s3:rpcclient add -m option (Re: [SCM] Samba Shared Repository - branch master updated)
Jeremy Allison
jra at samba.org
Fri May 20 00:34:25 UTC 2016
On Thu, May 19, 2016 at 01:35:13PM +0200, Stefan Metzmacher wrote:
> Hi Christian,
>
> I assume this patch was originally written before the Badlock fixes.
> As "client max protocol" should no longer be used in rpcclient.
> We have "client ipc max protocol" which defaults to the latest supported
> protocol (currently SMB3_11).
>
> With the attached patches the following works:
>
> rpcclient --option="client ipc max protocol=SMB2_10" 172.31.9.163 -Uadministrator%A1b2C3d4 -c "getusername"
> Account Name: Administrator, Authority Name: W4EDOM-L4
>
> rpcclient --option="client ipc max protocol=NT1" 172.31.9.163 -Uadministrator%A1b2C3d4 -c "getusername"
> Account Name: Administrator, Authority Name: W4EDOM-L4
>
> rpcclient 172.31.9.163 -Uadministrator%A1b2C3d4 -c "getusername"
> Account Name: Administrator, Authority Name: W4EDOM-L4

These changes LGTM.

But might it be easier on the users to add an additional patch
that makes '-m' on the rpcclient command line set 'client ipc max protocol'?
smbclient and smbcacls both use -m to set the max protocol - with rpcclient
we could just change the ipc max protocol instead.

> > - Log -----------------------------------------------------------------
> > commit a55ac51f5f67c61bda1fee7067ad7d09a0c1efdf
> > Author: Christian Ambach <ambi at samba.org>
> > Date: Wed May 11 18:54:58 2016 +0200
> >
> > s3:rpcclient add -m option
> >
> > Signed-off-by: Christian Ambach <ambi at samba.org>
> > Reviewed-by: Jeremy Allison <jra at samba.org>
> >
> > Autobuild-User(master): Jeremy Allison <jra at samba.org>
> > Autobuild-Date(master): Thu May 12 17:36:09 CEST 2016 on sn-devel-144
> ...
> > diff --git a/docs-xml/manpages/rpcclient.1.xml b/docs-xml/manpages/rpcclient.1.xml
> > index fcdd0c6..2ce1443 100644
> > --- a/docs-xml/manpages/rpcclient.1.xml
> > +++ b/docs-xml/manpages/rpcclient.1.xml
> > @@ -24,6 +24,7 @@
> > <arg choice="opt">-c <command string></arg>
> > <arg choice="opt">-d debuglevel</arg>
> > <arg choice="opt">-l logdir</arg>
> > + <arg choice="opt">-m maxprotocol</arg>
> > <arg choice="opt">-N</arg>
> > <arg choice="opt">-s <smb config file></arg>
> > <arg choice="opt">-U username[%password]</arg>
> > @@ -86,6 +87,19 @@
> > </varlistentry>
> >
> > <varlistentry>
> > + <term>-m|--max-protocol protocol</term>
> > + <listitem><para>This allows the user to select the
> > + highest SMB protocol level that rpcclient will use to
> > + connect to the server. By default this is set to
> > + NT1, which is the highest available SMB1 protocol.
> > + To connect using SMB2 or SMB3 protocol, use the
> > + strings SMB2 or SMB3 respectively. Note that to connect
> > + to a Windows 2012 server with encrypted transport selecting
> > + a max-protocol of SMB3 is required.
> > + </para></listitem>
> > + </varlistentry>
> > +
> > + <varlistentry>
> > <term>-p|--port port</term>
> > <listitem><para>This number is the TCP port number that will be used
> > when making connections to the server. The standard (well-known)
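Review bot: the added -m|--max-protocol entry says the default is NT1 and that SMB2 or SMB3 has to be selected explicitly, but the reply at the top of this thread states that rpcclient follows "client ipc max protocol", which defaults to the latest supported protocol (currently SMB3_11). The paragraph should name the parameter that -m really changes and give that default; as written it tells readers to pass -m SMB3 to get encrypted transport when, per the thread, the IPC default already allows it.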
> > diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
> > index c32fbc7..44d691b 100644
> > --- a/source3/rpcclient/rpcclient.c
> > +++ b/source3/rpcclient/rpcclient.c
> > @@ -913,6 +913,7 @@ out_free:
> > {"command", 'c', POPT_ARG_STRING, &cmdstr, 'c', "Execute semicolon separated cmds", "COMMANDS"},
> > {"dest-ip", 'I', POPT_ARG_STRING, &opt_ipaddr, 'I', "Specify destination IP address", "IP"},
> > {"port", 'p', POPT_ARG_INT, &opt_port, 'p', "Specify port number", "PORT"},
> > + {"max-protocol", 'm', POPT_ARG_STRING, NULL, 'm', "Set the max protocol level", "LEVEL" },
> > POPT_COMMON_SAMBA
> > POPT_COMMON_CONNECTION
> > POPT_COMMON_CREDENTIALS
> > @@ -949,6 +950,10 @@ out_free:
> > while((opt = poptGetNextOpt(pc)) != -1) {
> > switch (opt) {
> >
> > + case 'm':
> > + lp_set_cmdline("client max protocol", poptGetOptArg(pc));
> > + break;
> > +
> > case 'I':
> > if (!interpret_string_addr(&server_ss,
> > opt_ipaddr,
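Review bot: in the new case 'm', lp_set_cmdline() is given "client max protocol", while the reply at the top of this thread says rpcclient should no longer use that parameter and that its connection follows "client ipc max protocol", so -m may have no effect on the connection rpcclient makes. The value from poptGetOptArg(pc) is also passed straight in without being kept, so it can be neither checked for NULL nor freed (popt leaves freeing the returned string to the caller). Suggest storing it in a local, setting "client ipc max protocol" from it, and freeing it afterwards.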
> From 5f4674e984e8ded3e0db0336b303ac32d160ceef Mon Sep 17 00:00:00 2001
> From: Stefan Metzmacher <metze at samba.org>
> Date: Thu, 19 May 2016 11:47:29 +0200
> Subject: [PATCH 1/2] Revert "s3:rpcclient add -m option"
>
> This reverts commit a55ac51f5f67c61bda1fee7067ad7d09a0c1efdf.
>
> This will be implemented in a more common way using the
> "client ipc max protocol" option.
>
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=11927
>
> Signed-off-by: Stefan Metzmacher <metze at samba.org>
> ---
> docs-xml/manpages/rpcclient.1.xml | 14 --------------
> source3/rpcclient/rpcclient.c | 5 -----
> 2 files changed, 19 deletions(-)
>
> diff --git a/docs-xml/manpages/rpcclient.1.xml b/docs-xml/manpages/rpcclient.1.xml
> index 2ce1443..fcdd0c6 100644
> --- a/docs-xml/manpages/rpcclient.1.xml
> +++ b/docs-xml/manpages/rpcclient.1.xml
> @@ -24,7 +24,6 @@
> <arg choice="opt">-c <command string></arg>
> <arg choice="opt">-d debuglevel</arg>
> <arg choice="opt">-l logdir</arg>
> - <arg choice="opt">-m maxprotocol</arg>
> <arg choice="opt">-N</arg>
> <arg choice="opt">-s <smb config file></arg>
> <arg choice="opt">-U username[%password]</arg>
> @@ -87,19 +86,6 @@
> </varlistentry>
>
> <varlistentry>
> - <term>-m|--max-protocol protocol</term>
> - <listitem><para>This allows the user to select the
> - highest SMB protocol level that rpcclient will use to
> - connect to the server. By default this is set to
> - NT1, which is the highest available SMB1 protocol.
> - To connect using SMB2 or SMB3 protocol, use the
> - strings SMB2 or SMB3 respectively. Note that to connect
> - to a Windows 2012 server with encrypted transport selecting
> - a max-protocol of SMB3 is required.
> - </para></listitem>
> - </varlistentry>
> -
> - <varlistentry>
> <term>-p|--port port</term>
> <listitem><para>This number is the TCP port number that will be used
> when making connections to the server. The standard (well-known)
> diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
> index 44d691b..efca953 100644
> --- a/source3/rpcclient/rpcclient.c
> +++ b/source3/rpcclient/rpcclient.c
> @@ -913,7 +913,6 @@ out_free:
> {"command", 'c', POPT_ARG_STRING, &cmdstr, 'c', "Execute semicolon separated cmds", "COMMANDS"},
> {"dest-ip", 'I', POPT_ARG_STRING, &opt_ipaddr, 'I', "Specify destination IP address", "IP"},
> {"port", 'p', POPT_ARG_INT, &opt_port, 'p', "Specify port number", "PORT"},
> - {"max-protocol", 'm', POPT_ARG_STRING, NULL, 'm', "Set the max protocol level", "LEVEL" },
> POPT_COMMON_SAMBA
> POPT_COMMON_CONNECTION
> POPT_COMMON_CREDENTIALS
> @@ -950,10 +949,6 @@ out_free:
> while((opt = poptGetNextOpt(pc)) != -1) {
> switch (opt) {
>
> - case 'm':
> - lp_set_cmdline("client max protocol", poptGetOptArg(pc));
> - break;
> -
> case 'I':
> if (!interpret_string_addr(&server_ss,
> opt_ipaddr,
> --
> 1.9.1
>
>
> From 872dfac0e321fc9f29d5b25d8a79f364f636be9b Mon Sep 17 00:00:00 2001
> From: Stefan Metzmacher <metze at samba.org>
> Date: Thu, 19 May 2016 11:47:18 +0200
> Subject: [PATCH 2/2] s3:rpcclient: make use of SMB_SIGNING_IPC_DEFAULT
>
> This means we'll use the "client ipc min protocol", "client ipc max protocol"
> and "client ipc signing" options. But "--signing=no" or "--signing=required"
> still overwrite "client ipc signing".
>
> The following can be used to alter the max protocol
>
> rpcclient --option="client ipc max protocol=SMB2_10" 172.31.9.163 -Uadministrator%A1b2C3d4 -c "getusername"
> Account Name: Administrator, Authority Name: W4EDOM-L4
>
> rpcclient --option="client ipc max protocol=NT1" 172.31.9.163 -Uadministrator%A1b2C3d4 -c "getusername"
> Account Name: Administrator, Authority Name: W4EDOM-L4
>
> rpcclient 172.31.9.163 -Uadministrator%A1b2C3d4 -c "getusername"
> Account Name: Administrator, Authority Name: W4EDOM-L4
>
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=11927
>
> Signed-off-by: Stefan Metzmacher <metze at samba.org>
> ---
> source3/rpcclient/rpcclient.c | 13 ++++++++++++-
> 1 file changed, 12 insertions(+), 1 deletion(-)
>
> diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
> index efca953..74ae708 100644
> --- a/source3/rpcclient/rpcclient.c
> +++ b/source3/rpcclient/rpcclient.c
> @@ -904,6 +904,7 @@ out_free:
> const char *binding_string = NULL;
> char *user, *domain, *q;
> const char *host;
> + int signing_state = SMB_SIGNING_IPC_DEFAULT;
>
> /* make sure the vars that get altered (4th field) are in
> a fixed location or certain compilers complain */
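Review bot: the initialiser on the added "int signing_state = SMB_SIGNING_IPC_DEFAULT;" is never read, because the next hunk assigns signing_state unconditionally from get_cmdline_auth_info_signing_state() before its only use. Drop the initialiser or declare the variable next to the switch, so that SMB_SIGNING_IPC_DEFAULT appears only where it takes effect, in the connection call.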
> @@ -1077,6 +1078,16 @@ out_free:
> }
> }
>
> + signing_state = get_cmdline_auth_info_signing_state(rpcclient_auth_info);
> + switch (signing_state) {
> + case SMB_SIGNING_OFF:
> + lp_set_cmdline("client ipc signing", "no");
> + break;
> + case SMB_SIGNING_REQUIRED:
> + lp_set_cmdline("client ipc signing", "required");
> + break;
> + }
> +
> if (get_cmdline_auth_info_use_kerberos(rpcclient_auth_info)) {
> flags |= CLI_FULL_CONNECTION_USE_KERBEROS |
> CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
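Review bot: the added switch on signing_state handles only SMB_SIGNING_OFF and SMB_SIGNING_REQUIRED and has no default case, so every other value silently leaves "client ipc signing" as configured. That matches the commit message, but a "default: break;" with a one-line comment would make the fall-through visibly deliberate. The results of the two lp_set_cmdline() calls are also not checked; if the set fails, a user who passed --signing=required connects with whatever "client ipc signing" already was, so it is worth checking the result and bailing out.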
> @@ -1107,7 +1118,7 @@ out_free:
> get_cmdline_auth_info_domain(rpcclient_auth_info),
> get_cmdline_auth_info_password(rpcclient_auth_info),
> flags,
> - get_cmdline_auth_info_signing_state(rpcclient_auth_info));
> + SMB_SIGNING_IPC_DEFAULT);
>
> if (!NT_STATUS_IS_OK(nt_status)) {
> DEBUG(0,("Cannot connect to server. Error was %s\n", nt_errstr(nt_status)));
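Review bot: with the last argument replaced by the constant SMB_SIGNING_IPC_DEFAULT, a --signing choice reaches this connection only through the lp_set_cmdline() calls added in the previous hunk; a short comment at this call saying so would keep a later reader from passing signing_state back in. The diffstat for this patch touches only source3/rpcclient/rpcclient.c, so once patch 1/2 removes the -m text the man page says nothing about "client ipc max protocol" or the --option form shown in the commit message; a documentation hunk would help.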
> --
> 1.9.1
>
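
The parameters this thread settles on, "client ipc max protocol" and "client ipc signing", can also be set in smb.conf, where a leftover downgrade applies to every rpcclient run. The following is an added example, not part of the original message or of Samba: a shell check that reports such settings in the [global] section. The function names, the sample configuration, the SMB1 dialect names other than NT1 and the spellings of "no" other than "no" itself are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Samba code. Flags smb.conf [global] values that weaken
# IPC$ connections: an SMB1-only "client ipc max protocol" or signing off.

audit_ipc_settings() {
    # $1: smb.conf-style file, or "-"/nothing for stdin. One finding per line.
    awk '
    function norm(s) { gsub(/[ \t]+/, "", s); return tolower(s) }
    /^[ \t]*[#;]/ { next }                      # comment line
    /^[ \t]*\[/ {                               # section header
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
        in_global = (norm(sec) == "global"); next
    }
    in_global && (eq = index($0, "=")) {
        key = norm(substr($0, 1, eq - 1))       # names ignore case and blanks
        val = substr($0, eq + 1)
        sub(/^[ \t]+/, "", val); sub(/[ \t\r]+$/, "", val)
        if (key == "clientipcmaxprotocol" &&
            toupper(val) ~ /^(CORE|COREPLUS|LANMAN1|LANMAN2|NT1)$/)
            print "WEAK client ipc max protocol = " val
        # Spellings other than "no" are assumed synonyms for signing off.
        if (key == "clientipcsigning" &&
            tolower(val) ~ /^(no|false|0|off|disabled)$/)
            print "WEAK client ipc signing = " val
    }' "${1:--}"
}

# Constructed sample configuration; the [share] value must be ignored.
sample_conf() {
    cat <<'EOF'
[global]
    workgroup = EXAMPLE
    ; client ipc signing = no
    Client IPC Max Protocol = NT1
    client ipc signing = No
[share]
    client ipc max protocol = NT1
EOF
}

sample_conf | audit_ipc_settings
```

The check reads only the file it is given; a value passed with --option on the rpcclient command line, as in the examples above, still takes precedence for that run.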