12520 – Ensure global "smb encrypt = off" is effective

Bug 12520 - Ensure global "smb encrypt = off" is effective

Summary: Ensure global "smb encrypt = off" is effective

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	File services (show other bugs)
Version:	unspecified
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Karolin Seeger
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2017-01-15 21:32 UTC by Ralph Böhme
Modified:	2017-02-13 15:37 UTC (History)
CC List:	3 users (show)

See Also:

Attachments
Patch for 4.4 cherry-picked from master (12.45 KB, patch) 2017-01-31 06:47 UTC, Ralph Böhme	jra: review+	Details
Patch for 4.5 cherry-picked from master (12.48 KB, patch) 2017-01-31 06:48 UTC, Ralph Böhme	jra: review+	Details
Patch for 4.6 cherry-picked from master (12.48 KB, patch) 2017-01-31 06:48 UTC, Ralph Böhme	jra: review+	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Ralph Böhme 2017-01-15 21:32:00 UTC

If encryption is disabled globally, per definition we shouldn't allow
enabling encryption on individual shares and given a config

[Global]
  smb encrypt = off
[share]
  smb encrypt = required

we must deny access to "share" with access denied. Current behaviour doesn't get this right for the SMB 3.1.1 case with a negprot encryption context exchange and allows Windows 10 Client encrypted access to "share".

Additionally, a config

[Global]
  smb encrypt = off
[share]
  smb encrypt = desired

must result in an unencrypted tcon to "share" because encryption if off globally, but with current code we set the "encryption required" flag on the share and again allow encrypted access for any client that can deal with the strange combination of a server that says "I don't support encryption" (in negprot) but sets the encryption required flag for the share.

Patch to follow...

Comment 1 Ralph Böhme 2017-01-31 06:47:55 UTC

Created attachment 12880 [details]
Patch for 4.4 cherry-picked from master

Comment 2 Ralph Böhme 2017-01-31 06:48:13 UTC

Created attachment 12881 [details]
Patch for 4.5 cherry-picked from master

Comment 3 Ralph Böhme 2017-01-31 06:48:34 UTC

Created attachment 12882 [details]
Patch for 4.6 cherry-picked from master

Comment 4 Jeremy Allison 2017-01-31 20:02:43 UTC

Reassigning to Karolin for inclusion in 4.6.next, 4.5.next, 4.4.next.

Comment 5 Karolin Seeger 2017-02-01 11:47:52 UTC

(In reply to Jeremy Allison from comment #4)
Pushed to autobuild-v4-{6,5,4}-test.

Comment 6 Karolin Seeger 2017-02-13 15:37:18 UTC

(In reply to Karolin Seeger from comment #5)
Pushed to all branches.
Closing out bug report.

Thanks!