s3:rpcclient add -m option (Re: [SCM] Samba Shared Repository - branch master updated)

Jeremy Allison jra at samba.org
Fri May 20 00:34:25 UTC 2016


On Thu, May 19, 2016 at 01:35:13PM +0200, Stefan Metzmacher wrote:
> Hi Christian,
> 
> I assume this patch was originally written before the badlock fixes.
> As "client max protocol" should no longer be used in rpcclient.
> We have "client ipc max protocol" which defaults to the latest supported
> protocol (currently SMB3_11).
> 
> With the attached patches the following works:
> 
> rpcclient --option="client ipc max protocol=SMB2_10" 172.31.9.163 -Uadministrator%A1b2C3d4 -c "getusername"
> Account Name: Administrator, Authority Name: W4EDOM-L4
> 
> rpcclient --option="client ipc max protocol=NT1" 172.31.9.163 -Uadministrator%A1b2C3d4 -c "getusername"
> Account Name: Administrator, Authority Name: W4EDOM-L4
> 
> rpcclient 172.31.9.163 -Uadministrator%A1b2C3d4 -c "getusername"
> Account Name: Administrator, Authority Name: W4EDOM-L4


These changes LGTM.

But might it be easier on the users to add an additional patch
that makes '-m' on the rpcclient command line set 'client ipc max protocol'?
smbclient and smbcacls both use -m to set the max protocol - with rpcclient
we could just change the ipc max protocol instead.

> > - Log -----------------------------------------------------------------
> > commit a55ac51f5f67c61bda1fee7067ad7d09a0c1efdf
> > Author: Christian Ambach <ambi at samba.org>
> > Date:   Wed May 11 18:54:58 2016 +0200
> > 
> >     s3:rpcclient add -m option
> >     
> >     Signed-off-by: Christian Ambach <ambi at samba.org>
> >     Reviewed-by: Jeremy Allison <jra at samba.org>
> >     
> >     Autobuild-User(master): Jeremy Allison <jra at samba.org>
> >     Autobuild-Date(master): Thu May 12 17:36:09 CEST 2016 on sn-devel-144
> ...
> > diff --git a/docs-xml/manpages/rpcclient.1.xml b/docs-xml/manpages/rpcclient.1.xml
> > index fcdd0c6..2ce1443 100644
> > --- a/docs-xml/manpages/rpcclient.1.xml
> > +++ b/docs-xml/manpages/rpcclient.1.xml
> > @@ -24,6 +24,7 @@
> >  		<arg choice="opt">-c <command string></arg>
> >  		<arg choice="opt">-d debuglevel</arg>
> >  		<arg choice="opt">-l logdir</arg>
> > +		<arg choice="opt">-m maxprotocol</arg>
> >  		<arg choice="opt">-N</arg>
> >  		<arg choice="opt">-s <smb config file></arg>
> >  		<arg choice="opt">-U username[%password]</arg>
> > @@ -86,6 +87,19 @@
> >  		</varlistentry>
> >  
> >  		<varlistentry>
> > +		<term>-m|--max-protocol protocol</term>
> > +		<listitem><para>This allows the user to select the
> > +		highest SMB protocol level that rpcclient will use to
> > +		connect to the server. By default this is set to
> > +		NT1, which is the highest available SMB1 protocol.
> > +		To connect using SMB2 or SMB3 protocol, use the
> > +		strings SMB2 or SMB3 respectively. Note that to connect
> > +		to a Windows 2012 server with encrypted transport selecting
> > +		a max-protocol of SMB3 is required.
> > +		</para></listitem>
> > +		</varlistentry>
> > +
> > +		<varlistentry>
> >  		<term>-p|--port port</term>
> >  		<listitem><para>This number is the TCP port number that will be used
> >  		when making connections to the server. The standard (well-known)
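
Review bot: The default documented in the new -m entry ("By default this is set to NT1") conflicts with what this thread says about rpcclient, which now follows "client ipc max protocol" and defaults to the latest supported protocol (currently SMB3_11). The entry also names only SMB2 and SMB3 as values, while the commands in this thread pass SMB2_10 and NT1; list the accepted level strings or refer to the smb.conf parameter that defines them, so a user does not cap the connection at SMB1 by following the man page.
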
> > diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
> > index c32fbc7..44d691b 100644
> > --- a/source3/rpcclient/rpcclient.c
> > +++ b/source3/rpcclient/rpcclient.c
> > @@ -913,6 +913,7 @@ out_free:
> >  		{"command",	'c', POPT_ARG_STRING,	&cmdstr, 'c', "Execute semicolon separated cmds", "COMMANDS"},
> >  		{"dest-ip", 'I', POPT_ARG_STRING,   &opt_ipaddr, 'I', "Specify destination IP address", "IP"},
> >  		{"port", 'p', POPT_ARG_INT,   &opt_port, 'p', "Specify port number", "PORT"},
> > +		{"max-protocol", 'm', POPT_ARG_STRING, NULL, 'm', "Set the max protocol level", "LEVEL" },
> >  		POPT_COMMON_SAMBA
> >  		POPT_COMMON_CONNECTION
> >  		POPT_COMMON_CREDENTIALS
> > @@ -949,6 +950,10 @@ out_free:
> >  	while((opt = poptGetNextOpt(pc)) != -1) {
> >  		switch (opt) {
> >  
> > +		case 'm':
> > +			lp_set_cmdline("client max protocol", poptGetOptArg(pc));
> > +			break;
> > +
> >  		case 'I':
> >  			if (!interpret_string_addr(&server_ss,
> >  						opt_ipaddr,
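
Review bot: The new case 'm' sets "client max protocol", which according to this thread rpcclient should no longer use; the value that governs these connections is "client ipc max protocol", so the option as written may have no effect on the negotiated dialect. The return value of lp_set_cmdline() is also discarded, so a level string that cannot be set is not reported to the user, and the string returned by poptGetOptArg(pc) is never freed. Suggest setting the ipc parameter, checking the result and exiting with a usage error on failure, and freeing the argument after the call.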

> From 5f4674e984e8ded3e0db0336b303ac32d160ceef Mon Sep 17 00:00:00 2001
> From: Stefan Metzmacher <metze at samba.org>
> Date: Thu, 19 May 2016 11:47:29 +0200
> Subject: [PATCH 1/2] Revert "s3:rpcclient add -m option"
> 
> This reverts commit a55ac51f5f67c61bda1fee7067ad7d09a0c1efdf.
> 
> This will be implemented in a more common way using the
> "client ipc max protocol" option.
> 
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=11927
> 
> Signed-off-by: Stefan Metzmacher <metze at samba.org>
> ---
>  docs-xml/manpages/rpcclient.1.xml | 14 --------------
>  source3/rpcclient/rpcclient.c     |  5 -----
>  2 files changed, 19 deletions(-)
> 
> diff --git a/docs-xml/manpages/rpcclient.1.xml b/docs-xml/manpages/rpcclient.1.xml
> index 2ce1443..fcdd0c6 100644
> --- a/docs-xml/manpages/rpcclient.1.xml
> +++ b/docs-xml/manpages/rpcclient.1.xml
> @@ -24,7 +24,6 @@
>  		<arg choice="opt">-c <command string></arg>
>  		<arg choice="opt">-d debuglevel</arg>
>  		<arg choice="opt">-l logdir</arg>
> -		<arg choice="opt">-m maxprotocol</arg>
>  		<arg choice="opt">-N</arg>
>  		<arg choice="opt">-s <smb config file></arg>
>  		<arg choice="opt">-U username[%password]</arg>
> @@ -87,19 +86,6 @@
>  		</varlistentry>
>  
>  		<varlistentry>
> -		<term>-m|--max-protocol protocol</term>
> -		<listitem><para>This allows the user to select the
> -		highest SMB protocol level that rpcclient will use to
> -		connect to the server. By default this is set to
> -		NT1, which is the highest available SMB1 protocol.
> -		To connect using SMB2 or SMB3 protocol, use the
> -		strings SMB2 or SMB3 respectively. Note that to connect
> -		to a Windows 2012 server with encrypted transport selecting
> -		a max-protocol of SMB3 is required.
> -		</para></listitem>
> -		</varlistentry>
> -
> -		<varlistentry>
>  		<term>-p|--port port</term>
>  		<listitem><para>This number is the TCP port number that will be used
>  		when making connections to the server. The standard (well-known)
> diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
> index 44d691b..efca953 100644
> --- a/source3/rpcclient/rpcclient.c
> +++ b/source3/rpcclient/rpcclient.c
> @@ -913,7 +913,6 @@ out_free:
>  		{"command",	'c', POPT_ARG_STRING,	&cmdstr, 'c', "Execute semicolon separated cmds", "COMMANDS"},
>  		{"dest-ip", 'I', POPT_ARG_STRING,   &opt_ipaddr, 'I', "Specify destination IP address", "IP"},
>  		{"port", 'p', POPT_ARG_INT,   &opt_port, 'p', "Specify port number", "PORT"},
> -		{"max-protocol", 'm', POPT_ARG_STRING, NULL, 'm', "Set the max protocol level", "LEVEL" },
>  		POPT_COMMON_SAMBA
>  		POPT_COMMON_CONNECTION
>  		POPT_COMMON_CREDENTIALS
> @@ -950,10 +949,6 @@ out_free:
>  	while((opt = poptGetNextOpt(pc)) != -1) {
>  		switch (opt) {
>  
> -		case 'm':
> -			lp_set_cmdline("client max protocol", poptGetOptArg(pc));
> -			break;
> -
>  		case 'I':
>  			if (!interpret_string_addr(&server_ss,
>  						opt_ipaddr,
> -- 
> 1.9.1
> 
> 
> From 872dfac0e321fc9f29d5b25d8a79f364f636be9b Mon Sep 17 00:00:00 2001
> From: Stefan Metzmacher <metze at samba.org>
> Date: Thu, 19 May 2016 11:47:18 +0200
> Subject: [PATCH 2/2] s3:rpcclient: make use of SMB_SIGNING_IPC_DEFAULT
> 
> This means we'll use the "client ipc min protocol", "client ipc max protocol"
> and "client ipc signing" options. But "--signing=no" or "--signing=required"
> still overwrite "client ipc signing".
> 
> The following can be used to alter the max protocol
> 
> rpcclient --option="client ipc max protocol=SMB2_10" 172.31.9.163 -Uadministrator%A1b2C3d4 -c "getusername"
> Account Name: Administrator, Authority Name: W4EDOM-L4
> 
> rpcclient --option="client ipc max protocol=NT1" 172.31.9.163 -Uadministrator%A1b2C3d4 -c "getusername"
> Account Name: Administrator, Authority Name: W4EDOM-L4
> 
> rpcclient 172.31.9.163 -Uadministrator%A1b2C3d4 -c "getusername"
> Account Name: Administrator, Authority Name: W4EDOM-L4
> 
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=11927
> 
> Signed-off-by: Stefan Metzmacher <metze at samba.org>
> ---
>  source3/rpcclient/rpcclient.c | 13 ++++++++++++-
>  1 file changed, 12 insertions(+), 1 deletion(-)
> 
> diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
> index efca953..74ae708 100644
> --- a/source3/rpcclient/rpcclient.c
> +++ b/source3/rpcclient/rpcclient.c
> @@ -904,6 +904,7 @@ out_free:
>  	const char *binding_string = NULL;
>  	char *user, *domain, *q;
>  	const char *host;
> +	int signing_state = SMB_SIGNING_IPC_DEFAULT;
>  
>  	/* make sure the vars that get altered (4th field) are in
>  	   a fixed location or certain compilers complain */
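
Review bot: The initial value on the new declaration, int signing_state = SMB_SIGNING_IPC_DEFAULT, is never read, because the later hunk assigns signing_state from get_cmdline_auth_info_signing_state() before the switch that uses it. Declare the variable without the initializer, or switch on the call directly, so that SMB_SIGNING_IPC_DEFAULT appears only where it is passed to the connect call and a reader does not assume the default reaches the switch.
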
> @@ -1077,6 +1078,16 @@ out_free:
>  		}
>  	}
>  
> +	signing_state = get_cmdline_auth_info_signing_state(rpcclient_auth_info);
> +	switch (signing_state) {
> +	case SMB_SIGNING_OFF:
> +		lp_set_cmdline("client ipc signing", "no");
> +		break;
> +	case SMB_SIGNING_REQUIRED:
> +		lp_set_cmdline("client ipc signing", "required");
> +		break;
> +	}
> +
>  	if (get_cmdline_auth_info_use_kerberos(rpcclient_auth_info)) {
>  		flags |= CLI_FULL_CONNECTION_USE_KERBEROS |
>  			 CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
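
Review bot: The switch on signing_state has no default case, so every value other than SMB_SIGNING_OFF and SMB_SIGNING_REQUIRED is dropped without comment and the connection falls back to whatever "client ipc signing" is configured to. Add an explicit default: break; with a comment saying that the remaining states intentionally leave "client ipc signing" untouched, and check the result of both lp_set_cmdline() calls, since a failed override of "required" would otherwise let the session proceed with a weaker signing setting than the user asked for on the command line.
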
> @@ -1107,7 +1118,7 @@ out_free:
>  					get_cmdline_auth_info_domain(rpcclient_auth_info),
>  					get_cmdline_auth_info_password(rpcclient_auth_info),
>  					flags,
> -					get_cmdline_auth_info_signing_state(rpcclient_auth_info));
> +					SMB_SIGNING_IPC_DEFAULT);
>  
>  	if (!NT_STATUS_IS_OK(nt_status)) {
>  		DEBUG(0,("Cannot connect to server.  Error was %s\n", nt_errstr(nt_status)));
> -- 
> 1.9.1
> 







More information about the samba-technical mailing list