[PATCH] s3:smb2_tcon: Add check to prevent non-DFS clients from connecting to an msdfs proxy.
Christof Schmitt
cs at samba.org
Fri Apr 6 17:25:55 UTC 2018
On Fri, Apr 06, 2018 at 04:47:45PM +0200, Ralph Wuerthner via samba-technical wrote:
> On 06.04.2018 16:27, Volker Lendecke wrote:
> >On Fri, Apr 06, 2018 at 04:24:33PM +0200, Swen Schillig via samba-technical wrote:
> >>>Another team reviewer?
> >>
> >>Really ?
> >>No README.Coding anymore ?
> >>
> >>Referring to Jeremy's latest requirement regarding
> >>function parameter list.
> >
> >Ok, sorry, this is a copy&paste. NACK on this patch. Apologies.
> >
> >Volker
> >
>
> No problem. Please see my updated version.
Looks good.
Would it be possible to implement an autobuild testcase for that? Have a
share with 'msdfs proxy' set and then verify that a tree connect from a
smbtorture testcase is refused with NT_STATUS_BAD_NETWORK_NAME?
Christof
>
> --
> Regards
>
> Ralph Wuerthner
> From 57b3f7ce127c8db257833ae9235dd40b1ccbf74f Mon Sep 17 00:00:00 2001
> From: Ralph Wuerthner <ralph.wuerthner at de.ibm.com>
> Date: Thu, 29 Mar 2018 10:00:41 +0200
> Subject: [PATCH] s3:smb2_tcon: Add check to prevent non-DFS clients from
> connecting to an msdfs proxy.
>
> Signed-off-by: Ralph Wuerthner <ralph.wuerthner at de.ibm.com>
> ---
> source3/smbd/smb2_tcon.c | 13 +++++++++++++
> 1 file changed, 13 insertions(+)
>
> diff --git a/source3/smbd/smb2_tcon.c b/source3/smbd/smb2_tcon.c
> index 07e01cddd46..292c35cbdfd 100644
> --- a/source3/smbd/smb2_tcon.c
> +++ b/source3/smbd/smb2_tcon.c
> @@ -270,6 +270,19 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req,
> return NT_STATUS_BAD_NETWORK_NAME;
> }
>
> + /* Handle non-DFS clients attempting connections to msdfs proxy */
> + if (lp_host_msdfs()) {
> + const char *proxy = lp_msdfs_proxy(talloc_tos(), snum);
> +
> + if ((proxy != NULL) && (*proxy != '\0')) {
> + DBG_NOTICE("refusing connection to dfs proxy share "
> + "'%s' (pointing to %s)\n",
> + service,
> + proxy);
> + return NT_STATUS_BAD_NETWORK_NAME;
> + }
> + }
> +
> if ((lp_smb_encrypt(snum) >= SMB_SIGNING_DESIRED) &&
> (conn->smb2.server.cipher != 0))
> {
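Review bot: the comment on the added block says "non-DFS clients", but the condition below it only tests lp_host_msdfs() and a non-empty lp_msdfs_proxy() value, and nothing in the visible lines looks at what the client supports. As written, every SMB2 tree connect to a share with a proxy set returns NT_STATUS_BAD_NETWORK_NAME. If that is the intent, the comment should say the proxy share itself is never connectable over SMB2, and the commit message, which currently has only a subject and a Signed-off-by, should carry a short body explaining why. The diffstat shows only source3/smbd/smb2_tcon.c changing, so a test that sets 'msdfs proxy' on a share and asserts this status on tree connect would keep the refusal from regressing.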
> --
> 2.17.0
>