Bug 11372 - smbd: SMB3 functionality of "smb encrypt" broken/confusing
Status: RESOLVED FIXED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: 4.1.19
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assigned To: Karolin Seeger
QA Contact: Samba QA Contact
Reported: 2015-06-30 09:32 UTC by Michael Adam
Modified: 2015-07-21 14:39 UTC (History)

Attachments
Patch for v4-2-test cherry-picked from master (1.78 KB, patch)
2015-06-30 09:36 UTC, Michael Adam
obnox: review+
vl: review+
Patch for v4-1-test cherry-picked from master (1.87 KB, patch)
2015-06-30 09:38 UTC, Michael Adam
obnox: review+
vl: review+
updated patchset for 4.1 (20.05 KB, patch)
2015-07-07 22:18 UTC, Michael Adam
obnox: review+
gd: review+
updated patchset for 4.2 (20.35 KB, patch)
2015-07-07 22:21 UTC, Michael Adam
obnox: review+
gd: review+

Description Michael Adam 2015-06-30 09:32:49 UTC
With "smb encrypt = enabled", the server should announce the SMB3 encryption capability and require traffic encryption for those SMB2+ clients that support it. This is currently broken in Samba 4.2 and 4.1. Instead, encryption only happens if smb encrypt is set to mandatory.
Comment 1 Michael Adam 2015-06-30 09:36:28 UTC
Created attachment 11218
Patch for v4-2-test cherry-picked from master
Comment 2 Michael Adam 2015-06-30 09:38:03 UTC
Created attachment 11219
Patch for v4-1-test cherry-picked from master

Patch with a minor contextual adaption for 4.1
Comment 3 Michael Adam 2015-06-30 09:45:22 UTC
Karo, please pick for 4.1.next and 4.2.next.
Thanks!
Comment 4 Michael Adam 2015-06-30 11:05:37 UTC
No pushing yet, please:
Apparently there is need for more discussion.

As discussed with Metze:
We should actually have these states for smb encrypt:

off - ...
enabled - just negotiate the cap
desired - enable enc for those clients that support it
required - enable for all and deny clients that don't support enc.
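
The four states listed in comment 4, used in an added example that is not part of the bug report or of Samba's code: a small checker that reads smb.conf-style text and reports each share's effective "smb encrypt" level against a chosen minimum. The function names are hypothetical, and it assumes that "mandatory" (from the description) means the same as "required", that shares inherit the [global] value, and that an unset value is reported as such rather than mapped to a default.

```python
# Added example, not Samba code. Level names come from comment 4 of this bug;
# "mandatory" == "required" and inheritance from [global] are assumptions.
LEVELS = {"off": 0, "enabled": 1, "desired": 2, "required": 3, "mandatory": 3}

def _norm(name):
    # smb.conf ignores case and whitespace in section and parameter names
    return "".join(name.split()).lower()

def parse_smb_encrypt(conf_text):
    """Return {section: 'smb encrypt' value or None}, in file order."""
    found, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = _norm(line[1:-1])
            found.setdefault(section, None)
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            if _norm(key) == "smbencrypt":
                found[section] = value.strip().lower()
    return found

def audit(conf_text, minimum="required"):
    """Return (share, effective value, verdict) for each non-global section."""
    found = parse_smb_encrypt(conf_text)
    inherited, report = found.get("global"), []
    for share, own in found.items():
        if share == "global":
            continue
        value = own if own is not None else inherited
        if value not in LEVELS:
            verdict = "unset" if value is None else "unknown value"
        else:
            verdict = "ok" if LEVELS[value] >= LEVELS[minimum] else "below " + minimum
        report.append((share, value, verdict))
    return report

# Constructed sample configuration, not taken from the bug report.
SAMPLE = """
[global]
    smb encrypt = enabled
[finance]
    SMB Encrypt = required
[public]
[legacy]
    smb encrypt = off
"""
```

Calling audit(SAMPLE) marks the "public" and "legacy" shares as below the minimum, because the inherited "enabled" only negotiates the capability under the comment 4 scheme.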
Comment 5 Michael Adam 2015-07-07 22:18:58 UTC
Created attachment 11239
updated patchset for 4.1
Comment 6 Michael Adam 2015-07-07 22:21:51 UTC
Created attachment 11240
updated patchset for 4.2
Comment 7 Guenther Deschner 2015-07-07 22:27:59 UTC
Karolin, please add to 4.2 and 4.1.
Comment 10 Karolin Seeger 2015-07-16 09:39:17 UTC
Pushed to autobuild-v4-[1|2]-test.
Comment 11 Karolin Seeger 2015-07-21 14:39:05 UTC
(In reply to Karolin Seeger from comment #10)
Pushed to both branches.
Closing out bug report.

Thanks!