[Patches] allow "min protocol = SMB3_00" to go via "SMB 2.???" negprot
Stefan Metzmacher
metze at samba.org
Thu Jan 26 09:11:45 UTC 2017
Hi,
with the recent discussion regarding the end of SMB1 I found
that not all combinations of "server min proto" allow clients to
connect.
Please review and push:-)
Thanks!
metze
-------------- next part --------------
From e5a29b2a89c828d002f604be525ad03f6e823a71 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 18 Jan 2017 08:37:30 +0100
Subject: [PATCH 1/2] s3:smbd: allow "server min protocol = SMB3_00" to go via
"SMB 2.???" negprot
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12540
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
source3/smbd/negprot.c | 23 +++++++++++++++++++++--
1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c
index bd09b1d..cdde334 100644
--- a/source3/smbd/negprot.c
+++ b/source3/smbd/negprot.c
@@ -544,6 +544,8 @@ void reply_negprot(struct smb_request *req)
struct smbXsrv_connection *xconn = req->xconn;
struct smbd_server_connection *sconn = req->sconn;
bool signing_required = true;
+ int max_proto;
+ int min_proto;
START_PROFILE(SMBnegprot);
@@ -688,11 +690,28 @@ void reply_negprot(struct smb_request *req)
FLAG_MSG_GENERAL|FLAG_MSG_SMBD
|FLAG_MSG_PRINT_GENERAL);
+ /*
+ * Anything higher than PROTOCOL_SMB2_10 still
+ * needs to go via "SMB 2.???", which is marked
+ * as PROTOCOL_SMB2_10.
+ *
+ * The real negotiation happens via reply_smb20ff()
+ * using SMB2 Negotiation.
+ */
+ max_proto = lp_server_max_protocol();
+ if (max_proto > PROTOCOL_SMB2_10) {
+ max_proto = PROTOCOL_SMB2_10;
+ }
+ min_proto = lp_server_min_protocol();
+ if (min_proto > PROTOCOL_SMB2_10) {
+ min_proto = PROTOCOL_SMB2_10;
+ }
+
/* Check for protocols, most desirable first */
for (protocol = 0; supported_protocols[protocol].proto_name; protocol++) {
i = 0;
- if ((supported_protocols[protocol].protocol_level <= lp_server_max_protocol()) &&
- (supported_protocols[protocol].protocol_level >= lp_server_min_protocol()))
+ if ((supported_protocols[protocol].protocol_level <= max_proto) &&
+ (supported_protocols[protocol].protocol_level >= min_proto))
while (i < num_cliprotos) {
if (strequal(cliprotos[i],supported_protocols[protocol].proto_name)) {
choice = i;
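Review bot: Clamping min_proto to PROTOCOL_SMB2_10 means this loop no longer enforces a configured minimum above SMB2_10. With "server min protocol = SMB3_00" the "SMB 2.???" entry is now accepted here, and the configured floor has to be applied later in the SMB2 negotiation reached via reply_smb20ff(). The new comment says the real negotiation happens there, but not that lp_server_min_protocol() is still checked there. Please state that in the comment or the commit message, so a reader can tell from this change that a client which ends up at SMB 2.10 is refused rather than silently admitted below the configured minimum.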
--
1.9.1
From cd298c0956dce89e367b146ab76cebff437d667f Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 25 Jan 2017 21:15:44 +0100
Subject: [PATCH 2/2] selftest/Samba3: use "server min protocol = SMB3_00" for
"ktest"
This verifies that clients can still connect with that setting.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12540
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
selftest/target/Samba3.pm | 2 ++
source3/selftest/tests.py | 6 +++++-
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 1ae270a..32f0c6f 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -791,6 +791,8 @@ sub setup_ktest($$$)
security = ads
username map = $prefix/lib/username.map
server signing = required
+ server min protocol = SMB3_00
+ client max protocol = SMB3
";
my $ret = $self->provision($prefix,
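Review bot: The added "client max protocol = SMB3" line is not explained; the commit message only mentions "server min protocol = SMB3_00". Please say why the client side of ktest needs it. This change also covers only the success path (clients can still connect). A companion case in which a client limited to a dialect below SMB3_00 is refused would verify that the minimum is actually enforced after the clamp in patch 1/2.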
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 0b5a0ce..4231e1d 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -454,8 +454,12 @@ for s in signseal_options:
# We should try more combinations in future, but this is all
# the pre-calculated credentials cache supports at the moment
+ #
+ # As the ktest env requires SMB3_00 we need to use "smb2" until
+ # dcerpc client code in smbtorture support autonegotiation
+ # of any smb dialect.
e = ""
- a = ""
+ a = "smb2"
binding_string = "ncacn_np:$SERVER[%s%s%s]" % (a, s, e)
options = binding_string + " -k yes --krb5-ccache=$PREFIX/ktest/krb5_ccache-2"
plansmbtorture4testsuite(test, "ktest", options, 'krb5 with old ccache ncacn_np with [%s%s%s] ' % (a, s, e))
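Review bot: Setting a = "smb2" also changes the test names, because a is interpolated into 'krb5 with old ccache ncacn_np with [%s%s%s] '. Any knownfail or flapping entries that match the old names would need updating in the same commit. Since a is now a fixed non-empty value placed directly before s in the binding string, please confirm the options still join correctly for every value in signseal_options. Comment nit: "support autonegotiation" should read "supports autonegotiation".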
--
1.9.1