Bug 13009 - Can't connect to NetApp with SMB3.1.1 due to strict interpretation of encryption flag
Summary: Can't connect to NetApp with SMB3.1.1 due to strict interpretation of encrypt...
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: libsmbclient (show other bugs)
Version: 4.5.13
Hardware: All All
: P2 major (vote)
Target Milestone: 4.7
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-09-01 16:17 UTC by Steve French
Modified: 2017-09-22 07:42 UTC (History)
4 users (show)

See Also:

Attachments
proposed patch for fixing Samba client library and tools access to NetApp (1.40 KB, patch)
2017-09-11 23:10 UTC, Steve French 		no flags Details
git-am fix for master. (1.03 KB, patch)
2017-09-11 23:58 UTC, Jeremy Allison 		no flags Details
git-am fix for master. (1.33 KB, patch)
2017-09-12 18:34 UTC, Jeremy Allison 		sfrench: review+
Details
Patch for v4-7-test (1.55 KB, patch)
2017-09-14 15:17 UTC, Stefan Metzmacher 		jra: review+
vl: review+
Details
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Steve French 2017-09-01 16:17:26 UTC 
We had failure connecting to NetApp, with SMB3.1.1 dialect.

The problem is that for SMB3.1.1 we don't allow the encryption flag to be set, but this is a "SHOULD NOT" not a "MUST NOT" (and NetApp sets it for 3.1.1).  The problem is below:

 libcli/smb/smbXcli_base.c:
 
        if (conn->smb2.server.capabilities & SMB2_CAP_ENCRYPTION) {
                tevent_req_nterror(req,
                                NT_STATUS_INVALID_NETWORK_RESPONSE);
                return;
        }

See Edgars blog post
Comment 1 Steve French 2017-09-11 19:21:30 UTC 
Reproduced at test event, and notified NetApp

Just need to remove the overly strict check (see above) in smbXcli_base.c
Comment 3 Steve French 2017-09-11 19:23:55 UTC 
(In reply to Steve French from comment #1)

Note that if you set dialect to SMB3.02 it works as expected
Comment 4 Steve French 2017-09-11 23:10:14 UTC 
Created attachment 13574 [details]
proposed patch for fixing Samba client library and tools access to NetApp
Comment 5 Jeremy Allison 2017-09-11 23:35:47 UTC 
https://blogs.msdn.microsoft.com/openspecification/2015/09/09/smb-3-1-1-encryption-in-windows-10/

shows that when SMB3_11 is negotiated, the server *should* not use capabilities to negotiate encryption (it uses contexts), but it isn't a *must* not. So we can mask this off from the conn->smb2.server.capabilities stored on the client side.
Comment 6 Jeremy Allison 2017-09-11 23:58:15 UTC 
Created attachment 13575 [details]
git-am fix for master.

How about this one instead ?
Comment 7 Steve French 2017-09-12 17:42:02 UTC 
That looks wrong - unrelated patch to this bug
Comment 8 Jeremy Allison 2017-09-12 18:34:52 UTC 
Created attachment 13584 [details]
git-am fix for master.

Sorry for the wrong one, this should work.
Comment 9 Steve French 2017-09-12 19:15:02 UTC 
Found on latest 4.5 with min and max protocol set to their new higher values (and recreated on latest 4.7 which has updated defaults for dialects)
Comment 10 Stefan Metzmacher 2017-09-14 15:17:49 UTC 
Created attachment 13597 [details]
Patch for v4-7-test
Comment 11 Karolin Seeger 2017-09-14 15:28:35 UTC 
Pushed to autobuild-v4-7-test.
Comment 12 Stefan Metzmacher 2017-09-15 23:24:08 UTC 
Pushed to v4-7-test.

Do we want this also for 4.6?
Comment 13 Karolin Seeger 2017-09-20 09:57:57 UTC 
Pushed to v4-7-test.
Comment 14 Karolin Seeger 2017-09-22 07:42:44 UTC 
Closing out bug report.

Please feel free to re-open if it should be in 4.6 also.