[PATCH] smb encrypt - new value desired

Michael Adam obnox at samba.org
Tue Jun 30 09:58:58 MDT 2015


Hi,

there is BUG https://bugzilla.samba.org/show_bug.cgi?id=11372
which addresses inconsistencies between settings of smb encrypt
in master and 4.2/4.1.

During discussion it was noticed that we do not actually have
enough settings for 'smb encrypt' to explicitly reflect all
that we need to achieve. We need:

- off      : ...
- enabled  : enable SMB3 encryption cap in negotiate
- desired  : enable cap and turn on data encryption
- required : enable cap, turn on data enc, and reject clients
             that don't support it

We are currently lacking 'desired'.

The attached patchset adds this value,
modifies the server to reflect the above table
and amends the manpage documentation to explain it.

Review / comments appreciated!

Thanks - Michael

-------------- next part --------------
From 166c616b82bb2999378acccf70ddf98846940fe5 Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox at samba.org>
Date: Tue, 30 Jun 2015 14:16:19 +0200
Subject: [PATCH 1/3] Introduce setting "desired" for 'smb encrypt' and
 'client/server signing'

This should trigger the behaviour where the server requires
signing when the client supports it, but does not reject
clients that don't support it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372

Signed-off-by: Michael Adam <obnox at samba.org>
---
 lib/param/loadparm.c              | 1 +
 lib/param/param_table.c           | 1 +
 libcli/smb/smbXcli_base.c         | 6 ++++++
 libcli/smb/smb_constants.h        | 1 +
 source4/smb_server/smb2/negprot.c | 1 +
 5 files changed, 10 insertions(+)

diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index bb215b2..0e11428 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -3207,6 +3207,7 @@ bool lpcfg_server_signing_allowed(struct loadparm_context *lp_ctx, bool *mandato
 	case SMB_SIGNING_REQUIRED:
 		*mandatory = true;
 		break;
+	case SMB_SIGNING_DESIRED:
 	case SMB_SIGNING_IF_REQUIRED:
 		break;
 	case SMB_SIGNING_DEFAULT:
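Review bot: The new `case SMB_SIGNING_DESIRED:` label in lpcfg_server_signing_allowed() falls through to the SMB_SIGNING_IF_REQUIRED branch, so on the server side 'desired' leaves `*mandatory` untouched and is indistinguishable from 'if_required', while the commit message says the server should require signing when the client supports it. If the identical handling is intended because this function only reports allowed and mandatory, say so in a comment above the label; otherwise the per-client decision needs a home that this patch does not show.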
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 287839f..ff31038 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -115,6 +115,7 @@ static const struct enum_list enum_smb_signing_vals[] = {
 	{SMB_SIGNING_IF_REQUIRED, "On"},
 	{SMB_SIGNING_IF_REQUIRED, "enabled"},
 	{SMB_SIGNING_IF_REQUIRED, "auto"},
+	{SMB_SIGNING_DESIRED, "desired"},
 	{SMB_SIGNING_REQUIRED, "required"},
 	{SMB_SIGNING_REQUIRED, "mandatory"},
 	{SMB_SIGNING_REQUIRED, "force"},
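Review bot: Adding `{SMB_SIGNING_DESIRED, "desired"}` to enum_smb_signing_vals makes 'desired' a valid value for every parameter that uses this table, and the subject line names 'client/server signing' as well, but the documentation patch in this series only touches smbencrypt.xml. The signing parameters' manpage entries should list the new value and describe its effect there, or the series should say why that is deferred.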
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index c8ae5b0..6c35430 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -376,6 +376,12 @@ struct smbXcli_conn *smbXcli_conn_create(TALLOC_CTX *mem_ctx,
 		conn->desire_signing = false;
 		conn->mandatory_signing = false;
 		break;
+	case SMB_SIGNING_DESIRED:
+		/* if the server desires it */
+		conn->allow_signing = true;
+		conn->desire_signing = true;
+		conn->mandatory_signing = false;
+		break;
 	case SMB_SIGNING_REQUIRED:
 		/* always */
 		conn->allow_signing = true;
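Review bot: The comment `/* if the server desires it */` on the new SMB_SIGNING_DESIRED case does not match the flags set below it: `desire_signing = true` together with `mandatory_signing = false` expresses that the client itself wants signing and will still accept a server without it. A comment along the lines of 'if the server supports it' would describe this case.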
diff --git a/libcli/smb/smb_constants.h b/libcli/smb/smb_constants.h
index 589b1a63..c4cca15 100644
--- a/libcli/smb/smb_constants.h
+++ b/libcli/smb/smb_constants.h
@@ -98,6 +98,7 @@ enum smb_signing_setting {
 	SMB_SIGNING_DEFAULT = -1,
 	SMB_SIGNING_OFF = 0,
 	SMB_SIGNING_IF_REQUIRED = 1,
+	SMB_SIGNING_DESIRED = 2,
 	SMB_SIGNING_REQUIRED = 3,
 };
 
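Review bot: The value chosen in `SMB_SIGNING_DESIRED = 2` is load-bearing, because patch 2/3 tests `lp_smb_encrypt(...) >= SMB_SIGNING_DESIRED` and so depends on DESIRED sorting above IF_REQUIRED and below REQUIRED. A comment on the enum stating that ordered comparisons rely on the numeric order would keep a later insertion or renumbering from silently changing which settings turn encryption on. It is also worth noting there that 'smb encrypt' reuses this signing enum.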
diff --git a/source4/smb_server/smb2/negprot.c b/source4/smb_server/smb2/negprot.c
index 81f2547..b48b170 100644
--- a/source4/smb_server/smb2/negprot.c
+++ b/source4/smb_server/smb2/negprot.c
@@ -150,6 +150,7 @@ static NTSTATUS smb2srv_negprot_backend(struct smb2srv_request *req, struct smb2
 	case SMB_SIGNING_OFF:
 		io->out.security_mode = 0;
 		break;
+	case SMB_SIGNING_DESIRED:
 	case SMB_SIGNING_IF_REQUIRED:
 		io->out.security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED;
 		break;
-- 
2.4.3


From 7c35b5fcc2d470a0690ccdfc7401a19b92d71a0c Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox at samba.org>
Date: Tue, 30 Jun 2015 15:17:37 +0200
Subject: [PATCH 2/3] smbd:smb2: enable encryption for clients that support
 encryption only if desired

Setting smb encrypt to 'desired' or 'required' corresponds
to the Windows setting of 'EncryptData' (without or with
RejectUnencryptedAccess set). The default behaviour with
smb encrypt set to enabled (or auto) would be to announce
the capability, but not inflict encryption on clients that
don't request it.

This explicit state for 'desired' was missing before,
and hence we were using 'enabled' for it. Now we have
the setting, we let smbd use it appropriately.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372

Signed-off-by: Michael Adam <obnox at samba.org>
---
 source3/smbd/smb2_sesssetup.c | 2 +-
 source3/smbd/smb2_tcon.c      | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index da7adb3..1e84058 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -262,7 +262,7 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
 		x->global->signing_required = true;
 	}
 
-	if ((lp_smb_encrypt(-1) > SMB_SIGNING_OFF) &&
+	if ((lp_smb_encrypt(-1) >= SMB_SIGNING_DESIRED) &&
 	    (xconn->smb2.client.capabilities & SMB2_CAP_ENCRYPTION)) {
 		x->global->encryption_required = true;
 	}
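Review bot: Changing the test from `> SMB_SIGNING_OFF` to `>= SMB_SIGNING_DESIRED` means an existing configuration with 'smb encrypt = enabled' (or 'auto') stops setting `x->global->encryption_required` for capable clients after an upgrade, with no change to smb.conf. That is a quiet loss of on-the-wire encryption for sites that relied on the old behaviour, so it should be called out in the release notes together with the advice to switch to 'desired' or 'required'.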
diff --git a/source3/smbd/smb2_tcon.c b/source3/smbd/smb2_tcon.c
index eb66ea0..0e3f580 100644
--- a/source3/smbd/smb2_tcon.c
+++ b/source3/smbd/smb2_tcon.c
@@ -266,7 +266,7 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req,
 		return NT_STATUS_BAD_NETWORK_NAME;
 	}
 
-	if ((lp_smb_encrypt(snum) > SMB_SIGNING_OFF) &&
+	if ((lp_smb_encrypt(snum) >= SMB_SIGNING_DESIRED) &&
 	    (conn->smb2.client.capabilities & SMB2_CAP_ENCRYPTION)) {
 		encryption_required = true;
 	}
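Review bot: With 'required' on the share and a client that does not advertise SMB2_CAP_ENCRYPTION, this condition is false and `encryption_required` is not set here, so the rejection that the documentation promises has to come from code outside this hunk. Please confirm that such a path exists for `lp_smb_encrypt(snum)` equal to SMB_SIGNING_REQUIRED, and consider a test that covers both 'desired' and 'required' against a client without the capability.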
-- 
2.4.3


From acc1d88b03219b04a0071d65d5d8a0778879631c Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox at samba.org>
Date: Tue, 30 Jun 2015 17:46:36 +0200
Subject: [PATCH 3/3] docs:smb.conf: explain effect of new setting 'desired' of
 smb encrypt

Thereby clarify some details.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372

Signed-off-by: Michael Adam <obnox at samba.org>
---
 docs-xml/smbdotconf/security/smbencrypt.xml | 66 ++++++++++++++++++++---------
 1 file changed, 47 insertions(+), 19 deletions(-)

diff --git a/docs-xml/smbdotconf/security/smbencrypt.xml b/docs-xml/smbdotconf/security/smbencrypt.xml
index 17248e6..ae0682b 100644
--- a/docs-xml/smbdotconf/security/smbencrypt.xml
+++ b/docs-xml/smbdotconf/security/smbencrypt.xml
@@ -30,11 +30,15 @@
 	<para>
 		This parameter can be set globally and on a per-share bases.
 		Possible values are
-		<emphasis>off</emphasis> or <emphasis>disabled</emphasis>,
-		<emphasis>auto</emphasis> or <emphasis>enabled</emphasis>, and
-		<emphasis>mandatory</emphasis> or <emphasis>required</emphasis>.
+		<emphasis>off</emphasis> (or <emphasis>disabled</emphasis>),
+		<emphasis>enabled</emphasis> (or <emphasis>auto</emphasis>, or
+		<emphasis>if_required</emphasis>),
+		<emphasis>desired</emphasis>,
+		and
+		<emphasis>required</emphasis>
+		(or <emphasis>mandatory</emphasis>).
 		A special value is <emphasis>default</emphasis> which is
-		the implicit default setting.
+		the implicit default setting of <emphasis>enabled</emphasis>.
 	</para>
 
 	<variablelist>
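Review bot: The value list now documents `if_required` as an alias of 'enabled', but the enum_smb_signing_vals entries visible in patch 1/3 map only "On", "enabled" and "auto" to SMB_SIGNING_IF_REQUIRED; check that the table really accepts `if_required` before documenting it. While this paragraph is being edited, 'on a per-share bases' in its first line should read 'basis'.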
@@ -103,7 +107,7 @@
 			<listitem>
 			<para>
 			The capability to perform SMB encryption can be
-			negotiated during prorocol negotiation.
+			negotiated during protocol negotiation.
 			</para>
 			</listitem>
 
@@ -145,8 +149,9 @@
 		<itemizedlist>
 			<listitem>
 			<para>
-			Leaving it as default or explicitly setting
-			<emphasis>default</emphasis> globally will enable
+			Leaving it as default, explicitly setting
+			<emphasis>default</emphasis>, or setting it to
+			<emphasis>enabled</emphasis> globally will enable
 			negotiation of encryption but will not turn on
 			data encryption globally or per share.
 			</para>
@@ -154,16 +159,20 @@
 
 			<listitem>
 			<para>
-			Setting it to <emphasis>enabled</emphasis> globally will
-			enable negotiation and turn on data encryption globally.
+			Setting it to <emphasis>desired</emphasis> globally
+			will enable negotiation and will turn on data encryption
+			on sessions and share connections for those clients
+			that support it.
 			</para>
 			</listitem>
 
 			<listitem>
 			<para>
 			Setting it to <emphasis>required</emphasis> globally
-			will enable negotiation and enforce data encryption
-			globally.
+			will enable negotiation and turn on data encryption
+			on sessions and share connections. Clients that do
+			not support encryption will be denied access to the
+			server.
 			</para>
 			</listitem>
 
@@ -176,9 +185,10 @@
 
 			<listitem>
 			<para>
-			Setting it to <emphasis>enabled</emphasis> on a share
-			will turn on data encryption for this share if
-			negotiation has been enabled globally.
+			Setting it to <emphasis>desired</emphasis> on a share
+			will turn on data encryption for this share for clients
+			that support encryption if negotiation has been
+			enabled globally.
 			</para>
 			</listitem>
 
@@ -186,16 +196,34 @@
 			<para>
 			Setting it to <emphasis>required</emphasis> on a share
 			will enforce data encryption for this share if
-			negotiation has been enabled globally. Note that this
-			allows enforcing to be controlled in Samba more
-			fine-grainedly than in Windows.  This is a small
-			deviation from the MS-SMB2 protocol document.
+			negotiation has been enabled globally. I.e. clients that
+			do not support encryption will be denied access to the
+			share.
+			</para>
+			<para>
+			Note that this allows per-share enforcing to be
+			controlled in Samba differently from Windows:
+			In Windows, <emphasis>RejectUnencryptedAccess</emphasis>
+			is a global setting, and if it is set, all shares with
+			data encryption turned on
+			are automatically enforcing encryption. In order to
+			achieve the same effect in Samba, one
+			has to globally set <emphasis>smb encrypt</emphasis> to
+			<emphasis>enabled</emphasis>, and then set all shares
+			that should be encrypted to
+			<emphasis>required</emphasis>.
+			Additionally, it is possible in Samba to have some
+			shares with encryption <emphasis>required</emphasis>
+			and some other shares with encryption only
+			<emphasis>desired</emphasis>, which is not possible in
+			Windows.
 			</para>
 			</listitem>
 
 			<listitem>
 			<para>
-			Setting it to <emphasis>off</emphasis> for a share has
+			Setting it to <emphasis>off</emphasis> or
+			<emphasis>enabled</emphasis> for a share has
 			no effect.
 			</para>
 			</listitem>
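Review bot: The new paragraph on mixing 'required' and 'desired' shares does not spell out what 'desired' guarantees: a client that does not support encryption still gets access to a 'desired' share, unencrypted. One sentence saying that only 'required' ensures the share's data never crosses the wire in cleartext would help administrators pick the right value. The sentence beginning 'I.e. clients that' would also read better as 'That is, clients that ...'.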
-- 
2.4.3
