[PATCH] Fix Bug 11103: - Samba does not set the required flags in the SMB2/SMB3 Negotiate Protocol Response when signing required by client

Steve French smfrench at gmail.com
Fri Feb 20 11:55:43 MST 2015


I am rerunning all of the Encryption and Signing tests now against Samba
4.2 test branch (without JRA's patch) with a slightly different test config
because I saw different results against Windows 10 (a test configuration
test may have affected this).

There may be a way to run these without JRA's patch (setting the global
encryption may affect their expectation about the signing flags).  Testing
against Windows 2012 is tough because they will mandate signing in the
server (at least in the DC) so to test against Windows I am going to have
to try other test targets.

On Thu, Feb 19, 2015 at 2:28 AM, Stefan (metze) Metzmacher <metze at samba.org>
wrote:

> Hi Jeremy,
>
> > +++ b/source3/smbd/smb2_negprot.c
> > @@ -221,7 +221,8 @@ NTSTATUS smbd_smb2_request_process_negprot(struct
> smbd_smb2_request *req)
> >       }
> >
> >       security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED;
> > -     if (lp_server_signing() == SMB_SIGNING_REQUIRED) {
> > +     if (lp_server_signing() == SMB_SIGNING_REQUIRED ||
> > +                     (in_security_mode &
> SMB2_NEGOTIATE_SIGNING_REQUIRED)) {
> >               security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
> >       }
> >
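Review bot: The widened condition in smbd_smb2_request_process_negprot() makes the response carry SMB2_NEGOTIATE_SIGNING_REQUIRED whenever the client's in_security_mode has that bit, independent of lp_server_signing(), and nothing in the hunk says why. A short comment above the `if` stating that the server reflects a client's signing requirement in the Negotiate response (bug 11103) would document the intent. The wrapped `(in_security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED)) {` line should also align with the first operand of the condition.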
> > diff --git a/source3/smbd/smb2_sesssetup.c
> b/source3/smbd/smb2_sesssetup.c
> > index 2f58e44..f918328 100644
> > --- a/source3/smbd/smb2_sesssetup.c
> > +++ b/source3/smbd/smb2_sesssetup.c
> > @@ -186,7 +186,9 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct
> smbXsrv_session *session,
> >       struct smbXsrv_connection *xconn = smb2req->xconn;
> >
> >       if ((in_security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) ||
> > -         lp_server_signing() == SMB_SIGNING_REQUIRED) {
> > +         lp_server_signing() == SMB_SIGNING_REQUIRED ||
> > +         (xconn->smb2.server.security_mode &
> > +                     SMB2_NEGOTIATE_SIGNING_REQUIRED)) {
> >               x->global->signing_required = true;
> >       }
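Review bot: The three-term condition in smbd_smb2_auth_generic_return() now looks redundant. If the negprot path stores its computed security_mode in xconn->smb2.server.security_mode (that assignment is not visible in this patch), then `lp_server_signing() == SMB_SIGNING_REQUIRED` always implies the new xconn check and can be dropped. Keep the in_security_mode test, since it is a separate value from the connection's stored mode, and align the wrapped `SMB2_NEGOTIATE_SIGNING_REQUIRED)) {` line with the opening parenthesis of its term.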
>
> I think we can remove the lp_server_signing() == SMB_SIGNING_REQUIRED) here
> as smbd_smb2_request_process_negprot() already sets
> xconn->smb2.server.security_mode.
>
>
> Can you or Steve please also upload a capture that shows the correct
> behavior
> of a Windows server to the bug report?
>
> metze
>
>
>


-- 
Thanks,

Steve

