Testing with the Microsoft SMB2/SMB3 Functional Test Cases against Samba I found that SigningTestCaseS0 fails since Samba 4.2 doesn't set signing required to true in the negotiate response when the client sends it in the Negotiate Request (dialect is SMB3) See MS-SMB2 section 3.3.5.4 If RequireMessageSigning is TRUE, the server MUST also set SMB2_NEGOTIATE_SIGNING_REQUIRED in the SecurityMode field. 5. Session.SigningRequired MUST be set to TRUE under the following conditions: If the SMB2_NEGOTIATE_SIGNING_REQUIRED bit is set in the SecurityMode field of the client request. If the SMB2_SESSION_FLAG_IS_GUEST bit is not set in the SessionFlags field and Session.IsAnonymous is FALSE and
Created attachment 10744 [details] Possible patch for master/4.2.0 Steve - please test ! Thanks, Jeremy.
Created attachment 10745 [details] trace showing incorrect flags in negotiate response See frame 6
(In reply to Steve French from comment #2) Is this with my patch or without ?
(In reply to Jeremy Allison from comment #3) Your patch fixes the problem. Signing test S0 now passes. This trace was without your patch. With your patch it gets past this, then does a guest session setup which works - resulting in the test passing.
Created attachment 10746 [details] git-am fix for master and 4.2.0
Reviewed fix and approve
Comment on attachment 10746 [details] git-am fix for master and 4.2.0 You need to change the '?' in the details dialog to '+' to formally approve the fix for 4.2.0. Also, please send a reply to the samba-technical mailing list in order to approve the patch for master (you can just hit reply-all on the [PATCH] mail I sent).
Comment on attachment 10746 [details] git-am fix for master and 4.2.0 Code Reviewed and ptch tested. Looks fine.
Created attachment 10755 [details] git-am fix for 4.2.0 Cherry-picked from the fix that went into master (reviewed by Steve).
Created attachment 10756 [details] git-am back-port for 4.1.next, 4.0.next. Backport for 4.1.next, 4.0.next. Steve please review.
Re-assigning to Karolin to get the 4.2.0 patch in, 4.1.x, 4.0.x patches need Stevef review.
These patches seems to be wrong. A standalone Windows 2012 doesn't behave like this...
Created attachment 10759 [details] capture with smbclient -mSMB2 --signing=required against Windows 2012 standalone See frames 7 and 8!
(In reply to Stefan (metze) Metzmacher from comment #13) Hmmm. So Windows isn't behaving the way the SMB2 spec requires. What a surprise :-). Can you try against Windows 8 ? I'm guessing the Windows test authors were only running against their latest server build when they froze the 'correct' responses.
Comment on attachment 10759 [details] capture with smbclient -mSMB2 --signing=required against Windows 2012 standalone You may be right that we should not include this patch - I tested against Windows 10 and did not see this behavior either. The Microsoft tests have some confusing settings relating to whether encryption is mandated or not (not just signing) and I am rerunning with different settings in the test configuration. Currently I have at least all but six of the tests in the encryption subcategories passing without JRA's negotiation change (test 2038 for example fails on the negotiate in a similar way to what is described in the bug report but I am working on figuring out if we can configure around it). I reran all tests (about 200 total) in the signing, encryption and negotiation categories and the only failing ones are these six encryption ones: 2038, 3378, 3707, 3930, 4360 and 4494 -
OK, let me know if you want me to revert from master. We should at the very least raise a dochelp request to get them to document in a Windows behavior note that Windows servers themselves don't follow the written spec :-).
(In reply to Jeremy Allison from comment #16) Yes, please revert it in master. A Windows 10 preview release behaves like windows 2012.
Looks like this is an SMB2 spec bug. Reverting in master.