Bug 8382 - [Server signing] Samba fileshare not working with server signing =auto
Summary: [Server signing] Samba fileshare not working with server signing =auto
Status: CLOSED FIXED
Alias: None
Product: Samba 3.5
Classification: Unclassified
Component: File services (show other bugs)
Version: 3.5.10
Hardware: All All
: P5 enhancement
Target Milestone: ---
Assignee: Stefan Metzmacher
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-08-18 08:09 UTC by okmanoj
Modified: 2012-06-03 12:39 UTC (History)
3 users (show)

See Also:


Attachments
Logs Level 100 and smb.conf file (84.25 KB, application/octet-stream)
2011-09-01 10:43 UTC, okmanoj
no flags Details
Network Capture for failure (4.64 KB, application/octet-stream)
2011-09-01 10:44 UTC, okmanoj
no flags Details
Patch for smb server signing (418 bytes, patch)
2011-09-09 01:28 UTC, okmanoj
no flags Details
Captures between w2k8r2 and w2ksp4 (48.28 KB, application/x-bzip)
2011-09-11 10:31 UTC, Stefan Metzmacher
no flags Details
Patches for master (21.79 KB, patch)
2011-09-12 17:08 UTC, Stefan Metzmacher
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description okmanoj 2011-08-18 08:09:53 UTC
While testing samba 3.5.8/9/10 I found samba file share (of samba server) is not opening from client PC (Intel based XPSP3) if I set "server signing=auto" and "client signing=auto". 

My windows Based Client security setting are as below (I have uploaded screenshot also) 
Microsoft network client : Digitally sign communication (always)	 Disabled 
Microsoft network client : Digitally sign communication (if server agrees)	 Enabled 


I am not sure is this issue is same as Bugzilla bug #8212 where Shirish-Sir has given patch in cifs.ko for below setting 
        server signing = mandatory 
        client signing = mandatory 
        client use spnego = yes 

However My setting are auto signing (negotiation based). 

I have teken samba server logs and network capture and uploaded the same in below link 
http://www.box.net/shared/p6sd3fcks3j978f8tze9

My environment details are 
Windows Client XPSP3 name (tec-99000478-01) [172.16.105.54] 
Samba Server (3.5.8/9/10) Fedora 14 PC [172.16.105.88] 
Configuration file smb.conf (uploaded in attached link) 

**I downgraded my samba to very old version ~3.3.15 and found auto  server signing is working fine [keeping environment and conf file same]. 

Regards 
Manoj
Comment 1 okmanoj 2011-09-01 10:43:14 UTC
Created attachment 6846 [details]
Logs Level 100 and smb.conf file
Comment 2 okmanoj 2011-09-01 10:44:44 UTC
Created attachment 6847 [details]
Network Capture for failure
Comment 3 okmanoj 2011-09-01 10:46:16 UTC
I tested samba-3.5.10 with latest kernel as per bug #8212 and sirish-sir comment
samba file share is still not opening 

kernel version is 
[root@localhost startScript]# uname -a
Linux localhost.localdomain <B>3.0.4</B> #1 SMP Thu Sep 1 17:09:47 JST 2011 i686 i686 i386 GNU/Linux

I have also confirmed that Patch given by  Sirish-sir is applied in linux kernel 3.4.0 


        if (ses->server->sec_mode &
           (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED)) {
                flags |= NTLMSSP_NEGOTIATE_SIGN;
                if (!ses->server->session_estab)
                        flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
        }


in build_ntlmssp_auth_blob(..) and build_ntlmssp_negotiate_blob(..)

I request to verify this issue again.

I have also used below parameter in my conf file as marked in #8212


Please let me know if I am doing something wrong.

Regards,
Manoj
Comment 4 okmanoj 2011-09-05 07:22:49 UTC
Dear Samba Team,

If I am using samba 3.5.15 below setting is working fine for me

   server signing = auto 
   client signing = auto

However if I use 3.5.0, above setting is not working.

Is It a Degrade? 

Regards,
Manoj
Comment 5 okmanoj 2011-09-06 07:45:09 UTC
Sorry I mean If I am using samba 3.4.15 below setting is working fine for me
Comment 6 okmanoj 2011-09-07 06:46:41 UTC
While debugging I found in older samba 3.4.x we are adding tmp sign 
memcpy(&outbuf[smb_ss_field], "BSRSPYL ", 8);  and setting flags2 sign bit inside srv_set_signing_negotiated(void) and temp_sign_outgoing_message()

However we are not adding any sign in current samba 3.5.x.   
srv_set_signing_negotiated () and smb_signing_set_negotiated()

Due to above SMB:Flags2 "Security signature" and "Signature" fields are empty. 

This is also clear in network capture. 

Regards, 
Manoj
Comment 7 okmanoj 2011-09-09 01:28:54 UTC
Created attachment 6875 [details]
Patch for smb server signing

While debugging i found we are not updating 
smb_signing_state.bsrspyl in file share operation due to which below code is always returning without adding sign flags and signature (even tough it is hard coded as per windows behavior)


void smb_signing_sign_pdu(struct smb_signing_state *si,
                          uint8_t *outbuf, uint32_t seqnum)
{
        uint8_t calc_md5_mac[16];
        uint16_t flags2;

        if (si->mac_key.length == 0) {
                if (!si->bsrspyl) {
                        return;
                }
        }



I tried to make patch for this, and tested all the modes auto, mandatory and disable and signing flags in SMB header (Flags2) [0x0004] and Security mode  (i.e Signatures and Sig req) are added properly

I request for patch review and let me know your comments.


Best Regards
Manoj
Comment 8 Stefan Metzmacher 2011-09-09 07:12:17 UTC
Does the client requires signing?

The client sends the SMB_FLAGS2_SMB_SECURITY_SIGNATURE_REQUIRED (0x0010)
bit in the flags2 field in the negprot request.

Currently we're ignoring this flag, which might one part of the bug.
Comment 9 okmanoj 2011-09-09 08:28:22 UTC
Thanks got your comment,
Currently I have tested only server signing. 
Just now I saw in client it is ignored.


(In reply to comment #8)
> Does the client requires signing?
> 
> The client sends the SMB_FLAGS2_SMB_SECURITY_SIGNATURE_REQUIRED (0x0010)
> bit in the flags2 field in the negprot request.
> 
> Currently we're ignoring this flag, which might one part of the bug.
Comment 10 Jeremy Allison 2011-09-09 23:26:59 UTC
According to the docs SMB_FLAGS2_SMB_SECURITY_SIGNATURE_REQUIRED (0x0010) only matters in the Sessionsetup request, not the negprot. Still, of course we're ignoring it in there as well...
Jeremy.
Comment 11 Jeremy Allison 2011-09-10 00:10:21 UTC
Ah - the problem is (looking in your capture file) you're being logged on as guest. The current code in 3.5.x (and possibly 3.6.x) won't turn on signing on a guest connection. But if signing was mandatory we should refuse to continue at this point.

Jeremy.
Comment 12 Jeremy Allison 2011-09-10 00:43:11 UTC
Ok, the real question is what should we do in the case of "server signing = mandatory" and connections that authenticate as guest - which disqualifies server signing with our current 3.5.x and above codebase ?

Should we just disconnect ? If so at what point ? At the end of the second sessionsetupX when we know we're guest (that's easy to do by making register_existing_vuid() return UID_FIELD_INVALID in the guest=true,"server signing = mandatory" case) ?

The current behavior is non-optimal (IMHO).

Metze/Volker, what are your thoughts on this ?

Jeremy.
Comment 13 Stefan Metzmacher 2011-09-10 07:06:54 UTC
(In reply to comment #12)
> Ok, the real question is what should we do in the case of "server signing =
> mandatory" and connections that authenticate as guest - which disqualifies
> server signing with our current 3.5.x and above codebase ?
> 
> Should we just disconnect ? If so at what point ? At the end of the second
> sessionsetupX when we know we're guest (that's easy to do by making
> register_existing_vuid() return UID_FIELD_INVALID in the guest=true,"server
> signing = mandatory" case) ?
> 
> The current behavior is non-optimal (IMHO).
> 
> Metze/Volker, what are your thoughts on this ?

If the session is done as guest, then we just should not do signing,
which matches windows 2k8r2.

I'm in progress to take captures of w2k sp4 against w2k8r2
with both as client and server, with all combinations
of disables, enabled and required.

When I'm finished with that I'll propose some patches to
match the windows behavior completely.
Comment 14 Jeremy Allison 2011-09-10 20:11:39 UTC
Yes, I agree with a guest connection we should not do signing. If "server signing = mandatory" though, should we then terminate - that's the question ?

I was planning to do the Windows tests on this on Monday, but if you get there first I'm happy with that :-).

Jeremy.
Comment 15 Stefan Metzmacher 2011-09-11 10:31:58 UTC
Created attachment 6878 [details]
Captures between w2k8r2 and w2ksp4
Comment 16 Stefan Metzmacher 2011-09-11 11:23:12 UTC
(In reply to comment #14)
> Yes, I agree with a guest connection we should not do signing. If "server
> signing = mandatory" though, should we then terminate - that's the question ?

I don't think so, if someone wants to avoid that, guest support could be disabled.

> I was planning to do the Windows tests on this on Monday, but if you get there
> first I'm happy with that :-).

I think I understand how all this is supposed to work, but I need to cleanup
my patches...
Comment 17 Stefan Metzmacher 2011-09-12 17:08:35 UTC
Created attachment 6879 [details]
Patches for master

Jeremy, can you take a look at this patches?

They also allows us have 'client signing = auto',
causing no signing unless the server requires it.
'client signing = yes' uses signing if the server supports it.
Comment 18 adarsh 2011-09-26 12:24:46 UTC
(In reply to comment #17)
> Created attachment 6879 [details]
> Patches for master
> 
> Jeremy, can you take a look at this patches?
> 
> They also allows us have 'client signing = auto',
> causing no signing unless the server requires it.
> 'client signing = yes' uses signing if the server supports it.

Hi Samba Team,

I tried merging the above patch with samba 3.5.10, I am not able to open the file share at all now with server signing as 'auto/mandatory/disabled'. My scenario is the same as mentioned above, I am also logging in as guest.

Let me know if i will have to change anything else also with this.

Regards,
Adarsh
Comment 19 Stefan Metzmacher 2011-10-12 14:27:22 UTC
(In reply to comment #18)
> I tried merging the above patch with samba 3.5.10, I am not able to open the
> file share at all now with server signing as 'auto/mandatory/disabled'. My
> scenario is the same as mentioned above, I am also logging in as guest.
> 
> Let me know if i will have to change anything else also with this.

I guess if you want to have guest access you need to disable signing
(at least on the client)
Comment 20 Stefan Metzmacher 2012-05-30 11:39:58 UTC
Comment on attachment 6879 [details]
Patches for master

Similar patches are in master
Comment 21 Stefan Metzmacher 2012-05-30 11:41:43 UTC
Closing this as invalid, as it's not possible to do signing as guest user.
Comment 22 okmanoj 2012-06-03 12:39:44 UTC
As a logger I would like to close this issue, as the patch worked for me....Thank you