Bug 12609 - smbclient encryption returns error in newer version
Summary: smbclient encryption returns error in newer version
Status: RESOLVED WONTFIX
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: libsmbclient
Version: 4.4.4
Hardware: x86 Linux
Importance: P5 minor
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2017-03-02 19:42 UTC by Charlie
Modified: 2017-03-03 16:29 UTC
Description Charlie 2017-03-02 19:42:28 UTC
I am writing a short article about smbclient for Linuxjournal, and I can't use encryption on a newer smbclient version (where it works on an older release, and also works without the -e flag). This should only work under -mNT1, as the target does not support SMB3. Both systems are current on updates. Am I doing something incorrectly?



This encryption attempt fails:
___
$ smbclient -V
Version 4.4.4

$ smbclient //samba.foo.com/public -U USER -W GROUP        #PLAINTEXT
Enter USER's password: 
Domain=[GROUP] OS=[Unix] Server=[Samba 3.6.23-13.0.1.el5_11]
smb: \> quit

$ smbclient -e //samba.foo.com/public -U USER -W GROUP 
Enter USER's password: 
smb_signing_good: BAD SIG: seq 1
session setup failed: NT_STATUS_ACCESS_DENIED

$ cat /etc/oracle-release /etc/redhat-release
Oracle Linux Server release 7.3
Red Hat Enterprise Linux Server release 7.3 (Maipo)



While this one works:
___
$ smbclient -V
Version 3.6.23-13.0.1.el5_11

$ smbclient -e //samba.foo.com/public -U USER -W GROUP 
Enter USER's password: 
Domain=[GROUP] OS=[Unix] Server=[Samba 3.6.23-13.0.1.el5_11]
smb: \> quit

$ cat /etc/oracle-release /etc/redhat-release 
Oracle Linux Server release 5.11
Red Hat Enterprise Linux Server release 5.11 (Tikanga)
Comment 1 Stefan Metzmacher 2017-03-03 07:16:01 UTC
(In reply to Charlie from comment #0)

The problem is that the -e option requires SMB signing
and that's not enabled by default by the server.
The client can overwrite that with the FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED
option. But the FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED handling in the
server is only available in 4.2.0 and newer versions.

So you need to either backport the FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED
handling to 3.6 or upgrade the server, sorry.
Comment 2 Stefan Metzmacher 2017-03-03 07:22:39 UTC
(In reply to Stefan Metzmacher from comment #1)

Or you just use "server signing = auto", as that will affect all clients
and most clients start to use signing if it's available, you may want to
enable it for a specific client (where you could also use "server signing = required") only.

See https://wiki.samba.org/index.php/Client_specific_logging
how to configure client IP address specific "include = " lines
in the server's smb.conf.
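
The per-client approach from comment 2, sketched as an added example (not part of the original comments and not taken from the Samba wiki page). The file paths and the client address 192.0.2.10 are assumptions made for illustration; %I is the smb.conf substitution for the client's IP address.

```ini
# --- /etc/samba/smb.conf on the 3.6 server (path assumed) ---
[global]
    # Situation from comment 1: signing is not enabled by default,
    # so "smbclient -e" from the 4.4.4 client fails session setup.

    # Option A: enable signing for every client that asks for it.
    # server signing = auto

    # Option B: keep the global default and load an extra file whose
    # name depends on the connecting client's IP address. Clients
    # without a matching file keep the global settings.
    include = /etc/samba/smb.conf.client-%I

# --- /etc/samba/smb.conf.client-192.0.2.10 (constructed address) ---
[global]
    # Applies only to connections from 192.0.2.10, the host that
    # needs "smbclient -e" to work.
    server signing = required
```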
Comment 3 Charlie 2017-03-03 16:29:44 UTC
This global config has fixed the problem. Many thanks!

Are there any security or performance drawbacks to this? The manual page implies there is no (effective) impact to SMB2.

server signing          =       auto

Now I can log in:

$ smbclient -V
Version 4.4.4
limsdev $ smbclient -e //samba.foo.com/public -U USER -W GROUP
Enter USER's password: 
Domain=[GROUP] OS=[Unix] Server=[Samba 3.6.23-13.0.1.el5_11]
smb: \> quit