[PATCH] Fix Bug 11103: - Samba does not set the required flags in the SMB2/SMB3 Negotiate Protocol Response when signing required by client
Jeremy Allison
jra at samba.org
Thu Feb 19 10:05:22 MST 2015
On Thu, Feb 19, 2015 at 09:28:35AM +0100, Stefan (metze) Metzmacher wrote:
> Hi Jeremy,
>
> > +++ b/source3/smbd/smb2_negprot.c
> > @@ -221,7 +221,8 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
> > }
> >
> > security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED;
> > - if (lp_server_signing() == SMB_SIGNING_REQUIRED) {
> > + if (lp_server_signing() == SMB_SIGNING_REQUIRED ||
> > + (in_security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED)) {
> > security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
> > }
> >
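Review bot: the operand added to the `if` in smbd_smb2_request_process_negprot() makes the server's advertised security_mode depend on the client-supplied in_security_mode, and nothing at the condition says why. A short comment above it stating that the response sets SMB2_NEGOTIATE_SIGNING_REQUIRED when either the local `lp_server_signing()` setting or the client's negotiate request requires signing (Bug 11103) would help. The comment could also record that the client bit only ever adds the flag through `security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED` and never clears it, so the client's request cannot lower what the server advertises.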
> > diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
> > index 2f58e44..f918328 100644
> > --- a/source3/smbd/smb2_sesssetup.c
> > +++ b/source3/smbd/smb2_sesssetup.c
> > @@ -186,7 +186,9 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
> > struct smbXsrv_connection *xconn = smb2req->xconn;
> >
> > if ((in_security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) ||
> > - lp_server_signing() == SMB_SIGNING_REQUIRED) {
> > + lp_server_signing() == SMB_SIGNING_REQUIRED ||
> > + (xconn->smb2.server.security_mode &
> > + SMB2_NEGOTIATE_SIGNING_REQUIRED)) {
> > x->global->signing_required = true;
> > }
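Review bot: the three operands of the `if` in smbd_smb2_auth_generic_return() overlap, and the code does not say which case each one covers. As the reply that follows notes, `lp_server_signing() == SMB_SIGNING_REQUIRED` is already covered by `xconn->smb2.server.security_mode` once negprot has set it. If the term stays for readability, a one-line comment above the condition naming the three cases (client required signing in session setup, local configuration requires it, server advertised it as required in negprot) would document the intent and keep a later cleanup from dropping the wrong term.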
>
> I think we can remove the lp_server_signing() == SMB_SIGNING_REQUIRED) here
> as smbd_smb2_request_process_negprot() already sets
> xconn->smb2.server.security_mode.
Yes, I realized that when I created the patch. However I
deliberately left it in place to make it clear what case
we were covering here - people get twitchy over security
sensitive changes :-).
Glad to know you're always watching though metze :-).