[PATCH] Display status of encryption and signing in smbstatus

Ralph Boehme rb at sernet.de
Thu Dec 10 17:14:58 UTC 2015


On Wed, Dec 09, 2015 at 03:26:10PM -0800, Jeremy Allison wrote:
> On Wed, Dec 09, 2015 at 01:57:56PM +0100, Ralph Boehme wrote:
> > Hi!
> > 
> > Attached is a patchset that adds support for displaying the current
> > status of signing and encryption per session and tcon.
> > 
> > Example:
> > 
> > # smbstatus
> > 
> > Samba version 4.4.0pre1-DEVELOPERBUILD
> > PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing
> > ----------------------------------------------------------------------------------------------------------------------------------------
> > 25597   slow         men          10.10.11.1 (ipv4:10.10.11.1:51241)        SMB3_02           partial(AES-128-CCM) partial(AES-128-CMAC)
> > 
> > Service      pid     Machine       Connected at                     Encryption   Signing
> > ---------------------------------------------------------------------------------------------
> > encrypted    25597   10.10.11.1    Wed Dec  9 01:40:20 PM 2015 CET  AES-128-CCM  AES-128-CMAC
> > clear        25597   10.10.11.1    Wed Dec  9 01:40:17 PM 2015 CET  -            -
> > 
> > The main changes involve modifying smbXsrv tdbs and packet processing
> > to track signing and encryption per incoming and outgoing packets.
> > 
> > tcons are either shown as encrypted or unencrypted, signed or
> > unsigned, sessions can be shown as partially encrypted in order to
> > give a consistent summary, otherwise it would look strange displaying
> > a session as unencrypted when one of its tcons is encrypted.
> > 
> > Per the nature of SMB3 encryption where sessions and tcons may be
> > encrypted (smb encrypt = desired), but not enforced (smb encrypt !=
> > required), the output is NOT a guarantee that all future packets will
> > be encrypted too. The output is only a summary of what has been seen
> > so far.
> > 
> > Please review and push if ok.
> 
> Code looks nice, and I like the idea. One comment (so
> far) on first look over.
> 
> I still need to go through and understand it fully,
> but I like what it's trying to do !
> 
> Can you split the following code into an external function
> please rather than putting it inline inside switch_message() ?
> 
> Oh, and the similar code in smbd_smb2_request_dispatch()
> should also be in a different function too I think.

sure, good idea! Thanks for looking into this. Will post an updated
patchset by tomorrow.

Thanks!
-slow

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de,mailto:kontakt@sernet.de
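
An added example, not part of the original mail or the patchset: a small audit script that parses the smbstatus layout quoted above and reports tcons where no encryption or signing has been seen, plus sessions shown as only partially protected. It assumes the column layout of the development build quoted in the mail and service names without whitespace; as the mail notes, the result is a summary of what has been seen so far, not a guarantee about future packets.

```python
import re

# Constructed input: the smbstatus output quoted in the mail above.
SAMPLE = """\
Samba version 4.4.0pre1-DEVELOPERBUILD
PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing
----------------------------------------------------------------------------------------------------------------------------------------
25597   slow         men          10.10.11.1 (ipv4:10.10.11.1:51241)        SMB3_02           partial(AES-128-CCM) partial(AES-128-CMAC)

Service      pid     Machine       Connected at                     Encryption   Signing
---------------------------------------------------------------------------------------------
encrypted    25597   10.10.11.1    Wed Dec  9 01:40:20 PM 2015 CET  AES-128-CCM  AES-128-CMAC
clear        25597   10.10.11.1    Wed Dec  9 01:40:17 PM 2015 CET  -            -
"""

def classify(value):
    """Map a column value to (state, algorithm): state is none/partial/full."""
    if value == "-":
        return "none", None
    m = re.fullmatch(r"partial\((.+)\)", value)
    return ("partial", m.group(1)) if m else ("full", value)

def parse_smbstatus(text):
    """Return (sessions, tcons); assumes the last two columns are Encryption, Signing."""
    sessions, tcons, table = [], [], None
    for line in text.splitlines():
        f = line.split()
        if not f:
            table = None                      # blank line ends a table
        elif f[-2:] == ["Encryption", "Signing"]:
            table = sessions if f[0] == "PID" else tcons
        elif table is not None and set(line.strip()) != {"-"}:
            # Assumption: service names contain no whitespace (tcon rows: name, pid, ...).
            row = {"pid": f[0]} if table is sessions else {"service": f[0], "pid": f[1]}
            row["encryption"], row["signing"] = classify(f[-2]), classify(f[-1])
            table.append(row)
    return sessions, tcons

def findings(text):
    """List tcons with no protection seen and sessions that are not fully protected."""
    sessions, tcons = parse_smbstatus(text)
    out = []
    for t in tcons:
        out += [f"tcon {t['service']} (pid {t['pid']}): no {c} seen"
                for c in ("encryption", "signing") if t[c][0] == "none"]
    for s in sessions:
        out += [f"session pid {s['pid']}: {c} is {s[c][0]}"
                for c in ("encryption", "signing") if s[c][0] != "full"]
    return out
```

Calling `findings()` on captured smbstatus output returns one line per gap; for the sample it reports the `clear` tcon twice and the partially protected session twice.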


