information about the samba-technical mailing list