[PATCH] s3:smb2_tcon: Add check to prevent non-DFS clients from connecting to an msdfs proxy.

Christof Schmitt cs at samba.org
Fri Apr 6 17:25:55 UTC 2018


On Fri, Apr 06, 2018 at 04:47:45PM +0200, Ralph Wuerthner via samba-technical wrote:
> On 06.04.2018 16:27, Volker Lendecke wrote:
> >On Fri, Apr 06, 2018 at 04:24:33PM +0200, Swen Schillig via samba-technical wrote:
> >>>Another team reviewer?
> >>
> >>Really ?
> >>No README.Coding anymore ?
> >>
> >>Referring to Jeremy's latest requirement regarding
> >>function parameter list.
> >
> >Ok, sorry, this is a copy&paste. NACK on this patch. Apologies.
> >
> >Volker
> >
> 
> No problem. Please see my updated version.

Looks good.

Would it be possible to implement an autobuild testcase for that? Have a
share with 'msdfs proxy' set and then verify that a tree connect from a
smbtorture testcase is refused with NT_STATUS_BAD_NETWORK_NAME?

Christof

> 
> -- 
> Regards
> 
>    Ralph Wuerthner

> From 57b3f7ce127c8db257833ae9235dd40b1ccbf74f Mon Sep 17 00:00:00 2001
> From: Ralph Wuerthner <ralph.wuerthner at de.ibm.com>
> Date: Thu, 29 Mar 2018 10:00:41 +0200
> Subject: [PATCH] s3:smb2_tcon: Add check to prevent non-DFS clients from
>  connecting to an msdfs proxy.
> 
> Signed-off-by: Ralph Wuerthner <ralph.wuerthner at de.ibm.com>
> ---
>  source3/smbd/smb2_tcon.c | 13 +++++++++++++
>  1 file changed, 13 insertions(+)
> 
> diff --git a/source3/smbd/smb2_tcon.c b/source3/smbd/smb2_tcon.c
> index 07e01cddd46..292c35cbdfd 100644
> --- a/source3/smbd/smb2_tcon.c
> +++ b/source3/smbd/smb2_tcon.c
> @@ -270,6 +270,19 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req,
>  		return NT_STATUS_BAD_NETWORK_NAME;
>  	}
>  
> +	/* Handle non-DFS clients attempting connections to msdfs proxy */
> +	if (lp_host_msdfs()) {
> +		const char *proxy = lp_msdfs_proxy(talloc_tos(), snum);
> +
> +		if ((proxy != NULL) && (*proxy != '\0')) {
> +			DBG_NOTICE("refusing connection to dfs proxy share "
> +				   "'%s' (pointing to %s)\n",
> +				   service,
> +				   proxy);
> +			return NT_STATUS_BAD_NETWORK_NAME;
> +		}
> +	}
> +
>  	if ((lp_smb_encrypt(snum) >= SMB_SIGNING_DESIRED) &&
>  	    (conn->smb2.server.cipher != 0))
>  	{
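Review bot: The condition in the added block tests only lp_host_msdfs() and a non-empty lp_msdfs_proxy() value, with nothing that distinguishes a DFS-aware client from any other, so the comment "Handle non-DFS clients attempting connections to msdfs proxy" and the subject line promise more than the code checks. If the intent is that every tree connect reaching this point on a proxy share is refused, say so in the comment and in the commit message body, which is currently empty apart from the Signed-off-by. The refusal path also has no test in this patch; the case Christof describes (a share with 'msdfs proxy' set, tree connect expected to fail with NT_STATUS_BAD_NETWORK_NAME) would cover it.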
> -- 
> 2.17.0
> 



