static struct cli_state *smb_connect(const char *, const char *, int, const char *, const char *, const char *, const char *);
static int smb_print(struct cli_state *, char *, FILE *);
static char * uri_unescape_alloc(const char *);
-
+#if 0
+static bool smb_encrypt;
+#endif
/*
* 'main()' - Main entry for SMB backend.
return NULL;
}
+#if 0
+ /* Need to work out how to specify this on the URL. */
+ if (smb_encrypt)
+ {
+ if (!cli_cm_force_encryption(cli,
+ username,
+ password,
+ workgroup,
+ share))
+ {
+ fprintf(stderr, "ERROR: encryption setup failed\n");
+ cli_shutdown(cli);
+ return NULL;
+ }
+ }
+#endif
+
return cli;
}
bool got_pass;
bool use_kerberos;
int signing_state;
+ bool smb_encrypt;
};
#endif /* _POPT_COMMON_H */
* -N,--no-pass
* -S,--signing
* -P --machine-pass
+ * -e --encrypt
*/
case 'N':
set_cmdline_auth_info_password("");
break;
+ case 'e':
+ set_cmdline_auth_info_smb_encrypt();
+ break;
+
}
}
{ "authentication-file", 'A', POPT_ARG_STRING, NULL, 'A', "Get the credentials from a file", "FILE" },
{ "signing", 'S', POPT_ARG_STRING, NULL, 'S', "Set the client signing state", "on|off|required" },
{"machine-pass", 'P', POPT_ARG_NONE, NULL, 'P', "Use stored machine account password" },
+ {"encrypt", 'e', POPT_ARG_NONE, NULL, 'e', "Encrypt SMB transport (UNIX extended servers only)" },
POPT_TABLEEND
};
NULL, /* password */
false, /* got_pass */
false, /* use_kerberos */
- Undefined /* signing state */
+ Undefined, /* signing state */
+ false /* smb_encrypt */
};
const char *get_cmdline_auth_info_username(void)
cmdline_auth_info.got_pass = true;
}
+/* This should only be used by lib/popt_common.c JRA */
+bool set_cmdline_auth_info_smb_encrypt(void)
+{
+ cmdline_auth_info.smb_encrypt = true;
+}
+
bool get_cmdline_auth_info_got_pass(void)
{
return cmdline_auth_info.got_pass;
}
+bool get_cmdline_auth_info_smb_encrypt(void)
+{
+ return cmdline_auth_info.smb_encrypt;
+}
+
bool get_cmdline_auth_info_copy(struct user_auth_info *info)
{
*info = cmdline_auth_info;
Ensure a connection is encrypted.
********************************************************************/
-static bool force_cli_encryption(struct cli_state *c,
+NTSTATUS cli_cm_force_encryption(struct cli_state *c,
const char *username,
const char *password,
const char *domain,
const char *sharename)
{
- uint16 major, minor;
- uint32 caplow, caphigh;
- NTSTATUS status;
+ NTSTATUS status = cli_force_encryption(c,
+ username,
+ password,
+ domain);
- if (!SERVER_HAS_UNIX_CIFS(c)) {
+ if (NT_STATUS_EQUAL(status,NT_STATUS_NOT_SUPPORTED)) {
d_printf("Encryption required and "
"server that doesn't support "
"UNIX extensions - failing connect\n");
- return false;
- }
-
- if (!cli_unix_extensions_version(c, &major, &minor, &caplow, &caphigh)) {
+ } else if (NT_STATUS_EQUAL(status,NT_STATUS_UNKNOWN_REVISION)) {
d_printf("Encryption required and "
"can't get UNIX CIFS extensions "
"version from server.\n");
- return false;
- }
-
- if (!(caplow & CIFS_UNIX_TRANSPORT_ENCRYPTION_CAP)) {
+ } else if (NT_STATUS_EQUAL(status,NT_STATUS_UNSUPPORTED_COMPRESSION)) {
d_printf("Encryption required and "
"share %s doesn't support "
"encryption.\n", sharename);
- return false;
- }
-
- if (c->use_kerberos) {
- status = cli_gss_smb_encryption_start(c);
- } else {
- status = cli_raw_ntlm_smb_encryption_start(c,
- username,
- password,
- domain);
- }
-
- if (!NT_STATUS_IS_OK(status)) {
+ } else if (!NT_STATUS_IS_OK(status)) {
d_printf("Encryption required and "
"setup failed with error %s.\n",
nt_errstr(status));
- return false;
}
- return true;
+ return status;
}
/********************************************************************
return NULL;
}
- if (force_encrypt && !force_cli_encryption(c,
+ if (force_encrypt) {
+ status = cli_cm_force_encryption(c,
username,
password,
lp_workgroup(),
- sharename)) {
- cli_shutdown(c);
- return NULL;
+ sharename);
+ if (!NT_STATUS_IS_OK(status)) {
+ cli_shutdown(c);
+ return NULL;
+ }
}
DEBUG(4,(" tconx ok\n"));
return false;
}
- if (force_encrypt && !force_cli_encryption(cli,
+ if (force_encrypt) {
+ NTSTATUS status = cli_cm_force_encryption(cli,
username,
password,
lp_workgroup(),
- "IPC$")) {
- return false;
+ "IPC$");
+ if (!NT_STATUS_IS_OK(status)) {
+ return false;
+ }
}
res = cli_dfs_get_referral(ctx, cli, fullpath, &refs, &num_refs, &consumed);
return NT_STATUS_NOT_SUPPORTED;
}
#endif
+
+/********************************************************************
+ Ensure a connection is encrypted.
+********************************************************************/
+
+NTSTATUS cli_force_encryption(struct cli_state *c,
+ const char *username,
+ const char *password,
+ const char *domain)
+{
+ uint16 major, minor;
+ uint32 caplow, caphigh;
+
+ if (!SERVER_HAS_UNIX_CIFS(c)) {
+ return NT_STATUS_NOT_SUPPORTED;
+ }
+
+ if (!cli_unix_extensions_version(c, &major, &minor, &caplow, &caphigh)) {
+ return NT_STATUS_UNKNOWN_REVISION;
+ }
+
+ if (!(caplow & CIFS_UNIX_TRANSPORT_ENCRYPTION_CAP)) {
+ return NT_STATUS_UNSUPPORTED_COMPRESSION;
+ }
+
+ if (c->use_kerberos) {
+ return cli_gss_smb_encryption_start(c);
+ }
+ return cli_raw_ntlm_smb_encryption_start(c,
+ username,
+ password,
+ domain);
+}
goto done;
}
+ if (get_cmdline_auth_info_smb_encrypt()) {
+ nt_status = cli_cm_force_encryption(cli,
+ get_cmdline_auth_info_username(),
+ get_cmdline_auth_info_password(),
+ lp_workgroup(),
+ "IPC$");
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ result = 1;
+ goto done;
+ }
+ }
+
#if 0 /* COMMENT OUT FOR TESTING */
memset(cmdline_auth_info.password,'X',sizeof(cmdline_auth_info.password));
#endif
int opt_have_ip = False;
struct sockaddr_storage opt_dest_ip;
+bool smb_encrypt;
extern bool AllowDebugChange;
service_name, service_type,
opt_user_name, opt_workgroup,
opt_password, 0, Undefined, NULL);
- if (NT_STATUS_IS_OK(nt_status)) {
- return nt_status;
- } else {
+ if (!NT_STATUS_IS_OK(nt_status)) {
d_fprintf(stderr, "Could not connect to server %s\n", server_name);
/* Display a nicer message depending on the result */
if (NT_STATUS_V(nt_status) ==
NT_STATUS_V(NT_STATUS_ACCOUNT_DISABLED))
d_fprintf(stderr, "The account was disabled.\n");
-
return nt_status;
}
+
+ if (smb_encrypt) {
+ nt_status = cli_force_encryption(*c,
+ opt_user_name,
+ opt_password,
+ opt_workgroup,
+ service_name);
+
+ if (NT_STATUS_EQUAL(nt_status,NT_STATUS_NOT_SUPPORTED)) {
+ d_printf("Encryption required and "
+ "server that doesn't support "
+ "UNIX extensions - failing connect\n");
+ } else if (NT_STATUS_EQUAL(nt_status,NT_STATUS_UNKNOWN_REVISION)) {
+ d_printf("Encryption required and "
+ "can't get UNIX CIFS extensions "
+ "version from server.\n");
+ } else if (NT_STATUS_EQUAL(nt_status,NT_STATUS_UNSUPPORTED_COMPRESSION)) {
+ d_printf("Encryption required and "
+ "share %s doesn't support "
+ "encryption.\n", service_name);
+ } else if (!NT_STATUS_IS_OK(nt_status)) {
+ d_printf("Encryption required and "
+ "setup failed with error %s.\n",
+ nt_errstr(nt_status));
+ }
+
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ cli_shutdown(*c);
+ *c = NULL;
+ }
+ }
+
+ return nt_status;
}
/****************************************************************************
SAFE_FREE(user_and_realm);
- if (NT_STATUS_IS_OK(nt_status)) {
- return nt_status;
- } else {
+ if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(1,("Cannot connect to server using kerberos. Error was %s\n", nt_errstr(nt_status)));
return nt_status;
}
+
+ if (smb_encrypt) {
+ nt_status = cli_cm_force_encryption(*c,
+ user_and_realm,
+ opt_password,
+ opt_workgroup,
+ "IPC$");
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ cli_shutdown(*c);
+ *c = NULL;
+ }
+ }
+
+ return nt_status;
}
/**
{"port", 'p', POPT_ARG_INT, &opt_port},
{"myname", 'n', POPT_ARG_STRING, &opt_requester_name},
{"server", 'S', POPT_ARG_STRING, &opt_host},
+ {"encrypt", 'e', POPT_ARG_NONE, NULL, 'e', "Encrypt SMB transport (UNIX extended servers only)" },
{"container", 'c', POPT_ARG_STRING, &opt_container},
{"comment", 'C', POPT_ARG_STRING, &opt_comment},
{"maxusers", 'M', POPT_ARG_INT, &opt_maxusers},
{"acls", 0, POPT_ARG_NONE, &opt_acls},
{"attrs", 0, POPT_ARG_NONE, &opt_attrs},
{"timestamps", 0, POPT_ARG_NONE, &opt_timestamps},
- {"exclude", 'e', POPT_ARG_STRING, &opt_exclude},
+ {"exclude", 'X', POPT_ARG_STRING, &opt_exclude},
{"destination", 0, POPT_ARG_STRING, &opt_destination},
{"tallocreport", 0, POPT_ARG_NONE, &do_talloc_report},
net_help(argc, argv);
exit(0);
break;
+ case 'e':
+ smb_encrypt=true;
+ break;
case 'I':
if (!interpret_string_addr(&opt_dest_ip,
poptGetOptArg(pc), 0)) {
d_printf("\t-l or --long\t\t\tDisplay full information\n");
d_printf("\t-V or --version\t\t\tPrint samba version information\n");
d_printf("\t-P or --machine-pass\t\tAuthenticate as machine account\n");
+ d_printf("\t-e or --encrypt\t\tEncrypt SMB transport (UNIX extended servers only)\n");
return -1;
}
*******************************************************/
static struct cli_state *connect_one(const char *server, const char *share)
{
- struct cli_state *c;
+ struct cli_state *c = NULL;
struct sockaddr_storage ss;
NTSTATUS nt_status;
zero_addr(&ss);
}
}
- if (NT_STATUS_IS_OK(nt_status = cli_full_connection(&c, global_myname(), server,
- &ss, 0,
- share, "?????",
- get_cmdline_auth_info_username(),
- lp_workgroup(),
- get_cmdline_auth_info_password(),
- get_cmdline_auth_info_use_kerberos() ? CLI_FULL_CONNECTION_USE_KERBEROS : 0,
- get_cmdline_auth_info_signing_state(),
- NULL))) {
- return c;
- } else {
+ nt_status = cli_full_connection(&c, global_myname(), server,
+ &ss, 0,
+ share, "?????",
+ get_cmdline_auth_info_username(),
+ lp_workgroup(),
+ get_cmdline_auth_info_password(),
+ get_cmdline_auth_info_use_kerberos() ? CLI_FULL_CONNECTION_USE_KERBEROS : 0,
+ get_cmdline_auth_info_signing_state(),
+ NULL);
+ if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(0,("cli_full_connection failed! (%s)\n", nt_errstr(nt_status)));
return NULL;
}
+
+ if (get_cmdline_auth_info_smb_encrypt()) {
+ nt_status = cli_cm_force_encryption(c,
+ get_cmdline_auth_info_username(),
+ get_cmdline_auth_info_password(),
+ lp_workgroup(),
+ share);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ cli_shutdown(c);
+ c = NULL;
+ }
+ }
+
+ return c;
}
/****************************************************************************