Bug 13009 - Can't connect to NetApp with SMB3.1.1 due to strict interpretation of encryption flag
Can't connect to NetApp with SMB3.1.1 due to strict interpretation of encrypt...
Status: RESOLVED FIXED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: libsmbclient
4.5.13
All All
: P2 major
: 4.7
Assigned To: Karolin Seeger
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-09-01 16:17 UTC by Steve French
Modified: 2017-09-22 07:42 UTC (History)
4 users (show)

See Also:


Attachments
proposed patch for fixing Samba client library and tools access to NetApp (1.40 KB, patch)
2017-09-11 23:10 UTC, Steve French
no flags Details
git-am fix for master. (1.03 KB, patch)
2017-09-11 23:58 UTC, Jeremy Allison
no flags Details
git-am fix for master. (1.33 KB, patch)
2017-09-12 18:34 UTC, Jeremy Allison
sfrench: review+
Details
Patch for v4-7-test (1.55 KB, patch)
2017-09-14 15:17 UTC, Stefan Metzmacher
jra: review+
vl: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Steve French 2017-09-01 16:17:26 UTC
We had failure connecting to NetApp, with SMB3.1.1 dialect.

The problem is that for SMB3.1.1 we don't allow the encryption flag to be set, but this is a "SHOULD NOT" not a "MUST NOT" (and NetApp sets it for 3.1.1).  The problem is below:

 libcli/smb/smbXcli_base.c:
 
        if (conn->smb2.server.capabilities & SMB2_CAP_ENCRYPTION) {
                tevent_req_nterror(req,
                                NT_STATUS_INVALID_NETWORK_RESPONSE);
                return;
        }

See Edgars blog post
Comment 1 Steve French 2017-09-11 19:21:30 UTC
Reproduced at test event, and notified NetApp

Just need to remove the overly strict check (see above) in smbXcli_base.c
Comment 3 Steve French 2017-09-11 19:23:55 UTC
(In reply to Steve French from comment #1)

Note that if you set dialect to SMB3.02 it works as expected
Comment 4 Steve French 2017-09-11 23:10:14 UTC
Created attachment 13574 [details]
proposed patch for fixing Samba client library and tools access to NetApp
Comment 5 Jeremy Allison 2017-09-11 23:35:47 UTC
https://blogs.msdn.microsoft.com/openspecification/2015/09/09/smb-3-1-1-encryption-in-windows-10/

shows that when SMB3_11 is negotiated, the server *should* not use capabilities to negotiate encryption (it uses contexts), but it isn't a *must* not. So we can mask this off from the conn->smb2.server.capabilities stored on the client side.
Comment 6 Jeremy Allison 2017-09-11 23:58:15 UTC
Created attachment 13575 [details]
git-am fix for master.

How about this one instead ?
Comment 7 Steve French 2017-09-12 17:42:02 UTC
That looks wrong - unrelated patch to this bug
Comment 8 Jeremy Allison 2017-09-12 18:34:52 UTC
Created attachment 13584 [details]
git-am fix for master.

Sorry for the wrong one, this should work.
Comment 9 Steve French 2017-09-12 19:15:02 UTC
Found on latest 4.5 with min and max protocol set to their new higher values (and recreated on latest 4.7 which has updated defaults for dialects)
Comment 10 Stefan Metzmacher 2017-09-14 15:17:49 UTC
Created attachment 13597 [details]
Patch for v4-7-test
Comment 11 Karolin Seeger 2017-09-14 15:28:35 UTC
Pushed to autobuild-v4-7-test.
Comment 12 Stefan Metzmacher 2017-09-15 23:24:08 UTC
Pushed to v4-7-test.

Do we want this also for 4.6?
Comment 13 Karolin Seeger 2017-09-20 09:57:57 UTC
Pushed to v4-7-test.
Comment 14 Karolin Seeger 2017-09-22 07:42:44 UTC
Closing out bug report.

Please feel free to re-open if it should be in 4.6 also.