From 69734eb516791183a377880b060ab96c857d4850 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Wed, 18 Jan 2017 16:19:15 +0100 Subject: [PATCH 1/6] s3/smbd: ensure global "smb encrypt = off" is effective for SMB 1 clients If encryption is disabled globally, per definition we shouldn't allow enabling encryption on individual shares. The behaviour of setting [Global] smb encrypt = off [share_required] smb encrypt = required [share_desired] smb encrypt = desired must be to completely deny access to the share "share_required" and an unencrypted connection to "share_desired". Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison (cherry picked from commit 43a90cee46bb7a70f7973c4fc51eee7634e43145) --- source3/smbd/service.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/source3/smbd/service.c b/source3/smbd/service.c index 5b54aec..505b13a 100644 --- a/source3/smbd/service.c +++ b/source3/smbd/service.c @@ -623,6 +623,18 @@ static NTSTATUS make_connection_snum(struct smbXsrv_connection *xconn, conn->short_case_preserve = lp_short_preserve_case(snum); conn->encrypt_level = lp_smb_encrypt(snum); + if (conn->encrypt_level > SMB_SIGNING_OFF) { + if (lp_smb_encrypt(-1) == SMB_SIGNING_OFF) { + if (conn->encrypt_level == SMB_SIGNING_REQUIRED) { + DBG_ERR("Service [%s] requires encryption, but " + "it is disabled globally!\n", + lp_servicename(talloc_tos(), snum)); + status = NT_STATUS_ACCESS_DENIED; + goto err_root_exit; + } + conn->encrypt_level = SMB_SIGNING_OFF; + } + } conn->veto_list = NULL; conn->hide_list = NULL; -- 2.9.3 From be9d8730c66c4a88878f88fb2242cf8d97c6046b Mon Sep 17 00:00:00 2001 
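Review bot: The `desired` branch silently downgrades `conn->encrypt_level` to `SMB_SIGNING_OFF` without any log line, so an operator who set `smb encrypt = desired` on a share while it is `off` globally gets an unencrypted connection with nothing in the logs explaining why; only the `required` case logs before it denies. A `DBG_NOTICE("Service [%s] desires encryption, but it is disabled globally; connecting unencrypted\n", lp_servicename(talloc_tos(), snum));` just before the assignment would make the downgrade visible where the decision is taken. The three nested `if`s could also be flattened to `if (conn->encrypt_level > SMB_SIGNING_OFF && lp_smb_encrypt(-1) == SMB_SIGNING_OFF) {`, which reads closer to the rule stated in the commit message (a global "off" wins over the share setting). `make_connection_snum` and the `err_root_exit` label both lie outside the hunk, so I could not confirm what the `status` path releases of what has already been set up on `conn` at this point.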
From: Ralph Boehme Date: Thu, 5 Jan 2017 12:14:35 +0100 Subject: [PATCH 2/6] s3/smbd: ensure global "smb encrypt = off" is effective for SMB 3.1.1 clients If encryption is disabled globally, per definition we shouldn't allow enabling encryption on individual shares. The behaviour of setting [Global] smb encrypt = off [share] smb encrypt = required must be to completely deny access to the share "share". This was working correctly for clients when using SMB 3 dialects < 3.1.1, but not for 3.1.1 with a negprot encryption context. Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison (cherry picked from commit 6ae63d42f5aacddf5b7b6dbdfbe620344989e4e5) --- source3/smbd/smb2_negprot.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source3/smbd/smb2_negprot.c b/source3/smbd/smb2_negprot.c index 6cfa64f..d9ccdbe 100644 --- a/source3/smbd/smb2_negprot.c +++ b/source3/smbd/smb2_negprot.c @@ -441,7 +441,7 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req) req->preauth = &req->xconn->smb2.preauth; } - if (in_cipher != NULL) { + if ((capabilities & SMB2_CAP_ENCRYPTION) && (in_cipher != NULL)) { size_t needed = 2; uint16_t cipher_count; const uint8_t *p; -- 2.9.3 From f47249f53af98075491b3f7747fbd0afa214c1c5 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Mon, 16 Jan 2017 12:56:10 +0100 Subject: [PATCH 3/6] s3/smbd: ensure global "smb encrypt = off" is effective for share with "smb encrypt = desired" If encryption is disabled globally, per definition we shouldn't allow enabling encryption on individual shares. The behaviour of specifying [Global] smb encrypt = off [share] smb encrypt = desired must be an unecrypted tree connect to the share "share". Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520 
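Review bot: The new guard makes parsing of the client's cipher context depend on `capabilities`, which is computed earlier in `smbd_smb2_request_process_negprot` outside this hunk, so a reader has to go there to learn that `SMB2_CAP_ENCRYPTION` is presumably only set when encryption is enabled globally; a short comment on the condition would spare them that, e.g. `/* Only negotiate a cipher if we advertise encryption, i.e. global "smb encrypt" is not off. */`. A side effect worth a sentence in the comment or commit message is that when encryption is globally off the whole cipher-context block (cut off in the hunk) is now skipped, so whatever validation it performs on `cipher_count` no longer runs for such clients and the server-side cipher keeps its initial value, which looks like what the later tree-connect change relies on. The function continues past the end of the hunk.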
Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison (cherry picked from commit b0b418c22558fa1df547df9bdac2642343ac39e1) --- source3/smbd/smb2_tcon.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/source3/smbd/smb2_tcon.c b/source3/smbd/smb2_tcon.c index 61e2a36..5330fc3 100644 --- a/source3/smbd/smb2_tcon.c +++ b/source3/smbd/smb2_tcon.c @@ -268,7 +268,8 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req, } if ((lp_smb_encrypt(snum) >= SMB_SIGNING_DESIRED) && - (conn->smb2.client.capabilities & SMB2_CAP_ENCRYPTION)) { + (conn->smb2.server.cipher != 0)) + { encryption_desired = true; } -- 2.9.3 From 1ca4c8b93fe1ccf148e7e7b60d555410ec6a681f Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Mon, 16 Jan 2017 15:45:32 +0100 Subject: [PATCH 4/6] docs: impact of a global "smb encrypt=off" on a share with "smb encrypt=required" Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison (cherry picked from commit f8d937b331ac985264c76d76b447683fc494d38a) --- docs-xml/smbdotconf/security/smbencrypt.xml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docs-xml/smbdotconf/security/smbencrypt.xml b/docs-xml/smbdotconf/security/smbencrypt.xml index 0f08966..32a22cb 100644 --- a/docs-xml/smbdotconf/security/smbencrypt.xml +++ b/docs-xml/smbdotconf/security/smbencrypt.xml @@ -180,7 +180,11 @@ Setting it to off globally will - completely disable the encryption feature. + completely disable the encryption feature for all + connections. Setting smb encrypt = + required for individual shares (while it's + globally off) will deny access to this shares for all + clients. -- 2.9.3 From 12265dffd3b6f67b126ecbc55d430c0a5d4ccc94 Mon Sep 17 00:00:00 2001 
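Review bot: The opening brace of the rewritten `if` has moved onto its own line, which breaks the K&R layout the surrounding smbd code uses (the unchanged `if ((lp_smb_encrypt(snum) >= SMB_SIGNING_DESIRED) &&` line and the sibling patches in this series keep `{` on the condition line); keep it as `(conn->smb2.server.cipher != 0)) {`. The new condition also changes what "desired" is gated on, from the client having advertised `SMB2_CAP_ENCRYPTION` to a cipher actually having been negotiated for the connection, and nothing in this file shows where `server.cipher` is set, so a one-line comment such as `/* server.cipher is only non-zero when a cipher was negotiated, which cannot happen with a global "smb encrypt = off" */` would record the intent for the next reader. `smbd_smb2_tree_connect` continues outside the hunk.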
From: Ralph Boehme Date: Tue, 17 Jan 2017 17:23:51 +0100 Subject: [PATCH 5/6] selftest: disable SMB encryption in simpleserver environment Encryption is currently not tested in this env so we can safely turn it off. The next commit will add a blackbox tests that test combinations of having encryption globally turned off and enabled (desired/required) on a share. This also adds a new share "enc_desired" with "smb encrypt = desired" which will be used by the test in the next commit. Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison (cherry picked from commit 573e8e15b3ed27d6b593e635e9c24eea3fdf4fb9) --- selftest/target/Samba3.pm | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index 8f2a1f5..7fe3dac 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -554,6 +554,7 @@ sub setup_simpleserver($$) ntlm auth = yes vfs objects = xattr_tdb streams_depot time_audit full_audit change notify = no + smb encrypt = off full_audit:syslog = no full_audit:success = none @@ -571,6 +572,11 @@ sub setup_simpleserver($$) store dos attributes = yes hide files = /hidefile/ hide dot files = yes + +[enc_desired] + path = $prefix_abs/share + vfs objects = + smb encrypt = desired "; my $vars = $self->provision($path, -- 2.9.3 From 65a3abb08c6ceb7796e0fad7a2b49989726e9591 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Wed, 18 Jan 2017 16:23:40 +0100 Subject: [PATCH 6/6] selftest: add test for global "smb encrypt=off" Test various combinations of having encryption globally turned off and enabled (desired/required) on a share, with SMB1 UNIX Extensions and SMB3. Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520 
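Review bot: The empty `vfs objects =` line in the new `[enc_desired]` share overrides the global module stack (`xattr_tdb streams_depot time_audit full_audit`) for that share, and nothing says whether that is deliberate or copied from another share; an inline `# no VFS modules: this share only exercises encryption negotiation on tree connect` (smb.conf accepts `#` comments) would make it explicit. The `smb encrypt = off` added to the global section in the first hunk is what the new share is meant to be tested against, so a comment there naming the share would tie the two additions together for whoever next edits this environment.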
Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison (cherry picked from commit 21d030e5bdf7dc6ef8d5f4e70bed7e70b731cd15) --- .../script/tests/test_smbclient_encryption_off.sh | 65 ++++++++++++++++++++++ source3/selftest/tests.py | 5 ++ 2 files changed, 70 insertions(+) create mode 100755 source3/script/tests/test_smbclient_encryption_off.sh diff --git a/source3/script/tests/test_smbclient_encryption_off.sh b/source3/script/tests/test_smbclient_encryption_off.sh new file mode 100755 index 0000000..467a4ee --- /dev/null +++ b/source3/script/tests/test_smbclient_encryption_off.sh @@ -0,0 +1,65 @@ +#!/bin/sh + +if [ $# -lt 4 ]; then +cat <