s3:rpcclient add -m option (Re: [SCM] Samba Shared Repository - branch master updated)

Stefan Metzmacher metze at samba.org
Thu May 19 11:35:13 UTC 2016


Hi Christian,

I assume this patch was originally written before the badlock fixes.
As "client max protocol" should no longer be used in rpcclient.
We have "client ipc max protocol" which defaults to the latest supported
protocol (currently SMB3_11).

With the attached patches the following works:

rpcclient --option="client ipc max protocol=SMB2_10" 172.31.9.163 -Uadministrator%A1b2C3d4 -c "getusername"
Account Name: Administrator, Authority Name: W4EDOM-L4

rpcclient --option="client ipc max protocol=NT1" 172.31.9.163 -Uadministrator%A1b2C3d4 -c "getusername"
Account Name: Administrator, Authority Name: W4EDOM-L4

rpcclient 172.31.9.163 -Uadministrator%A1b2C3d4 -c "getusername"
Account Name: Administrator, Authority Name: W4EDOM-L4

metze

> - Log -----------------------------------------------------------------
> commit a55ac51f5f67c61bda1fee7067ad7d09a0c1efdf
> Author: Christian Ambach <ambi at samba.org>
> Date:   Wed May 11 18:54:58 2016 +0200
> 
>     s3:rpcclient add -m option
>     
>     Signed-off-by: Christian Ambach <ambi at samba.org>
>     Reviewed-by: Jeremy Allison <jra at samba.org>
>     
>     Autobuild-User(master): Jeremy Allison <jra at samba.org>
>     Autobuild-Date(master): Thu May 12 17:36:09 CEST 2016 on sn-devel-144
...
> diff --git a/docs-xml/manpages/rpcclient.1.xml b/docs-xml/manpages/rpcclient.1.xml
> index fcdd0c6..2ce1443 100644
> --- a/docs-xml/manpages/rpcclient.1.xml
> +++ b/docs-xml/manpages/rpcclient.1.xml
> @@ -24,6 +24,7 @@
>  		<arg choice="opt">-c <command string></arg>
>  		<arg choice="opt">-d debuglevel</arg>
>  		<arg choice="opt">-l logdir</arg>
> +		<arg choice="opt">-m maxprotocol</arg>
>  		<arg choice="opt">-N</arg>
>  		<arg choice="opt">-s <smb config file></arg>
>  		<arg choice="opt">-U username[%password]</arg>
> @@ -86,6 +87,19 @@
>  		</varlistentry>
>  
>  		<varlistentry>
> +		<term>-m|--max-protocol protocol</term>
> +		<listitem><para>This allows the user to select the
> +		highest SMB protocol level that rpcclient will use to
> +		connect to the server. By default this is set to
> +		NT1, which is the highest available SMB1 protocol.
> +		To connect using SMB2 or SMB3 protocol, use the
> +		strings SMB2 or SMB3 respectively. Note that to connect
> +		to a Windows 2012 server with encrypted transport selecting
> +		a max-protocol of SMB3 is required.
> +		</para></listitem>
> +		</varlistentry>
> +
> +		<varlistentry>
>  		<term>-p|--port port</term>
>  		<listitem><para>This number is the TCP port number that will be used
>  		when making connections to the server. The standard (well-known)
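Review bot: The new `-m|--max-protocol` entry hard-codes a default ("By default this is set to NT1") without naming the smb.conf parameter the option maps to, so the manpage text can drift from the real default. Name the parameter in the `<para>` and refer to its documented default instead of stating NT1 here. The text also mentions only the strings SMB2 and SMB3; list the accepted level strings or point to where they are defined.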
> diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
> index c32fbc7..44d691b 100644
> --- a/source3/rpcclient/rpcclient.c
> +++ b/source3/rpcclient/rpcclient.c
> @@ -913,6 +913,7 @@ out_free:
>  		{"command",	'c', POPT_ARG_STRING,	&cmdstr, 'c', "Execute semicolon separated cmds", "COMMANDS"},
>  		{"dest-ip", 'I', POPT_ARG_STRING,   &opt_ipaddr, 'I', "Specify destination IP address", "IP"},
>  		{"port", 'p', POPT_ARG_INT,   &opt_port, 'p', "Specify port number", "PORT"},
> +		{"max-protocol", 'm', POPT_ARG_STRING, NULL, 'm', "Set the max protocol level", "LEVEL" },
>  		POPT_COMMON_SAMBA
>  		POPT_COMMON_CONNECTION
>  		POPT_COMMON_CREDENTIALS
> @@ -949,6 +950,10 @@ out_free:
>  	while((opt = poptGetNextOpt(pc)) != -1) {
>  		switch (opt) {
>  
> +		case 'm':
> +			lp_set_cmdline("client max protocol", poptGetOptArg(pc));
> +			break;
> +
>  		case 'I':
>  			if (!interpret_string_addr(&server_ss,
>  						opt_ipaddr,
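Review bot: In the new `case 'm':` the value from `poptGetOptArg(pc)` goes straight into `lp_set_cmdline("client max protocol", ...)` and the result of that call is discarded, so nothing here reacts if the level string is rejected. Check the return value and exit with a usage error on failure, and free the string returned by `poptGetOptArg()`, which the caller owns. The parameter name also needs a second look: Stefan's reply at the top of this message says rpcclient should follow "client ipc max protocol", not "client max protocol".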
-------------- next part --------------
From 5f4674e984e8ded3e0db0336b303ac32d160ceef Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 19 May 2016 11:47:29 +0200
Subject: [PATCH 1/2] Revert "s3:rpcclient add -m option"

This reverts commit a55ac51f5f67c61bda1fee7067ad7d09a0c1efdf.

This will be implemented in a more common way using the
"client ipc max protocol" option.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11927

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 docs-xml/manpages/rpcclient.1.xml | 14 --------------
 source3/rpcclient/rpcclient.c     |  5 -----
 2 files changed, 19 deletions(-)

diff --git a/docs-xml/manpages/rpcclient.1.xml b/docs-xml/manpages/rpcclient.1.xml
index 2ce1443..fcdd0c6 100644
--- a/docs-xml/manpages/rpcclient.1.xml
+++ b/docs-xml/manpages/rpcclient.1.xml
@@ -24,7 +24,6 @@
 		<arg choice="opt">-c <command string></arg>
 		<arg choice="opt">-d debuglevel</arg>
 		<arg choice="opt">-l logdir</arg>
-		<arg choice="opt">-m maxprotocol</arg>
 		<arg choice="opt">-N</arg>
 		<arg choice="opt">-s <smb config file></arg>
 		<arg choice="opt">-U username[%password]</arg>
@@ -87,19 +86,6 @@
 		</varlistentry>
 
 		<varlistentry>
-		<term>-m|--max-protocol protocol</term>
-		<listitem><para>This allows the user to select the
-		highest SMB protocol level that rpcclient will use to
-		connect to the server. By default this is set to
-		NT1, which is the highest available SMB1 protocol.
-		To connect using SMB2 or SMB3 protocol, use the
-		strings SMB2 or SMB3 respectively. Note that to connect
-		to a Windows 2012 server with encrypted transport selecting
-		a max-protocol of SMB3 is required.
-		</para></listitem>
-		</varlistentry>
-
-		<varlistentry>
 		<term>-p|--port port</term>
 		<listitem><para>This number is the TCP port number that will be used
 		when making connections to the server. The standard (well-known)
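Review bot: Removing the `-m|--max-protocol` `<varlistentry>` takes the only visible description of protocol selection out of rpcclient.1.xml, while the commit message says the feature now lives in "client ipc max protocol". Unless the manpage already covers it elsewhere, add a short pointer to that smb.conf option, set via `--option` as in the examples in this mail, so the replacement is documented where users of `-m` will look.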
diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
index 44d691b..efca953 100644
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -913,7 +913,6 @@ out_free:
 		{"command",	'c', POPT_ARG_STRING,	&cmdstr, 'c', "Execute semicolon separated cmds", "COMMANDS"},
 		{"dest-ip", 'I', POPT_ARG_STRING,   &opt_ipaddr, 'I', "Specify destination IP address", "IP"},
 		{"port", 'p', POPT_ARG_INT,   &opt_port, 'p', "Specify port number", "PORT"},
-		{"max-protocol", 'm', POPT_ARG_STRING, NULL, 'm', "Set the max protocol level", "LEVEL" },
 		POPT_COMMON_SAMBA
 		POPT_COMMON_CONNECTION
 		POPT_COMMON_CREDENTIALS
@@ -950,10 +949,6 @@ out_free:
 	while((opt = poptGetNextOpt(pc)) != -1) {
 		switch (opt) {
 
-		case 'm':
-			lp_set_cmdline("client max protocol", poptGetOptArg(pc));
-			break;
-
 		case 'I':
 			if (!interpret_string_addr(&server_ss,
 						opt_ipaddr,
-- 
1.9.1


From 872dfac0e321fc9f29d5b25d8a79f364f636be9b Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 19 May 2016 11:47:18 +0200
Subject: [PATCH 2/2] s3:rpcclient: make use of SMB_SIGNING_IPC_DEFAULT

This means we'll use the "client ipc min protocol", "client ipc max protocol"
and "client ipc signing" options. But "--signing=no" or "--signing=required"
still overwrite "client ipc signing".

The following can be used to alter the max protocol

rpcclient --option="client ipc max protocol=SMB2_10" 172.31.9.163 -Uadministrator%A1b2C3d4 -c "getusername"
Account Name: Administrator, Authority Name: W4EDOM-L4

rpcclient --option="client ipc max protocol=NT1" 172.31.9.163 -Uadministrator%A1b2C3d4 -c "getusername"
Account Name: Administrator, Authority Name: W4EDOM-L4

rpcclient 172.31.9.163 -Uadministrator%A1b2C3d4 -c "getusername"
Account Name: Administrator, Authority Name: W4EDOM-L4

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11927

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/rpcclient/rpcclient.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
index efca953..74ae708 100644
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -904,6 +904,7 @@ out_free:
 	const char *binding_string = NULL;
 	char *user, *domain, *q;
 	const char *host;
+	int signing_state = SMB_SIGNING_IPC_DEFAULT;
 
 	/* make sure the vars that get altered (4th field) are in
 	   a fixed location or certain compilers complain */
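Review bot: The initializer on the added `int signing_state = SMB_SIGNING_IPC_DEFAULT;` is never read, because the next hunk assigns `signing_state` from `get_cmdline_auth_info_signing_state()` before its only use in the `switch`. Drop the initializer, or declare the variable next to the assignment, so the declaration does not suggest that the default value is relied on.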
@@ -1077,6 +1078,16 @@ out_free:
 		}
 	}
 
+	signing_state = get_cmdline_auth_info_signing_state(rpcclient_auth_info);
+	switch (signing_state) {
+	case SMB_SIGNING_OFF:
+		lp_set_cmdline("client ipc signing", "no");
+		break;
+	case SMB_SIGNING_REQUIRED:
+		lp_set_cmdline("client ipc signing", "required");
+		break;
+	}
+
 	if (get_cmdline_auth_info_use_kerberos(rpcclient_auth_info)) {
 		flags |= CLI_FULL_CONNECTION_USE_KERBEROS |
 			 CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
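Review bot: The added `switch (signing_state)` handles only `SMB_SIGNING_OFF` and `SMB_SIGNING_REQUIRED` and has no `default:` label, so every other value returned by `get_cmdline_auth_info_signing_state()` is dropped without comment. Add an explicit `default:` with a short comment saying that those cases intentionally leave "client ipc signing" at its configured value. The results of the two `lp_set_cmdline()` calls are also ignored; check them or note why a failure cannot matter here.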
@@ -1107,7 +1118,7 @@ out_free:
 					get_cmdline_auth_info_domain(rpcclient_auth_info),
 					get_cmdline_auth_info_password(rpcclient_auth_info),
 					flags,
-					get_cmdline_auth_info_signing_state(rpcclient_auth_info));
+					SMB_SIGNING_IPC_DEFAULT);
 
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		DEBUG(0,("Cannot connect to server.  Error was %s\n", nt_errstr(nt_status)));
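Review bot: With the last argument now the constant `SMB_SIGNING_IPC_DEFAULT`, the command-line signing state reaches this call only through the `lp_set_cmdline("client ipc signing", ...)` calls added earlier in the function, and that dependency is not visible at the call site. Add a one-line comment above the argument saying so, to keep a later reader from restoring the old `get_cmdline_auth_info_signing_state()` argument.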
-- 
1.9.1
