[Patches] allow "min protocol = SMB3_00" to go via "SMB 2.???" negprot

Stefan Metzmacher metze at samba.org
Thu Jan 26 09:11:45 UTC 2017


Hi,

with the recent discussion regarding the end of SMB1 I found
that not all combinations of "server min proto" allow clients to
connect.

Please review and push:-)

Thanks!
metze
-------------- next part --------------
From e5a29b2a89c828d002f604be525ad03f6e823a71 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 18 Jan 2017 08:37:30 +0100
Subject: [PATCH 1/2] s3:smbd: allow "server min protocol = SMB3_00" to go via
 "SMB 2.???" negprot

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12540

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/smbd/negprot.c | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c
index bd09b1d..cdde334 100644
--- a/source3/smbd/negprot.c
+++ b/source3/smbd/negprot.c
@@ -544,6 +544,8 @@ void reply_negprot(struct smb_request *req)
 	struct smbXsrv_connection *xconn = req->xconn;
 	struct smbd_server_connection *sconn = req->sconn;
 	bool signing_required = true;
+	int max_proto;
+	int min_proto;
 
 	START_PROFILE(SMBnegprot);
 
@@ -688,11 +690,28 @@ void reply_negprot(struct smb_request *req)
 			  FLAG_MSG_GENERAL|FLAG_MSG_SMBD
 			  |FLAG_MSG_PRINT_GENERAL);
 
+	/*
+	 * Anything higher than PROTOCOL_SMB2_10 still
+	 * needs to go via "SMB 2.???", which is marked
+	 * as PROTOCOL_SMB2_10.
+	 *
+	 * The real negotiation happens via reply_smb20ff()
+	 * using SMB2 Negotiation.
+	 */
+	max_proto = lp_server_max_protocol();
+	if (max_proto > PROTOCOL_SMB2_10) {
+		max_proto = PROTOCOL_SMB2_10;
+	}
+	min_proto = lp_server_min_protocol();
+	if (min_proto > PROTOCOL_SMB2_10) {
+		min_proto = PROTOCOL_SMB2_10;
+	}
+
 	/* Check for protocols, most desirable first */
 	for (protocol = 0; supported_protocols[protocol].proto_name; protocol++) {
 		i = 0;
-		if ((supported_protocols[protocol].protocol_level <= lp_server_max_protocol()) &&
-				(supported_protocols[protocol].protocol_level >= lp_server_min_protocol()))
+		if ((supported_protocols[protocol].protocol_level <= max_proto) &&
+		    (supported_protocols[protocol].protocol_level >= min_proto))
 			while (i < num_cliprotos) {
 				if (strequal(cliprotos[i],supported_protocols[protocol].proto_name)) {
 					choice = i;
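Review bot: clamping min_proto to PROTOCOL_SMB2_10 just before the loop means this loop no longer enforces a configured "server min protocol" above SMB2_10. A client offering "SMB 2.???" now gets past it even when the server is set to SMB3_00. The new comment says the real negotiation happens via reply_smb20ff(), but it does not say that the configured minimum is checked again there, and nothing in these lines shows that check. Please extend the comment to state where the unclamped lp_server_min_protocol() value is enforced, so a later reader does not mistake the clamp for a relaxation of the setting.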
-- 
1.9.1


From cd298c0956dce89e367b146ab76cebff437d667f Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 25 Jan 2017 21:15:44 +0100
Subject: [PATCH 2/2] selftest/Samba3: use "server min protocol = SMB3_00" for
 "ktest"

This verifies that clients can still connect with that setting.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12540

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 selftest/target/Samba3.pm | 2 ++
 source3/selftest/tests.py | 6 +++++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 1ae270a..32f0c6f 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -791,6 +791,8 @@ sub setup_ktest($$$)
 	security = ads
         username map = $prefix/lib/username.map
         server signing = required
+	server min protocol = SMB3_00
+	client max protocol = SMB3
 ";
 
 	my $ret = $self->provision($prefix,
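Review bot: the commit message explains "server min protocol = SMB3_00" but says nothing about the second added line, "client max protocol = SMB3". Please state in the message why the ktest environment needs the client setting changed as well, since it alters what the client side of this environment negotiates and is not implied by the subject line. Minor: the two new lines are tab-indented like "security = ads", while the neighbouring "username map" and "server signing" lines use spaces.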
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 0b5a0ce..4231e1d 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -454,8 +454,12 @@ for s in signseal_options:
 
     # We should try more combinations in future, but this is all
     # the pre-calculated credentials cache supports at the moment
+    #
+    # As the ktest env requires SMB3_00 we need to use "smb2" until
+    # dcerpc client code in smbtorture support autonegotiation
+    # of any smb dialect.
     e = ""
-    a = ""
+    a = "smb2"
     binding_string = "ncacn_np:$SERVER[%s%s%s]" % (a, s, e)
     options = binding_string + " -k yes --krb5-ccache=$PREFIX/ktest/krb5_ccache-2"
     plansmbtorture4testsuite(test, "ktest", options, 'krb5 with old ccache ncacn_np with [%s%s%s] ' % (a, s, e))
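Review bot: with a = "smb2" hard-coded, every ncacn_np binding planned in this loop forces SMB2, and the test names built from (a, s, e) change too, so this only proves the positive case that a client can still connect. A companion test where the client cannot reach SMB3_00 and is expected to be refused would show that the minimum is still enforced after PATCH 1/2. In the new comment, "until dcerpc client code in smbtorture support autonegotiation" should read "supports".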
-- 
1.9.1
