Andreas Schneider [Tue, 20 Jul 2021 13:55:53 +0000 (15:55 +0200)]
bootstrap: Install krb5-workstation on Fedora based distros
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Stefan Metzmacher [Thu, 15 Jul 2021 11:20:22 +0000 (13:20 +0200)]
s3:smbd: really support AES-256* in the server
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14764
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jul 20 16:13:28 UTC 2021 on sn-devel-184
Stefan Metzmacher [Mon, 19 Jul 2021 16:38:06 +0000 (18:38 +0200)]
s4:torture/smb2: add tests to check all signing and encryption algorithms
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14764
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Tue, 9 Mar 2021 09:40:04 +0000 (10:40 +0100)]
gnutls: allow gnutls_aead_cipher_encryptv2 with gcm before 3.6.15
The memory leak bug up to 3.6.14 was only related to ccm, but gcm was
fine.
This avoids talloc+memcpy on more systems, e.g. ubuntu 20.04,
and brings ~ 20% less cpu overhead, see:
https://hackmd.io/@asn/samba_crypto_benchmarks
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14764
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
David Mulder [Mon, 19 Jul 2021 17:36:09 +0000 (11:36 -0600)]
gpo: Improve debug when extension fails to apply
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
David Mulder [Mon, 19 Jul 2021 17:18:53 +0000 (11:18 -0600)]
gpo: Warn when fetching the supported templates fails
When Certificate Auto Enrollment fails to fetch
the list of supported templates, display a
warning.
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
David Mulder [Mon, 19 Jul 2021 17:11:56 +0000 (11:11 -0600)]
gpo: Ensure Network Device Enrollment Service if sscep fails
Prompt the user to check that Network Device
Enrollment Service is installed and configured
if sscep fails to download the certificate root
chain.
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Mon, 19 Jul 2021 10:57:50 +0000 (12:57 +0200)]
tdb: version 1.4.5
* fix standalone usage of tdb.h
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jul 20 11:48:38 UTC 2021 on sn-devel-184
Günther Deschner [Fri, 16 Jul 2021 15:29:40 +0000 (17:29 +0200)]
tdb: Fix invalid syntax in tdb.h
Defining _PUBLIC_ in the same way as in talloc.h resolves an issue with
a previous fix for Solaris Studio compiler 12.4 that prefixed all calls
in tdb.h with _PUBLIC_. Thanks to Lukas Slebodnik
<lslebodn@redhat.com>.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14762
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Martin Schwenke [Tue, 27 Apr 2021 05:45:17 +0000 (15:45 +1000)]
utils: Avoid pylint warning
pylint warns:
Use lazy % formatting in logging functions
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jose A. Rivera <jarrpa@samba.org>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Tue Jul 20 05:29:18 UTC 2021 on sn-devel-184
Martin Schwenke [Tue, 27 Apr 2021 05:37:43 +0000 (15:37 +1000)]
utils: Reformat lines that are longer than 80 columns
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jose A. Rivera <jarrpa@samba.org>
Martin Schwenke [Tue, 27 Apr 2021 04:56:20 +0000 (14:56 +1000)]
utils: Tweak exception handling to stop flake8 complaining
Don't bother with "as e" to avoid warning about unused variable.
Don't use bare "except:" (though pylint still complains about this
version).
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jose A. Rivera <jarrpa@samba.org>
Martin Schwenke [Wed, 26 May 2021 01:18:04 +0000 (11:18 +1000)]
utils: Simplify log level logic, drop global variable
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jose A. Rivera <jarrpa@samba.org>
Martin Schwenke [Tue, 27 Apr 2021 04:50:15 +0000 (14:50 +1000)]
utils: Inline defaults and help strings
Removes an unnecessary level of indirection: defaults and help strings
are now where they are expected. Also removes some global variables.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jose A. Rivera <jarrpa@samba.org>
Martin Schwenke [Wed, 26 May 2021 00:57:07 +0000 (10:57 +1000)]
utils: Move argument processing into function and call from main()
Removes the need for the global variables currently associated with
this processing. Also removes unnecessarily double-handling the
defaults, which are assigned to the global variables and set via
add_argument().
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jose A. Rivera <jarrpa@samba.org>
Martin Schwenke [Tue, 27 Apr 2021 03:00:49 +0000 (13:00 +1000)]
utils: Reorder imports so that standard imports are first
Avoids numerous pylint warnings.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jose A. Rivera <jarrpa@samba.org>
Martin Schwenke [Tue, 27 Apr 2021 02:59:17 +0000 (12:59 +1000)]
utils: Clean up ctdb_etcd_lock using autopep8
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jose A. Rivera <jarrpa@samba.org>
Martin Schwenke [Tue, 27 Apr 2021 05:46:14 +0000 (15:46 +1000)]
utils: Use Python 3
Due to the number of flake8 and pylint warnings it is unclear if the
source has Python 3 incompatibilities. These will be cleaned up in
subsequent commits.
Signed-off-by: "L.P.H. van Belle" <belle@bazuin.nl>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jose A. Rivera <jarrpa@samba.org>
Volker Lendecke [Sat, 26 Jun 2021 12:21:49 +0000 (14:21 +0200)]
examples: Make winreg.py sample work with python3 in current master
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Jul 19 17:44:08 UTC 2021 on sn-devel-184
Andreas Schneider [Thu, 15 Jul 2021 14:52:02 +0000 (16:52 +0200)]
gitignore: Add .cache directory
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Jul 19 15:27:14 UTC 2021 on sn-devel-184
Andreas Schneider [Thu, 15 Jul 2021 14:50:56 +0000 (16:50 +0200)]
selftest: Add PYTHONPATH for lsp servers to devel_env.sh
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Andreas Schneider [Wed, 14 Jul 2021 09:38:39 +0000 (11:38 +0200)]
s3:utils: Use better error message for smbtree
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jul 16 03:45:19 UTC 2021 on sn-devel-184
Stefan Metzmacher [Tue, 29 Jun 2021 13:42:56 +0000 (15:42 +0200)]
libcli/smb: allow unexpected padding in SMB2 READ responses
Make use of smb2cli_parse_dyn_buffer() in smb2cli_read_done()
as it was exactly introduced for a similar problem see:
commit
4c6c71e1378401d66bf2ed230544a75f7b04376f
Author: Stefan Metzmacher <metze@samba.org>
AuthorDate: Thu Jan 14 17:32:15 2021 +0100
Commit: Volker Lendecke <vl@samba.org>
CommitDate: Fri Jan 15 08:36:34 2021 +0000
libcli/smb: allow unexpected padding in SMB2 IOCTL responses
A NetApp Ontap 7.3.7 SMB server add 8 padding bytes to an
offset that's already 8 byte aligned.
RN: Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607
Pair-Programmed-With: Volker Lendecke <vl@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri Jan 15 08:36:34 UTC 2021 on sn-devel-184
RN: Work around special SMB2 READ response behavior of NetApp Ontap 7.3.7
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jul 15 23:53:55 UTC 2021 on sn-devel-184
Stefan Metzmacher [Tue, 29 Jun 2021 13:24:13 +0000 (15:24 +0200)]
libcli/smb: make smb2cli_ioctl_parse_buffer() available as smb2cli_parse_dyn_buffer()
It will be used in smb2cli_read.c soon...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Mon, 5 Jul 2021 15:49:00 +0000 (17:49 +0200)]
s3:smbd: implement FSCTL_SMBTORTURE_GLOBAL_READ_RESPONSE_BODY_PADDING8
This turns the 'smb2.read.bug14607' test from 'skip' into 'xfailure',
as the 2nd smb2cli_read() function will now return
NT_STATUS_INVALID_NETWORK_RESPONSE.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Mon, 5 Jul 2021 15:49:00 +0000 (17:49 +0200)]
s3:smbd: introduce a body_size variable in smbd_smb2_request_read_done
This will simplify the following changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Tue, 6 Jul 2021 14:24:59 +0000 (16:24 +0200)]
s4:torture/smb2: add smb2.read.bug14607 test
This test will use a FSCTL_SMBTORTURE_GLOBAL_READ_RESPONSE_BODY_PADDING8
in order to change the server behavior of READ responses regarding
the data offset.
It will demonstrate the problem in smb2cli_read*() triggered
by NetApp Ontap servers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
David Mulder [Mon, 12 Jul 2021 21:18:04 +0000 (15:18 -0600)]
Update WHATSNEW for Certificate Auto Enrollment
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jul 15 20:03:45 UTC 2021 on sn-devel-184
David Mulder [Fri, 2 Jul 2021 20:44:43 +0000 (20:44 +0000)]
gpo: Test Certificate Auto Enrollment Policy
Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
David Mulder [Mon, 28 Jun 2021 15:06:09 +0000 (09:06 -0600)]
gpo: Fix up rsop output of ca certificate
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
David Mulder [Thu, 17 Jun 2021 15:13:12 +0000 (09:13 -0600)]
gpo: Add Certificate Auto Enrollment Policy
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Karolin Seeger [Thu, 15 Jul 2021 07:42:49 +0000 (09:42 +0200)]
WHATSNEW: Start release notes for Samba 4.16.0pre1.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Jule Anger <janger@samba.org>
Karolin Seeger [Thu, 15 Jul 2021 07:38:41 +0000 (09:38 +0200)]
VERSION: Bump version up to 4.16.0pre1...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Jule Anger <janger@samba.org>
Karolin Seeger [Thu, 15 Jul 2021 07:09:37 +0000 (09:09 +0200)]
VERSION: Disable GIT_SNAPSHOT for the Samba 4.15.0rc1 release.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Jule Anger <janger@samba.org>
Karolin Seeger [Thu, 15 Jul 2021 07:06:20 +0000 (09:06 +0200)]
WHATSNEW: Up to Samba 4.15.0rc1.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Jule Anger <janger@samba.org>
Karolin Seeger [Thu, 15 Jul 2021 07:04:18 +0000 (09:04 +0200)]
WHATSNEW: Fix typos.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Jule Anger <janger@samba.org>
Jeremy Allison [Wed, 14 Jul 2021 18:23:54 +0000 (11:23 -0700)]
s3: VFS: default. In vfswrap_getxattrat_do_async() always use the pathref fsp.
This is always called via a path that mandates
smb_fname->fsp is valid.
https://bugzilla.samba.org/show_bug.cgi?id=14758
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Jul 15 05:48:05 UTC 2021 on sn-devel-184
Jeremy Allison [Wed, 14 Jul 2021 18:23:03 +0000 (11:23 -0700)]
s3: VFS: default. In vfswrap_getxattrat_do_sync() always use the pathref fsp.
This is always called via a path that mandates
smb_fname->fsp is valid.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14758
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Wed, 14 Jul 2021 18:35:06 +0000 (11:35 -0700)]
s3: VFS: default: Add 'handle' member to struct vfswrap_getxattrat_state
Not yet used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14758
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Wed, 14 Jul 2021 18:17:49 +0000 (11:17 -0700)]
s3: VFS: default: Move vfswrap_fgetxattr() before the async versions.
We want to re-use this and don't want to have to add forward
declarations.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14758
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Wed, 14 Jul 2021 22:00:13 +0000 (15:00 -0700)]
s3: smbd: Allow "smbd async dosmode = yes" to return valid DOS attributes again.
We already have a valid smb_fname->fsp, don't drop
it when returning from smbd_dirptr_lanman2_entry()
to allow it to be reused inside dos_mode_at_send().
Remove knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14758
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Wed, 14 Jul 2021 22:29:01 +0000 (15:29 -0700)]
s3: tests: Add "SMB2-LIST-DIR-ASYNC" test.
Add as knownfail.
Shows our "smbd async dosmode" code wasn't working.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14758
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Wed, 14 Jul 2021 22:26:42 +0000 (15:26 -0700)]
s3: tests: Our tests for "smbd async dosmode = yes" haven't been working correctly as the parameter has been set incorrectly.
If must be "smbd async dosmode", not "smbd:async dosmode"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14758
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Wed, 14 Jul 2021 16:40:34 +0000 (18:40 +0200)]
WHATSNEW: add client/server smb3 signing/encryption algorithms
We can add more about this in the final 4.15.0 release notes later.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Jul 15 00:57:24 UTC 2021 on sn-devel-184
Stefan Metzmacher [Mon, 8 Mar 2021 01:05:55 +0000 (02:05 +0100)]
s3:smbd: improve the error returns for invalid session binding requests
This brings us closer to what a Windows Server with GMAC signing
returns.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Wed, 14 Jul 2021 14:12:41 +0000 (16:12 +0200)]
s4:torture: more smb2.session.bind_negative_smb3* combinations
This tests all kind of signing/encryption algorithm mismatches
and passes against Windows with GMAC signing support.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Tue, 13 Jul 2021 21:28:04 +0000 (23:28 +0200)]
docs-xml: offer aes-128-gmac by default
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Wed, 11 Nov 2020 13:10:01 +0000 (14:10 +0100)]
libcli/smb: add support for SMB2_SIGNING_AES128_GMAC
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Wed, 14 Jul 2021 13:04:22 +0000 (15:04 +0200)]
s4:torture: force AES_CMAC or HMAC_SHA256 for some SMB 3.1.1 tests
Allowing GMAC in future will generate different results, so
make sure the tests keep working as is.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Tue, 13 Jul 2021 19:26:19 +0000 (21:26 +0200)]
libcli/smb: actually make use of "client/server smb3 signing algorithms"
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Tue, 13 Jul 2021 19:26:19 +0000 (21:26 +0200)]
docs-xml: add "client/server smb3 signing algorithms" options
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Wed, 11 Nov 2020 13:27:30 +0000 (14:27 +0100)]
s3:smbd: prepare support for SMB2_SIGNING_CAPABILITIES
But notice that srv_sign_algos->num_algos is always 0 for now,
but that'll change in the next commits.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Thu, 11 Mar 2021 10:04:14 +0000 (11:04 +0100)]
libcli/smb: prepare support for SMB2_SIGNING_CAPABILITIES negotiation
For now client_sign_algos->num_algos will always be 0,
but that'll change in the next commits.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Wed, 11 Nov 2020 13:10:01 +0000 (14:10 +0100)]
libcli/smb: make sure smb2_signing_calc_signature() never generates a signature without a valid MID
This is important as AES-128-GMAC signing will derive the NONCE from the MID.
It also means a STATUS_PENDING response must never be signed.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Thu, 6 May 2021 21:07:13 +0000 (23:07 +0200)]
libcli/smb: make sure we always send a valid MID in cancel PDUs
This is important as with AES-128-GMAC signing, the nonce will be
derived from the MID.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Mon, 8 Mar 2021 01:03:30 +0000 (02:03 +0100)]
libcli/smb: skip session setup signing for REQUEST_OUT_OF_SEQUENCE, NOT_SUPPORTED and ACCESS_DENIED
We should propagate these errors to the caller instead of masking them
with ACCESS_DENIED. And for ACCESS_DENIED we should not disconnect the
connection.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Wed, 14 Jul 2021 14:23:54 +0000 (16:23 +0200)]
libcli/smb: add smb2cli_conn_server_{signing,encryption}_algo()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Tue, 13 Jul 2021 20:37:36 +0000 (22:37 +0200)]
s3:smbd: make sure we don't try to sign CANCEL response PDUs
Normally these are never generated, but it can happen when the
signing check fails.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Fri, 11 Jun 2021 13:33:46 +0000 (13:33 +0000)]
s3:smbd: make sure STATUS_PENDING responses are never signed
It's important to match Windows here in order to avoid reusing
a NONCE for AES-128-GMAC signing.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Thu, 6 May 2021 21:55:49 +0000 (23:55 +0200)]
s3:smbstatus: pretty print the use of new signing/encryption algorithms
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Tue, 13 Jul 2021 19:50:27 +0000 (21:50 +0200)]
s3:smbd: only allow cancel with the same session
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Wed, 11 Nov 2020 12:47:11 +0000 (13:47 +0100)]
libcli/smb: add SMB2_SIGNING_CAPABILITIES related defines to smb2_constants.h
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Wed, 11 Nov 2020 12:47:11 +0000 (13:47 +0100)]
libcli/smb: add SMB2_RDMA_TRANSFORM_CAPABILITIES related defines to smb2_constants.h
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Wed, 11 Nov 2020 12:47:11 +0000 (13:47 +0100)]
libcli/smb: add SMB2_TRANSPORT_CAPABILITIES related defines to smb2_constants.h
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Tue, 10 Nov 2020 00:28:03 +0000 (01:28 +0100)]
lib/param: offer aes-256-{gcm,ccm} encryption by default
We match Windows and keep aes-128-{gcm,ccm} first...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Tue, 10 Nov 2020 00:25:19 +0000 (01:25 +0100)]
libcli/smb: add aes-256-{gcm,ccm} support to smb2_signing_[en|de]crypt_pdu()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Wed, 14 Jul 2021 10:13:49 +0000 (12:13 +0200)]
s3:smbd: let 'server smb3 encryption algorithms' disable aes-128-ccm for SMB3_0*
SMB 3.0 and 3.0.2 require aes-128-ccm, so we need to reject them unless
'client smb3 encryption algorithms' allows them.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Wed, 14 Jul 2021 10:13:49 +0000 (12:13 +0200)]
libcli/smb: add smb311_capabilities_check() helper
It checks that the resulting algorithms (most likely for
dialects < 3.1.1) are actually allowed.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Wed, 14 Jul 2021 10:13:49 +0000 (12:13 +0200)]
libcli/smb: let 'client smb3 encryption algorithms' disable aes-128-ccm for SMB3_0*
SMB 3.0 and 3.0.2 require aes-128-ccm, so we need to reject them unless
'client smb3 encryption algorithms' allows them.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Tue, 13 Jul 2021 16:16:10 +0000 (18:16 +0200)]
s3:smbd: make use of 'server smb3 encryption algorithms'
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Tue, 13 Jul 2021 16:16:10 +0000 (18:16 +0200)]
s4:param: make use of 'client smb3 encryption algorithms'
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Tue, 13 Jul 2021 16:16:10 +0000 (18:16 +0200)]
s3:libsmb: make use of 'client smb3 encryption algorithms'
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Tue, 13 Jul 2021 16:00:59 +0000 (18:00 +0200)]
libcli/smb: add helpers to parse client/server smb3 encryption algorithms into struct smb311_capabilities
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Tue, 13 Jul 2021 16:00:59 +0000 (18:00 +0200)]
docs-xml: add "client/server smb3 encryption algorithms" options
This gives administrators more control over the used algorithms.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Wed, 10 Mar 2021 15:34:54 +0000 (16:34 +0100)]
smb2_negprot: make use of struct smb311_capabilities.encryption
This makes the code more generic and allow the supported ciphers
to be easily added or depend on the configuration later.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Tue, 13 Jul 2021 22:16:06 +0000 (00:16 +0200)]
WHATNEW: document "server multi channel support" change
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Tue, 13 Jul 2021 22:14:24 +0000 (00:14 +0200)]
lib/param: enable "server multi channel support" by default on Linux and FreeBSD
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Tue, 13 Jul 2021 22:06:52 +0000 (00:06 +0200)]
lib/param: add lpcfg_parm_is_unspecified() helper
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Fri, 9 Jul 2021 13:36:12 +0000 (15:36 +0200)]
s3:smbd: fallback to smb2srv_session_lookup_global() for session setups with failed signing
The motivation is to get the same error responses as a windows server.
We already fallback to smb2srv_session_lookup_global() in other places
where we don't have a valid session in the current smbd process.
If signing is failing while verifying a session setup request,
we should do the same if we don't have a valid channel binding
for the connection yet.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Tue, 13 Jul 2021 14:37:42 +0000 (16:37 +0200)]
s3:smbd: remove dead code from smbd_smb2_request_dispatch()
We have '} else if (signing_required || (flags & SMB2_HDR_FLAG_SIGNED)) {'
before...
Use 'git show -U52' to see the whole story...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Wed, 14 Jul 2021 15:15:52 +0000 (17:15 +0200)]
s3:smbd: make sure smbXsrv_session_update() doesn't segfault with table == NULL
There might be other places than smb2srv_update_crypto_flags(), which
may call smbXsrv_session_update() with a fake session, they should
return in error instead of segfaulting.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Thu, 10 Jun 2021 16:03:15 +0000 (16:03 +0000)]
s3:smbd: fix a NULL pointer deference caused by smb2srv_update_crypto_flags()
When we used a fake session structure from
smb2srv_session_lookup_global() there's no point in updating
any database.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Thu, 10 Jun 2021 16:03:15 +0000 (16:03 +0000)]
s3:smbd: let smb2srv_session_lookup_global() clear the signing/encryption_flags
When we make use of this we only in order to provide the correct
error codes anyway.
This actually fixes even more error codes.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Thu, 10 Jun 2021 16:03:15 +0000 (16:03 +0000)]
s4:torture: let smb2.session.bind_negative_* tests also use a different client guid
Testing also with a different client guid between channels
triggers (at least in samba) a different code path compaired
to the tests using the same client guid.
Testing both already revealed a bug.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Thu, 10 Jun 2021 16:03:15 +0000 (16:03 +0000)]
s4:torture: let smb2.session.bind_negative_* also test without session keys
This checks the result of a 2nd session setup without the BIND flags
and also without signing being already enabled.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Fri, 9 Jul 2021 10:37:38 +0000 (12:37 +0200)]
WHATSNEW: document the removal of SMB2_22, SMB2_24 and SMB3_10
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Fri, 9 Jul 2021 10:04:30 +0000 (12:04 +0200)]
libcli/smb: remove unused PROTOCOL_SMB3_10 definition
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Fri, 9 Jul 2021 10:03:06 +0000 (12:03 +0200)]
docs-xml: remove support for "SMB3_10"
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Wed, 11 Nov 2020 14:14:12 +0000 (15:14 +0100)]
libcli/smb: replace PROTOCOL_SMB3_10 with PROTOCOL_SMB3_11
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Wed, 11 Nov 2020 14:14:12 +0000 (15:14 +0100)]
s3:smbd: replace PROTOCOL_SMB3_10 with PROTOCOL_SMB3_11
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Fri, 9 Jul 2021 10:04:30 +0000 (12:04 +0200)]
libcli/smb: remove unused PROTOCOL_SMB2_24 definition
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Fri, 9 Jul 2021 10:03:06 +0000 (12:03 +0200)]
docs-xml: remove support for "SMB2_24"
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Wed, 11 Nov 2020 14:14:12 +0000 (15:14 +0100)]
libcli/smb: replace PROTOCOL_SMB2_24 with PROTOCOL_SMB3_00
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Wed, 11 Nov 2020 14:14:12 +0000 (15:14 +0100)]
s3:smbd: replace PROTOCOL_SMB2_24 with PROTOCOL_SMB3_00
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Fri, 9 Jul 2021 10:04:30 +0000 (12:04 +0200)]
libcli/smb: remove unused PROTOCOL_SMB2_22 definition
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Fri, 9 Jul 2021 10:03:06 +0000 (12:03 +0200)]
docs-xml: remove support for "SMB2_22"
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Wed, 11 Nov 2020 14:14:12 +0000 (15:14 +0100)]
libcli/smb: replace PROTOCOL_SMB2_22 with PROTOCOL_SMB3_00
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Wed, 11 Nov 2020 14:14:12 +0000 (15:14 +0100)]
s3:smbd: replace PROTOCOL_SMB2_22 with PROTOCOL_SMB3_00
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Fri, 9 Jul 2021 09:57:17 +0000 (11:57 +0200)]
s3:torture: replace PROTOCOL_SMB2_22 with PROTOCOL_SMB3_00
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Wed, 11 Nov 2020 14:14:12 +0000 (15:14 +0100)]
smb2_negprot: no longer use experimental dialects 2.2.2, 2.2.4, 3.1.0 on the wire
These were only used in Windows development versions but not in
production.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>