From edcd3f3524c701274cd4287487b15665dd410410 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Wed, 18 Jan 2017 08:37:30 +0100
Subject: [PATCH 1/2] s3:smbd: allow "server min protocol = SMB3_00" to go via "SMB 2.???" negprot

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12540
Signed-off-by: Stefan Metzmacher
Reviewed-by: Andreas Schneider
Reviewed-by: Ralph Boehme
(cherry picked from commit c207f2a989fc791b5f9bf9043d3c6ac31db5cdfd)
---
 source3/smbd/negprot.c | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c
index d2e5e2e..793306a 100644
--- a/source3/smbd/negprot.c
+++ b/source3/smbd/negprot.c
@@ -544,6 +544,8 @@ void reply_negprot(struct smb_request *req)
 struct smbXsrv_connection *xconn = req->xconn;
 struct smbd_server_connection *sconn = req->sconn;
 bool signing_required = true;
+ int max_proto;
+ int min_proto;
 START_PROFILE(SMBnegprot);
@@ -688,11 +690,28 @@ void reply_negprot(struct smb_request *req)
 FLAG_MSG_GENERAL|FLAG_MSG_SMBD |FLAG_MSG_PRINT_GENERAL);
+ /*
+ * Anything higher than PROTOCOL_SMB2_10 still
+ * needs to go via "SMB 2.???", which is marked
+ * as PROTOCOL_SMB2_10.
+ *
+ * The real negotiation happens via reply_smb20ff()
+ * using SMB2 Negotiation.
+ */
+ max_proto = lp_server_max_protocol();
+ if (max_proto > PROTOCOL_SMB2_10) {
+ max_proto = PROTOCOL_SMB2_10;
+ }
+ min_proto = lp_server_min_protocol();
+ if (min_proto > PROTOCOL_SMB2_10) {
+ min_proto = PROTOCOL_SMB2_10;
+ }
+
 /* Check for protocols, most desirable first */
 for (protocol = 0; supported_protocols[protocol].proto_name; protocol++) {
 i = 0;
- if ((supported_protocols[protocol].protocol_level <= lp_server_max_protocol()) &&
- (supported_protocols[protocol].protocol_level >= lp_server_min_protocol()))
+ if ((supported_protocols[protocol].protocol_level <= max_proto) &&
+ (supported_protocols[protocol].protocol_level >= min_proto))
 while (i < num_cliprotos) {
 if (strequal(cliprotos[i],supported_protocols[protocol].proto_name)) {
 choice = i;
-- 1.9.1
From 815d4d491955343b388d322ede6a407736d8f306 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Wed, 25 Jan 2017 21:15:44 +0100
Subject: [PATCH 2/2] selftest/Samba3: use "server min protocol = SMB3_00" for "ktest"

This verifies that clients can still connect with that setting.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12540
Signed-off-by: Stefan Metzmacher
Reviewed-by: Andreas Schneider
Reviewed-by: Ralph Boehme
Autobuild-User(master): Stefan Metzmacher
Autobuild-Date(master): Fri Jan 27 12:03:39 CET 2017 on sn-devel-144
(cherry picked from commit 348bcca76855798d60c04ddb30f1e13b2ac2d7cd)
---
 selftest/target/Samba3.pm | 2 ++
 source3/selftest/tests.py | 6 +++++-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 5e62cf1..b39203f 100755
--- a/selftest/target/Samba3.pm
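Review bot: The clamp of `min_proto` in the added block makes the SMB1 negprot loop accept a table entry below the configured `server min protocol`, so enforcing an administrator's SMB3_00 floor now depends entirely on the SMB2 Negotiate path reached through `reply_smb20ff()`, which is outside this hunk. The added comment says the real negotiation happens there, but not that the minimum is re-checked there; I would extend it with a line such as `* lp_server_min_protocol() is still enforced there; min_proto is relaxed here only to admit "SMB 2.???".` once that has been confirmed. The clamp also appears to assume that "SMB 2.???" is the only `supported_protocols[]` entry tagged PROTOCOL_SMB2_10, which is worth stating, since any other entry at that level would be selectable despite the configured minimum. The body of `reply_negprot()` starts and ends outside the hunk.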
+++ b/selftest/target/Samba3.pm
@@ -742,6 +742,8 @@ sub setup_ktest($$$)
 security = ads
 username map = $prefix/lib/username.map
 server signing = required
+ server min protocol = SMB3_00
+ client max protocol = SMB3
 ";
 my $ret = $self->provision($prefix,
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index e389fae..da9d8b3 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -431,8 +431,12 @@ for s in signseal_options:
 # We should try more combinations in future, but this is all
 # the pre-calculated credentials cache supports at the moment
+ #
+ # As the ktest env requires SMB3_00 we need to use "smb2" until
+ # dcerpc client code in smbtorture support autonegotiation
+ # of any smb dialect.
 e = ""
- a = ""
+ a = "smb2"
 binding_string = "ncacn_np:$SERVER[%s%s%s]" % (a, s, e)
 options = binding_string + " -k yes --krb5-ccache=$PREFIX/ktest/krb5_ccache-2"
 plansmbtorture4testsuite(test, "ktest", options, 'krb5 with old ccache ncacn_np with [%s%s%s] ' % (a, s, e))
-- 1.9.1
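Review bot: The added `client max protocol = SMB3` line in the ktest smb.conf block is not explained by the commit message, which only mentions the server minimum. If it is there so the in-tree client tools can meet the new SMB3_00 floor (an assumption on my part), a one-line smb.conf comment above it would save the next reader from guessing, e.g. `# clients in this env must be able to offer SMB3 to satisfy "server min protocol"`. The body of `setup_ktest` starts and ends outside the hunk.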
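Review bot: Only the positive case is covered here: with `a = "smb2"` the suite shows that a client can still connect to ktest, but nothing checks that a client restricted to a dialect below SMB3_00 is refused. That refusal is the property the relaxed `min_proto` comparison in negprot.c puts at risk, so a regression there would go unnoticed. I would at least record the gap next to the new comment, e.g. `# TODO: add a test that a client limited to SMB2_10 or lower is rejected by ktest`. The loop this code sits in appears to start outside the hunk.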