Fix reauth of Windows clients without signing
Stefan (metze) Metzmacher
metze at samba.org
Fri Dec 12 08:12:22 MST 2014
Hi,
here're patches for https://bugzilla.samba.org/show_bug.cgi?id=10958.
Please review and push.
metze
-------------- next part --------------
From b4e5a04f069f73db46d1463dc8aba0cab814d2c0 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 12 Dec 2014 09:22:15 +0100
Subject: [PATCH 1/2] s3:smb2_server: allow reauthentication without signing
If signing is not required we should not require it for reauthentication.
Windows clients would otherwise fail to reauthenticate.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10958
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
source3/smbd/smb2_server.c | 5 -----
source3/smbd/smb2_sesssetup.c | 4 ++++
2 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index 4a2c875..46bf6f9 100644
--- a/source3/smbd/smb2_server.c
+++ b/source3/smbd/smb2_server.c
@@ -1990,11 +1990,6 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
if (x != NULL) {
signing_required = x->global->signing_required;
encryption_required = x->global->encryption_required;
-
- if (opcode == SMB2_OP_SESSSETUP &&
- x->global->signing_key.length > 0) {
- signing_required = true;
- }
}
req->do_signing = false;
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index 78cafe8..2f58e44 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -422,6 +422,10 @@ static NTSTATUS smbd_smb2_reauth_generic_return(struct smbXsrv_session *session,
conn_clear_vuid_caches(smb2req->sconn, session->compat->vuid);
+ if (security_session_user_level(session_info, NULL) >= SECURITY_USER) {
+ smb2req->do_signing = true;
+ }
+
*out_session_id = session->global->session_wire_id;
return NT_STATUS_OK;
--
1.9.1
From d3578997eb0f15ab887ea955c6c99980817c4270 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 12 Dec 2014 13:55:38 +0000
Subject: [PATCH 2/2] libcli/smb: only force signing of smb2 session setups
when binding a new session
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10958
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
libcli/smb/smbXcli_base.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index a3a7ecb..8aa6020 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -2682,7 +2682,12 @@ struct tevent_req *smb2cli_req_create(TALLOC_CTX *mem_ctx,
state->smb2.should_encrypt = session->smb2->should_encrypt;
if (cmd == SMB2_OP_SESSSETUP &&
- session->smb2->signing_key.length != 0) {
+ session->smb2_channel.signing_key.length == 0 &&
+ session->smb2->signing_key.length != 0)
+ {
+ /*
+ * a session bind needs to be signed
+ */
state->smb2.should_sign = true;
}
--
1.9.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20141212/b2d03791/attachment.pgp>
More information about the samba-technical
mailing list