Bug 12520 - Ensure global "smb encrypt = off" is effective
Status: RESOLVED FIXED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assigned To: Karolin Seeger
QA Contact: Samba QA Contact
Reported: 2017-01-15 21:32 UTC by Ralph Böhme
Modified: 2017-02-13 15:37 UTC (History)
Attachments
Patch for 4.4 cherry-picked from master (12.45 KB, patch)
2017-01-31 06:47 UTC, Ralph Böhme
jra: review+
Patch for 4.5 cherry-picked from master (12.48 KB, patch)
2017-01-31 06:48 UTC, Ralph Böhme
jra: review+
Patch for 4.6 cherry-picked from master (12.48 KB, patch)
2017-01-31 06:48 UTC, Ralph Böhme
jra: review+
Description Ralph Böhme 2017-01-15 21:32:00 UTC
If encryption is disabled globally, per definition we shouldn't allow
enabling encryption on individual shares and given a config

[Global]
  smb encrypt = off
[share]
  smb encrypt = required

we must deny access to "share" with access denied. Current behaviour doesn't get this right for the SMB 3.1.1 case with a negprot encryption context exchange and allows Windows 10 Client encrypted access to "share".

Additionally, a config

[Global]
  smb encrypt = off
[share]
  smb encrypt = desired

must result in an unencrypted tcon to "share" because encryption is off globally, but with current code we set the "encryption required" flag on the share and again allow encrypted access for any client that can deal with the strange combination of a server that says "I don't support encryption" (in negprot) but sets the encryption required flag for the share.

Patch to follow...
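
Added example (not part of the bug report and not Samba code): a small smb.conf audit that flags shares whose "smb encrypt" value conflicts with a global "smb encrypt = off" and states the outcome the report says the server must produce. The function names and the sample config are constructed for illustration; only the values named in the report (off, desired, required) are handled, and line continuations and include files are not followed.

```python
import re

# Constructed sample config mirroring the two cases in the report,
# plus one share that does not set the parameter.
SAMPLE_CONF = """\
[Global]
  smb encrypt = off
[share]
  smb encrypt = required
[media]
  SMB Encrypt = desired
[public]
  path = /srv/public
"""

def parse_smb_encrypt(text):
    """Return {lowercased section name: 'smb encrypt' value} where it is set."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # smb.conf ignores case and whitespace in parameter names
        if re.sub(r"\s+", "", key).lower() == "smbencrypt":
            settings[section] = value.strip().lower()
    return settings

def audit(text):
    """Map each conflicting share to the outcome expected per the report."""
    settings = parse_smb_encrypt(text)
    if settings.get("global") != "off":
        return {}                                # report covers global off only
    expected = {
        "required": "deny tcon with access denied",
        "desired": "unencrypted tcon, no encryption-required flag",
    }
    return {share: expected[value]
            for share, value in settings.items()
            if share != "global" and value in expected}

if __name__ == "__main__":
    for share, outcome in sorted(audit(SAMPLE_CONF).items()):
        print(f"[{share}] conflicts with global 'smb encrypt = off': {outcome}")
```
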
Comment 1 Ralph Böhme 2017-01-31 06:47:55 UTC
Created attachment 12880 [details]
Patch for 4.4 cherry-picked from master
Comment 2 Ralph Böhme 2017-01-31 06:48:13 UTC
Created attachment 12881 [details]
Patch for 4.5 cherry-picked from master
Comment 3 Ralph Böhme 2017-01-31 06:48:34 UTC
Created attachment 12882 [details]
Patch for 4.6 cherry-picked from master
Comment 4 Jeremy Allison 2017-01-31 20:02:43 UTC
Reassigning to Karolin for inclusion in 4.6.next, 4.5.next, 4.4.next.
Comment 5 Karolin Seeger 2017-02-01 11:47:52 UTC
(In reply to Jeremy Allison from comment #4)
Pushed to autobuild-v4-{6,5,4}-test.
Comment 6 Karolin Seeger 2017-02-13 15:37:18 UTC
(In reply to Karolin Seeger from comment #5)
Pushed to all branches.
Closing out bug report.

Thanks!