Bug 13051 - "smb encrypt" setting changes are not fully applied until full smbd restart
Status: ASSIGNED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: 4.7.0
Hardware: All All
Importance: P5 normal
Assigned To: Jeremy Allison
QA Contact: Samba QA Contact
 
Reported: 2017-09-25 22:43 UTC by Justin Maggard
Modified: 2017-11-15 08:58 UTC

Description Justin Maggard 2017-09-25 22:43:44 UTC
If we change the "smb encrypt" setting from "default" to "required", clients are still able to list share names and connect to services without encryption (although actual file transactions seem to be blocked).  This state remains until smbd is completely restarted -- not even a service reload using SIGHUP works.

Conversely, if we change the "smb encrypt" from "required" to "default", clients continue to be denied unencrypted access to the Samba server until after a full smbd restart.

For example:

jmaggard@justin-rn626:~$ testparm -s 2>/dev/null | grep "smb encrypt"
jmaggard@justin-rn626:~$ smbclient -mNT1 -g -L //localhost/documents
Enter DISCOVERY\jmaggard's password: 
Disk|Documents|
Disk|dr1|
Disk|import|
Disk|Music|
IPC|IPC$|IPC Service ("justin-rn626")
Disk|jmaggard|Home directory of jmaggard
Reconnecting with SMB1 for workgroup listing.
Workgroup|DISCOVERY|JUSTIN-RR4360

jmaggard@justin-rn626:~$ testparm -s 2>/dev/null | grep "smb encrypt"
	smb encrypt = required
jmaggard@justin-rn626:~$ smbclient -mNT1 -g -L //localhost/documents
Enter DISCOVERY\jmaggard's password: 
Disk|Documents|
Disk|dr1|
Disk|import|
Disk|Music|
IPC|IPC$|IPC Service ("justin-rn626")
Disk|jmaggard|Home directory of jmaggard
Reconnecting with SMB1 for workgroup listing.
Workgroup|DISCOVERY|JUSTIN-RR4360

jmaggard@justin-rn626:~$ sudo systemctl restart smb
jmaggard@justin-rn626:~$ smbclient -mNT1 -g -L //localhost/documents
Enter DISCOVERY\jmaggard's password: 
Error returning browse list: NT_STATUS_ACCESS_DENIED
Reconnecting with SMB1 for workgroup listing.
Comment 1 Jeremy Allison 2017-09-25 23:13:08 UTC
Hmmmm. You can only reproduce this with SMB1 - correct?

I'm guessing it doesn't happen with SMB2+.

This might be an artifact of the way encryption is implemented in SMB1, which requires a tran2 call *after* the share connection, so this may be a "just implemented that way" kind of thing (i.e. it probably always did this for the SMB1 unix extensions encryption).

Is this causing a problem at customer sites, or just something you noticed?

Jeremy.
Comment 2 Justin Maggard 2017-09-26 00:11:46 UTC
The "conversely" portion (required -> desired, enabled, or disabled) caused the complaint in the field, and that is reproducible on both SMB1 and SMB2.

But you're correct, the first issue with upgrading the encryption requirement is not reproducible using SMB2.
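
Added example, not part of the bug report or of Samba's code: a small check an administrator could run after editing "smb encrypt" to see whether the running smbd still behaves according to the old value, in either direction described in this thread. The function names and result labels are assumptions made for the illustration; the inputs are the output of the same testparm and unencrypted smbclient commands shown in the description.

```shell
#!/bin/sh
# Added example (not from the bug report or from Samba). Function names and
# result labels are assumptions made for this illustration.

# Print the first "smb encrypt" value found in `testparm -s` output on stdin.
# testparm -s omits parameters left at their default, so no match => "default".
effective_encrypt() {
    awk -F= '/^[ \t]*smb encrypt[ \t]*=/ {
                 v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); v = tolower(v); exit
             }
             END { print (v == "" ? "default" : v) }'
}

# Classify `smbclient -g -L` output (stdin) from an UNENCRYPTED probe:
# share rows mean the listing was served, NT_STATUS_ACCESS_DENIED means refused.
probe_result() {
    awk -F'|' '/NT_STATUS_ACCESS_DENIED/ { denied = 1 }
               $1 == "Disk" || $1 == "IPC" || $1 == "Printer" { listed = 1 }
               END { print (denied ? "denied" : (listed ? "listed" : "unknown")) }'
}

# classify CONFIGURED_VALUE PROBE_RESULT
# Compares what smb.conf says with what the running smbd actually did.
classify() {
    case "$1" in
        required|mandatory) want=denied ;;   # unencrypted access must be refused
        *)                  want=listed ;;   # unencrypted access is permitted
    esac
    if   [ "$2" = unknown ];   then echo inconclusive
    elif [ "$2" = "$want" ];   then echo consistent
    elif [ "$want" = denied ]; then echo stale-not-enforced    # default -> required, no restart
    else                            echo stale-still-required  # required -> default, no restart
    fi
}

# Constructed sample: lines copied from the report's second run (setting changed
# to "required", smbd not yet restarted).
conf=$(printf '\tsmb encrypt = required\n' | effective_encrypt)
probe=$(printf 'Disk|Documents|\nIPC|IPC$|IPC Service ("justin-rn626")\n' | probe_result)
echo "smb encrypt=$conf probe=$probe => $(classify "$conf" "$probe")"
```

Either "stale" result means smbd has to be fully restarted before the configured value is what clients actually get; a refusal caused by something other than the encryption requirement would be misread as "denied", so the probe should use credentials that are known to work.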