The branch, master has been updated via 7e3ceaec449 python:tests: Add test for SMB encrypted DCERPC connection via 81052e41da8 s4:libcli: Require signing for SMB encryption via d546dd1e5b8 s4:libcli: Add smb2_connect_enc_start() via 6454ed761ad s3:libcli: Split out smb2_connect_tcon_start() via 7387c1da31c s4:libcli: Return if encryption is requested for SMB1 via e2287011f4b s4:libcli: Return NTSTATUS errors for smb_composite_connect_send() via dd1cacb6a28 s3:libsmb: Make cli_cm_force_encryption_creds() static via d7c3d86f017 examples: Remove obsolete force encryption from smb2mount via 29504508041 s3:rpcclient: Remove obsolete force encryption from rpcclient via 2bf58f182b1 s3:utils: Remove obsolete force encryption from smbcquotas via 85e2660b94c s3:utils: Remove obsolete force encryption from mdfind via 0d0a3bbc83a s3:utils: Remove obsolete force encryption from smbacls via 5698fb41bb4 s3:client: Remove unused smb encryption code via d0062d312cb s3:libsmb: Use cli_credentials_set_smb_encryption() via 1acc6408be1 s3:net: Use cli_credentials_set_smb_encryption() via 5bff7a061f6 python: Add a test for SMB encryption via 8a5bc0a6a18 s3:libsmb: Add encryption support to cli_full_connection_creds*() via ba04151a01b s3:libsmb: Remove signing_state from cli_full_connection_creds() via 886f245ace9 s3:libsmb: Remove signing_state from cli_full_connection_creds_send() via 6f552204d46 s3:client: Turn off smb signing for message op via 62a4705dbcf s3:libsmb: Use 'enum smb_signing_setting' in cliconnect.c via 67323b1ffaa python:tests: Set smb ipc signing via the creds API via 1a74c790bfe python:tests: Mark libsmb connection as an IPC connection via 8c06dc13651 s3:pylibsmb: Add ipc=True support for CLI_FULL_CONNECTION_IPC via c58a301c273 s3:libsmb: Introduce CLI_FULL_CONNECTION_IPC via 946e43f0ccf python: Set smb signing via the creds API via d55950b8408 python: Remove unused sign argument from smb_connection() via 34a81eca0da s3:lib: Set smb encryption also via cli creds API 
via be9e60efad9 s3:lib: Use cli_credential_(get|set)_smb_signing() via 0188885a499 auth:creds: Bump library version via 84f1e4683e6 auth:creds: Add python bindings for cli_credentials_set_conf() via 66c9c68badf auth:creds: Add python bindings for (get|set)_smb_encryption via 836c5e01e65 auth:creds: Add cli_credentials_(get|set)_smb_encryption() via ef12caea073 auth:creds: Add python bindings for (get|set)_smb_ipc_signing via 71d65278e16 auth:creds: Add cli_credentials_(get|set)_smb_ipc_signing() via 098774b2441 auth:creds: Add python bindings for (get|set)_smb_signing via 58e0abc58f7 auth:creds: Add cli_credentials_(get|set)_smb_signing() via 59a1272a6c8 auth:creds: Remove unused credentials autoproto header via b0ae876a6c8 s3:lib: Use smb_signing_setting_translate for cmdline parsing via 4bf8a667310 libcli:smb: Add smb_encryption_setting_translate() via e524719010b libcli:smb: Add smb_signing_setting_translate() via 93e97d5afd3 lib:param: Add lpcfg_parse_enum_vals() via 5a733c3c1ba docs-xml: Add 'client smb encrypt' via 58e31f78745 s3:smbd: Use 'enum smb_encryption_setting' values via f03bb8ad8a0 param: Create and use enum_smb_encryption_vals via bd5a888746e param: Add 'server smb encrypt' parameter via e9135035400 auth:creds: Introduce CRED_SMB_CONF via 46142d8398d libcli:smb2: Use talloc NULL context if we don't have a stackframe via cf432bd4527 libcli:smb2: Do not leak ptext on error from 5de7c91e6d4 s3:smbd: Fix %U substitutions if it contains a domain name
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 7e3ceaec449a06e9646f5543a617b3b866a720aa Author: Andreas Schneider <a...@samba.org> Date: Tue Jul 7 14:27:07 2020 +0200 python:tests: Add test for SMB encrypted DCERPC connection Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> Autobuild-User(master): Andreas Schneider <a...@cryptomilk.org> Autobuild-Date(master): Wed Aug 19 17:46:28 UTC 2020 on sn-devel-184 commit 81052e41da82041cd32f3f7f3f20fd52ffb7e491 Author: Andreas Schneider <a...@samba.org> Date: Fri Jul 24 10:18:52 2020 +0200 s4:libcli: Require signing for SMB encryption Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit d546dd1e5b8d2fccb1e8cd4d84ef2a6209e9c23c Author: Andreas Schneider <a...@samba.org> Date: Tue Jul 7 12:44:26 2020 +0200 s4:libcli: Add smb2_connect_enc_start() Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 6454ed761ad00198d51e4aca008a69a825189e38 Author: Andreas Schneider <a...@samba.org> Date: Tue Jul 7 12:29:39 2020 +0200 s3:libcli: Split out smb2_connect_tcon_start() Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 7387c1da31c29c4da912328ebb18c7332ebd9dd1 Author: Andreas Schneider <a...@samba.org> Date: Tue Jul 7 12:54:26 2020 +0200 s4:libcli: Return if encryption is requested for SMB1 Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit e2287011f4b654e085b9ddaa694b8ccdf8bfad30 Author: Andreas Schneider <a...@samba.org> Date: Thu Aug 13 16:16:55 2020 +0200 s4:libcli: Return NTSTATUS errors for smb_composite_connect_send() 
Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit dd1cacb6a28233d0a00b376f6bdc2164a0656bb0 Author: Andreas Schneider <a...@samba.org> Date: Mon Jul 6 11:05:59 2020 +0200 s3:libsmb: Make cli_cm_force_encryption_creds() static Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit d7c3d86f017068d72c9fab3406453fdee4f516ec Author: Andreas Schneider <a...@samba.org> Date: Mon Jul 6 10:58:36 2020 +0200 examples: Remove obsolete force encryption from smb2mount Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 29504508041c018a8601979085d04e7ed290a286 Author: Andreas Schneider <a...@samba.org> Date: Wed Jun 10 12:51:18 2020 +0200 s3:rpcclient: Remove obsolete force encryption from rpcclient Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 2bf58f182b1bfd39a5f549c5b539be58deddfe6b Author: Andreas Schneider <a...@samba.org> Date: Wed Jun 10 12:49:28 2020 +0200 s3:utils: Remove obsolete force encryption from smbcquotas Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 85e2660b94cc066b7f0deeec2a72d4fddc3463e7 Author: Andreas Schneider <a...@samba.org> Date: Wed Jun 10 12:48:18 2020 +0200 s3:utils: Remove obsolete force encryption from mdfind Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 0d0a3bbc83a06e262b4ae16ba0e09eccda17a01f Author: Andreas Schneider <a...@samba.org> Date: Wed Jun 10 12:47:05 2020 +0200 s3:utils: Remove obsolete force encryption from smbacls Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 5698fb41bb4c0aa14955fff81f903500b333eb4c Author: Andreas Schneider <a...@samba.org> Date: Wed Jun 10 12:43:33 2020 +0200 s3:client: Remove unused smb encryption code 
Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit d0062d312cbbf80afd78143ca5c0be68f2d72b03 Author: Andreas Schneider <a...@samba.org> Date: Wed Jun 10 12:40:13 2020 +0200 s3:libsmb: Use cli_credentials_set_smb_encryption() This also adds a SMBC_ENCRYPTLEVEL_DEFAULT to 'enum smbc_smb_encrypt_level' in order to use the smb.conf default value. Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 1acc6408be11bf1a161750bb510170dae3448849 Author: Andreas Schneider <a...@samba.org> Date: Wed Jun 10 12:31:02 2020 +0200 s3:net: Use cli_credentials_set_smb_encryption() Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 5bff7a061f695d7a9a90414d4393833345a193bf Author: Andreas Schneider <a...@samba.org> Date: Wed Jun 10 11:26:00 2020 +0200 python: Add a test for SMB encryption Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 8a5bc0a6a182d33fc4aee9d76c69aedd2b80ff65 Author: Stefan Metzmacher <me...@samba.org> Date: Mon Jun 8 08:04:24 2020 +0200 s3:libsmb: Add encryption support to cli_full_connection_creds*() Pair-Programmed-With: Andreas Schneider <a...@samba.org> Signed-off-by: Andreas Schneider <a...@samba.org> Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit ba04151a01b31cd29ccc4133e0a8631297154a34 Author: Andreas Schneider <a...@samba.org> Date: Thu Jun 4 14:59:14 2020 +0200 s3:libsmb: Remove signing_state from cli_full_connection_creds() Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 886f245ace9024d4ceb72f72c251e5e8d3904e0c Author: Andreas Schneider <a...@samba.org> Date: Thu May 28 18:20:02 2020 +0200 s3:libsmb: Remove signing_state from cli_full_connection_creds_send() 
Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 6f552204d4614ad97310fb4ab81a06d21d4b9af7 Author: Andreas Schneider <a...@samba.org> Date: Thu May 28 18:11:31 2020 +0200 s3:client: Turn off smb signing for message op Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 62a4705dbcff71b7885db18a0005b29ecf8a2c03 Author: Andreas Schneider <a...@samba.org> Date: Thu May 28 17:59:19 2020 +0200 s3:libsmb: Use 'enum smb_signing_setting' in cliconnect.c Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 67323b1ffaa019150691bcb4d859c32cd5a36cf1 Author: Andreas Schneider <a...@samba.org> Date: Mon Aug 17 12:52:39 2020 +0200 python:tests: Set smb ipc signing via the creds API Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 1a74c790bfe00d6ea1bdc02c52436f60f46ef32d Author: Andreas Schneider <a...@samba.org> Date: Fri Jul 24 09:47:11 2020 +0200 python:tests: Mark libsmb connection as an IPC connection Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 8c06dc1365125dea3dd78ba1eba7586cdc640dfb Author: Andreas Schneider <a...@samba.org> Date: Thu May 28 17:29:25 2020 +0200 s3:pylibsmb: Add ipc=True support for CLI_FULL_CONNECTION_IPC Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit c58a301c273c24531e798cd7c1b2af9be1364af9 Author: Andreas Schneider <a...@samba.org> Date: Thu May 28 17:22:12 2020 +0200 s3:libsmb: Introduce CLI_FULL_CONNECTION_IPC 
Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 946e43f0ccf3bc39d65d9b096f0a40fb12726ebb Author: Andreas Schneider <a...@samba.org> Date: Wed Jun 3 14:02:37 2020 +0200 python: Set smb signing via the creds API Pair-Programmed-With: Stefan Metzmacher <me...@samba.org> Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit d55950b8408acf48a4a0761b906ac4e2a596b2cc Author: Andreas Schneider <a...@samba.org> Date: Thu Aug 13 10:40:23 2020 +0200 python: Remove unused sign argument from smb_connection() Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 34a81eca0da3d572992954fdbc12d97837ffd03b Author: Andreas Schneider <a...@samba.org> Date: Wed Jun 10 12:45:34 2020 +0200 s3:lib: Set smb encryption also via cli creds API Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit be9e60efad95b96b64e5ec2db927e0f92a941437 Author: Andreas Schneider <a...@samba.org> Date: Wed May 27 11:10:30 2020 +0200 s3:lib: Use cli_credential_(get|set)_smb_signing() Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 0188885a4995198a4b573a7cbde736827f496846 Author: Andreas Schneider <a...@samba.org> Date: Thu Jul 23 08:14:23 2020 +0200 auth:creds: Bump library version We added new functions so bump the version. Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 84f1e4683e602954b0c259c81bee45926d1d5e3e Author: Andreas Schneider <a...@samba.org> Date: Thu Jun 4 11:19:53 2020 +0200 auth:creds: Add python bindings for cli_credentials_set_conf() 
Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 66c9c68badff8e5957960c489b0139359ab6d550 Author: Andreas Schneider <a...@samba.org> Date: Wed Jun 3 12:38:30 2020 +0200 auth:creds: Add python bindings for (get|set)_smb_encryption Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 836c5e01e653549b8aada13b9ef8c44d79c3411a Author: Andreas Schneider <a...@samba.org> Date: Thu May 28 16:10:52 2020 +0200 auth:creds: Add cli_credentials_(get|set)_smb_encryption() Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit ef12caea07350e83676ab863c02620bf054607a5 Author: Andreas Schneider <a...@samba.org> Date: Wed Jun 3 12:32:46 2020 +0200 auth:creds: Add python bindings for (get|set)_smb_ipc_signing Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 71d65278e1644628f9419008ed47bb475ff07b55 Author: Andreas Schneider <a...@samba.org> Date: Thu May 28 16:31:35 2020 +0200 auth:creds: Add cli_credentials_(get|set)_smb_ipc_signing() Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 098774b2441679ef77d5eb29d638d07f7987c7c3 Author: Andreas Schneider <a...@samba.org> Date: Wed Jun 3 11:56:01 2020 +0200 auth:creds: Add python bindings for (get|set)_smb_signing Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 58e0abc58f77fdfc8cee3616eac44ed6c0c0523f Author: Andreas Schneider <a...@samba.org> Date: Tue May 26 09:32:44 2020 +0200 auth:creds: Add cli_credentials_(get|set)_smb_signing() Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 59a1272a6c8f53ebfa1749ba26edfd40a11b6383 Author: Andreas Schneider <a...@samba.org> Date: Thu Jul 23 07:47:18 2020 +0200 auth:creds: Remove unused credentials autoproto header 
Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit b0ae876a6c8733441a9ea806458eadfb3d695a78 Author: Andreas Schneider <a...@samba.org> Date: Wed Oct 9 09:47:59 2019 +0200 s3:lib: Use smb_signing_setting_translate for cmdline parsing The function will be removed soon. Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 4bf8a667310d74561a0535655ece8745d19d1864 Author: Andreas Schneider <a...@samba.org> Date: Tue May 26 08:39:34 2020 +0200 libcli:smb: Add smb_encryption_setting_translate() Add encryption enum and function to avoid confusion when reading the code. Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit e524719010bf69e85681295358aeec6844c0748f Author: Andreas Schneider <a...@samba.org> Date: Wed Oct 9 09:38:08 2019 +0200 libcli:smb: Add smb_signing_setting_translate() Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 93e97d5afd309a8acf8217381f14f3dde4456a06 Author: Andreas Schneider <a...@samba.org> Date: Wed Jul 22 17:48:25 2020 +0200 lib:param: Add lpcfg_parse_enum_vals() Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 5a733c3c1ba7bb7ca7770bd0edb648b461f03cd9 Author: Andreas Schneider <a...@samba.org> Date: Thu Apr 9 10:38:41 2020 +0200 docs-xml: Add 'client smb encrypt' Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 58e31f78745906e8657d5ebd97c6f8f389911a62 Author: Andreas Schneider <a...@samba.org> Date: Tue May 26 09:34:54 2020 +0200 s3:smbd: Use 'enum smb_encryption_setting' values 
Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit f03bb8ad8a0f7238492542a2b2d8f196a79bc161 Author: Andreas Schneider <a...@samba.org> Date: Thu May 28 10:04:19 2020 +0200 param: Create and use enum_smb_encryption_vals Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit bd5a888746e15eff0a3f24e2a3e8e853fab0993b Author: Andreas Schneider <a...@samba.org> Date: Thu Oct 10 14:18:23 2019 +0200 param: Add 'server smb encrypt' parameter And this also makes 'smb encrypt' a synonym of that. Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit e9135035400494ed198e2a1964463c42db7a00c2 Author: Stefan Metzmacher <me...@samba.org> Date: Wed Nov 6 17:37:45 2019 +0100 auth:creds: Introduce CRED_SMB_CONF We have several places where we check '> CRED_UNINITIALISED', so we better don't use CRED_UNINITIALISED for values from our smb.conf. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 46142d8398dac98046866ab06ff3185f4311ab8d Author: Andreas Schneider <a...@samba.org> Date: Mon Jul 13 17:23:37 2020 +0200 libcli:smb2: Use talloc NULL context if we don't have a stackframe If we execute this code from python we don't have a talloc stackframe around and segfault with talloc_tos(). To fix the crash we use the NULL context as we take care for freeing the memory as soon as possible. Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit cf432bd4527a1605e48783c54c01b0ff518ba371 Author: Andreas Schneider <a...@samba.org> Date: Mon Jul 13 16:15:03 2020 +0200 libcli:smb2: Do not leak ptext on error 
Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> ----------------------------------------------------------------------- Summary of changes: auth/credentials/credentials.c | 147 ++++++++++++- auth/credentials/credentials.h | 21 ++ auth/credentials/credentials_internal.h | 10 + auth/credentials/credentials_krb5.c | 1 - auth/credentials/credentials_secrets.c | 1 - auth/credentials/pycredentials.c | 223 +++++++++++++++++++ auth/credentials/wscript_build | 3 +- docs-xml/smbdotconf/security/clientsmbencrypt.xml | 126 +++++++++++ .../{smbencrypt.xml => serversmbencrypt.xml} | 35 ++- docs-xml/smbdotconf/security/smbencrypt.xml | 241 +-------------------- examples/fuse/smb2mount.c | 14 +- examples/winexe/winexe.c | 4 +- lib/param/loadparm.c | 34 +++ lib/param/loadparm.h | 2 + lib/param/param_table.c | 23 ++ libcli/smb/smb2_signing.c | 31 ++- libcli/smb/smb_constants.h | 9 + libcli/smb/smb_util.h | 8 + libcli/smb/test_util_translate.c | 83 +++++++ libcli/smb/util.c | 40 ++++ libcli/smb/wscript | 5 + python/samba/gpclass.py | 9 +- python/samba/netcmd/domain_backup.py | 10 +- python/samba/netcmd/gpo.py | 15 +- python/samba/tests/credentials.py | 55 ++++- python/samba/tests/dcerpc/binding.py | 82 +++++++ python/samba/tests/dcerpc/raw_testcase.py | 6 +- python/samba/tests/libsmb.py | 37 ++++ selftest/tests.py | 3 + source3/client/client.c | 5 +- source3/client/smbspool.c | 10 - source3/include/client.h | 1 + source3/include/libsmbclient.h | 1 + source3/lib/util_cmdline.c | 36 ++- source3/libnet/libnet_join.c | 13 +- .../{smbclient-0.6.0.sigs => smbclient-0.7.0.sigs} | 0 source3/libsmb/cliconnect.c | 196 ++++++++++++++++- source3/libsmb/clidfs.c | 6 +- source3/libsmb/libsmb_context.c | 4 +- source3/libsmb/libsmb_server.c | 80 ++----- source3/libsmb/proto.h | 14 +- source3/libsmb/pylibsmb.c | 24 +- source3/libsmb/wscript | 2 +- source3/param/loadparm.c | 4 +- source3/rpc_server/spoolss/srv_spoolss_nt.c | 3 +- 
source3/rpcclient/cmd_spoolss.c | 5 +- source3/rpcclient/rpcclient.c | 16 +- source3/smbd/service.c | 10 +- source3/smbd/smb2_negprot.c | 2 +- source3/smbd/smb2_sesssetup.c | 4 +- source3/smbd/smb2_tcon.c | 4 +- source3/smbd/trans2.c | 3 +- source3/torture/locktest2.c | 11 +- source3/torture/torture.c | 6 +- source3/utils/mdfind.c | 12 +- source3/utils/net_ads.c | 4 +- source3/utils/net_util.c | 27 +-- source3/utils/netlookup.c | 3 +- source3/utils/smbcacls.c | 13 +- source3/utils/smbcquotas.c | 15 +- source3/wscript_build | 2 +- source4/auth/kerberos/kerberos_util.c | 1 - source4/auth/tests/kerberos.c | 1 - source4/libcli/smb2/connect.c | 60 ++++- source4/libcli/smb_composite/connect.c | 40 +++- source4/libcli/smb_composite/sesssetup.c | 7 + 66 files changed, 1395 insertions(+), 528 deletions(-) create mode 100644 docs-xml/smbdotconf/security/clientsmbencrypt.xml copy docs-xml/smbdotconf/security/{smbencrypt.xml => serversmbencrypt.xml} (88%) create mode 100644 libcli/smb/test_util_translate.c create mode 100644 python/samba/tests/dcerpc/binding.py copy source3/libsmb/ABI/{smbclient-0.6.0.sigs => smbclient-0.7.0.sigs} (100%) Changeset truncated at 500 lines: diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c index 81f9dbb9eb3..9168b92d3ec 100644 --- a/auth/credentials/credentials.c +++ b/auth/credentials/credentials.c @@ -44,6 +44,15 @@ _PUBLIC_ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx) cred->winbind_separator = '\\'; + cred->signing_state = SMB_SIGNING_DEFAULT; + + /* + * The default value of lpcfg_client_ipc_signing() is REQUIRED, so use + * the same value here. + */ + cred->ipc_signing_state = SMB_SIGNING_REQUIRED; + cred->encryption_state = SMB_ENCRYPTION_DEFAULT; + return cred; } 
@@ -902,12 +911,12 @@ _PUBLIC_ void cli_credentials_set_conf(struct cli_credentials *cred, if (lpcfg_parm_is_cmdline(lp_ctx, "workgroup")) { cli_credentials_set_domain(cred, lpcfg_workgroup(lp_ctx), CRED_SPECIFIED); } else { - cli_credentials_set_domain(cred, lpcfg_workgroup(lp_ctx), CRED_UNINITIALISED); + cli_credentials_set_domain(cred, lpcfg_workgroup(lp_ctx), CRED_SMB_CONF); } if (lpcfg_parm_is_cmdline(lp_ctx, "netbios name")) { cli_credentials_set_workstation(cred, lpcfg_netbios_name(lp_ctx), CRED_SPECIFIED); } else { - cli_credentials_set_workstation(cred, lpcfg_netbios_name(lp_ctx), CRED_UNINITIALISED); + cli_credentials_set_workstation(cred, lpcfg_netbios_name(lp_ctx), CRED_SMB_CONF); } if (realm != NULL && strlen(realm) == 0) { realm = NULL; @@ -915,13 +924,31 @@ _PUBLIC_ void cli_credentials_set_conf(struct cli_credentials *cred, if (lpcfg_parm_is_cmdline(lp_ctx, "realm")) { cli_credentials_set_realm(cred, realm, CRED_SPECIFIED); } else { - cli_credentials_set_realm(cred, realm, CRED_UNINITIALISED); + cli_credentials_set_realm(cred, realm, CRED_SMB_CONF); } sep = lpcfg_winbind_separator(lp_ctx); if (sep != NULL && sep[0] != '\0') { cred->winbind_separator = *lpcfg_winbind_separator(lp_ctx); } + + if (cred->signing_state_obtained <= CRED_SMB_CONF) { + /* Will be set to default for invalid smb.conf values */ + cred->signing_state = lpcfg_client_signing(lp_ctx); + cred->signing_state_obtained = CRED_SMB_CONF; + } + + if (cred->ipc_signing_state_obtained <= CRED_SMB_CONF) { + /* Will be set to required for invalid smb.conf values */ + cred->ipc_signing_state = lpcfg_client_ipc_signing(lp_ctx); + cred->ipc_signing_state_obtained = CRED_SMB_CONF; + } + + if (cred->encryption_state_obtained <= CRED_SMB_CONF) { + /* Will be set to default for invalid smb.conf values */ + cred->encryption_state = lpcfg_client_smb_encrypt(lp_ctx); + cred->encryption_state_obtained = CRED_SMB_CONF; + } } /** 
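Review bot: The three blocks added at the end of cli_credentials_set_conf() in the `@@ -915,13 +924,31 @@` hunk assign `cred->signing_state`, `cred->ipc_signing_state` and `cred->encryption_state` directly and re-implement the precedence test by hand as `<= CRED_SMB_CONF`. The setters added in the same series perform the equivalent `obtained >= ..._obtained` comparison, so a call such as `cli_credentials_set_smb_signing(cred, lpcfg_client_signing(lp_ctx), CRED_SMB_CONF);` would keep the rule that decides which source wins in one place. The comments "Will be set to default/required for invalid smb.conf values" describe behaviour of the lpcfg_*() helpers that is not visible here, so they are worth confirming against lib/param. The function body starts outside the hunk.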
@@ -1304,6 +1331,120 @@ _PUBLIC_ bool cli_credentials_parse_password_fd(struct cli_credentials *credenti return true; } +/** + * @brief Set the SMB signing state to request for a SMB connection. + * + * @param[in] creds The credentials structure to update. + * + * @param[in] signing_state The signing state to set. + * + * @param obtained This way the described signing state was specified. + * + * @return true if we could set the signing state, false otherwise. + */ +_PUBLIC_ bool cli_credentials_set_smb_signing(struct cli_credentials *creds, + enum smb_signing_setting signing_state, + enum credentials_obtained obtained) +{ + if (obtained >= creds->signing_state_obtained) { + creds->signing_state_obtained = obtained; + creds->signing_state = signing_state; + return true; + } + + return false; +} + +/** + * @brief Obtain the SMB signing state from a credentials structure. + * + * @param[in] creds The credential structure to obtain the SMB signing state + * from. + * + * @return The SMB singing state. + */ +_PUBLIC_ enum smb_signing_setting +cli_credentials_get_smb_signing(struct cli_credentials *creds) +{ + return creds->signing_state; +} + +/** + * @brief Set the SMB IPC signing state to request for a SMB connection. + * + * @param[in] creds The credentials structure to update. + * + * @param[in] signing_state The signing state to set. + * + * @param obtained This way the described signing state was specified. + * + * @return true if we could set the signing state, false otherwise. + */ +_PUBLIC_ bool +cli_credentials_set_smb_ipc_signing(struct cli_credentials *creds, + enum smb_signing_setting ipc_signing_state, + enum credentials_obtained obtained) +{ + if (obtained >= creds->ipc_signing_state_obtained) { + creds->ipc_signing_state_obtained = obtained; + creds->ipc_signing_state = ipc_signing_state; + return true; + } + + return false; +} + +/** + * @brief Obtain the SMB IPC signing state from a credentials structure. 
+ * + * @param[in] creds The credential structure to obtain the SMB IPC signing + * state from. + * + * @return The SMB singing state. + */ +_PUBLIC_ enum smb_signing_setting +cli_credentials_get_smb_ipc_signing(struct cli_credentials *creds) +{ + return creds->ipc_signing_state; +} + +/** + * @brief Set the SMB encryption state to request for a SMB connection. + * + * @param[in] creds The credentials structure to update. + * + * @param[in] encryption_state The encryption state to set. + * + * @param obtained This way the described encryption state was specified. + * + * @return true if we could set the encryption state, false otherwise. + */ +_PUBLIC_ bool cli_credentials_set_smb_encryption(struct cli_credentials *creds, + enum smb_encryption_setting encryption_state, + enum credentials_obtained obtained) +{ + if (obtained >= creds->encryption_state_obtained) { + creds->encryption_state_obtained = obtained; + creds->encryption_state = encryption_state; + return true; + } + + return false; +} + +/** + * @brief Obtain the SMB encryption state from a credentials structure. + * + * @param[in] creds The credential structure to obtain the SMB encryption state + * from. + * + * @return The SMB singing state. + */ +_PUBLIC_ enum smb_encryption_setting +cli_credentials_get_smb_encryption(struct cli_credentials *creds) +{ + return creds->encryption_state; +} /** * Encrypt a data blob using the session key and the negotiated encryption diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h index c2a17fef445..1a3e611fee8 100644 --- a/auth/credentials/credentials.h +++ b/auth/credentials/credentials.h 
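Review bot: The Doxygen block for cli_credentials_get_smb_encryption() ends with `@return The SMB singing state.`, copied from the signing getters; it should read `@return The SMB encryption state.`, and the two signing getters need "singing" corrected to "signing". The comment on cli_credentials_set_smb_ipc_signing() documents `@param[in] signing_state` although the parameter is named `ipc_signing_state`, and all three setters describe `obtained` as "This way the described signing state was specified", which would be clearer as `@param[in] obtained How the state was specified (its priority).` The setters return false when an existing value with higher priority is kept, so the `@return` text should say that false means the stored state was left unchanged. The getters do not modify the structure and could take `const struct cli_credentials *creds`, provided the prototypes in credentials.h are changed to match.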
@@ -38,10 +38,13 @@ struct gssapi_creds_container; struct smb_krb5_context; struct keytab_container; struct db_context; +enum smb_signing_setting; +enum smb_encryption_setting; /* In order of priority */ enum credentials_obtained { CRED_UNINITIALISED = 0, /* We don't even have a guess yet */ + CRED_SMB_CONF, /* Current value should be used, which comes from smb.conf */ CRED_CALLBACK, /* Callback should be used to obtain value */ CRED_GUESS_ENV, /* Current value should be used, which was guessed */ CRED_GUESS_FILE, /* A guess from a file (or file pointed at in env variable) */ @@ -289,6 +292,24 @@ void *_cli_credentials_callback_data(struct cli_credentials *cred); #define cli_credentials_callback_data_void(_cred) \ _cli_credentials_callback_data(_cred) +bool cli_credentials_set_smb_signing(struct cli_credentials *cred, + enum smb_signing_setting signing_state, + enum credentials_obtained obtained); +enum smb_signing_setting +cli_credentials_get_smb_signing(struct cli_credentials *cred); + +bool cli_credentials_set_smb_ipc_signing(struct cli_credentials *cred, + enum smb_signing_setting ipc_signing_state, + enum credentials_obtained obtained); +enum smb_signing_setting +cli_credentials_get_smb_ipc_signing(struct cli_credentials *cred); + +bool cli_credentials_set_smb_encryption(struct cli_credentials *cred, + enum smb_encryption_setting encryption_state, + enum credentials_obtained obtained); +enum smb_encryption_setting +cli_credentials_get_smb_encryption(struct cli_credentials *cred); + /** * Return attached NETLOGON credentials */ diff --git a/auth/credentials/credentials_internal.h b/auth/credentials/credentials_internal.h index 68f1f25dce1..3b86b742448 100644 --- a/auth/credentials/credentials_internal.h +++ b/auth/credentials/credentials_internal.h @@ -24,6 +24,7 @@ #include "../lib/util/data_blob.h" #include "librpc/gen_ndr/misc.h" +#include "libcli/smb/smb_constants.h" struct cli_credentials { enum credentials_obtained workstation_obtained; 
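Review bot: The forward declarations `enum smb_signing_setting;` and `enum smb_encryption_setting;` added in the `@@ -38,10 +38,13 @@` hunk are not valid ISO C, since incomplete enum types are a compiler extension. The prototypes added in the `@@ -289,6 +292,24 @@` hunk pass and return those enums by value, so a consumer of credentials.h cannot call them without also including the defining header. Including `libcli/smb/smb_constants.h` here, as credentials_internal.h does in this change, would avoid that if the header is available to consumers of this API. Inserting `CRED_SMB_CONF` directly after `CRED_UNINITIALISED` also renumbers every later `credentials_obtained` value; any caller that passes or stores raw integers needs checking, and the Python setters in this series accept a plain int. A short comment on the enum stating that order is priority and that new values change the numbering would help.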
@@ -36,6 +37,9 @@ struct cli_credentials { enum credentials_obtained principal_obtained; enum credentials_obtained keytab_obtained; enum credentials_obtained server_gss_creds_obtained; + enum credentials_obtained signing_state_obtained; + enum credentials_obtained ipc_signing_state_obtained; + enum credentials_obtained encryption_state_obtained; /* Threshold values (essentially a MAX() over a number of the * above) for the ccache and GSS credentials, to ensure we @@ -117,6 +121,12 @@ struct cli_credentials { char winbind_separator; bool password_will_be_nt_hash; + + enum smb_signing_setting signing_state; + + enum smb_signing_setting ipc_signing_state; + + enum smb_encryption_setting encryption_state; }; #endif /* __CREDENTIALS_INTERNAL_H__ */ diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c index 20e677e521a..259b35b73b0 100644 --- a/auth/credentials/credentials_krb5.c +++ b/auth/credentials/credentials_krb5.c @@ -27,7 +27,6 @@ #include "auth/kerberos/kerberos.h" #include "auth/credentials/credentials.h" #include "auth/credentials/credentials_internal.h" -#include "auth/credentials/credentials_proto.h" #include "auth/credentials/credentials_krb5.h" #include "auth/kerberos/kerberos_credentials.h" #include "auth/kerberos/kerberos_srv_keytab.h" diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c index 54f3ce2d078..52a89d4d5b4 100644 --- a/auth/credentials/credentials_secrets.c +++ b/auth/credentials/credentials_secrets.c @@ -29,7 +29,6 @@ #include "system/filesys.h" #include "auth/credentials/credentials.h" #include "auth/credentials/credentials_internal.h" -#include "auth/credentials/credentials_proto.h" #include "auth/credentials/credentials_krb5.h" #include "auth/kerberos/kerberos_util.h" #include "param/param.h" diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c index a5d0f9e051c..17c90573f09 100644 --- a/auth/credentials/pycredentials.c 
+++ b/auth/credentials/pycredentials.c @@ -34,6 +34,7 @@ #include "auth/credentials/credentials_internal.h" #include "system/kerberos.h" #include "auth/kerberos/kerberos.h" +#include "libcli/smb/smb_constants.h" void initcredentials(void); @@ -620,6 +621,42 @@ static PyObject *py_creds_set_forced_sasl_mech(PyObject *self, PyObject *args) Py_RETURN_NONE; } +static PyObject *py_creds_set_conf(PyObject *self, PyObject *args) +{ + PyObject *py_lp_ctx = Py_None; + struct loadparm_context *lp_ctx; + TALLOC_CTX *mem_ctx; + struct cli_credentials *creds; + + creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + + if (!PyArg_ParseTuple(args, "|O", &py_lp_ctx)) { + return NULL; + } + + mem_ctx = talloc_new(NULL); + if (mem_ctx == NULL) { + PyErr_NoMemory(); + return NULL; + } + + lp_ctx = lpcfg_from_py_object(mem_ctx, py_lp_ctx); + if (lp_ctx == NULL) { + talloc_free(mem_ctx); + return NULL; + } + + cli_credentials_set_conf(creds, lp_ctx); + + talloc_free(mem_ctx); + + Py_RETURN_NONE; +} + static PyObject *py_creds_guess(PyObject *self, PyObject *args) { PyObject *py_lp_ctx = Py_None; 
@@ -929,6 +966,144 @@ static PyObject *py_creds_encrypt_netr_crypt_password(PyObject *self,
 Py_RETURN_NONE;
 }
+static PyObject *py_creds_get_smb_signing(PyObject *self, PyObject *unused)
+{
+ enum smb_signing_setting signing_state;
+ struct cli_credentials *creds = NULL;
+
+ creds = PyCredentials_AsCliCredentials(self);
+ if (creds == NULL) {
+ PyErr_Format(PyExc_TypeError, "Credentials expected");
+ return NULL;
+ }
+
+ signing_state = cli_credentials_get_smb_signing(creds);
+ return PyLong_FromLong(signing_state);
+}
+
+static PyObject *py_creds_set_smb_signing(PyObject *self, PyObject *args)
+{
+ enum smb_signing_setting signing_state;
+ struct cli_credentials *creds = NULL;
+ enum credentials_obtained obt = CRED_SPECIFIED;
+
+ creds = PyCredentials_AsCliCredentials(self);
+ if (creds == NULL) {
+ PyErr_Format(PyExc_TypeError, "Credentials expected");
+ return NULL;
+ }
+ if (!PyArg_ParseTuple(args, "i|i", &signing_state, &obt)) {
+ return NULL;
+ }
+
+ switch (signing_state) {
+ case SMB_SIGNING_DEFAULT:
+ case SMB_SIGNING_OFF:
+ case SMB_SIGNING_IF_REQUIRED:
+ case SMB_SIGNING_DESIRED:
+ case SMB_SIGNING_REQUIRED:
+ break;
+ default:
+ PyErr_Format(PyExc_TypeError, "Invalid signing state value");
+ return NULL;
+ }
+
+ cli_credentials_set_smb_signing(creds, signing_state, obt);
+ Py_RETURN_NONE;
+}
+
+static PyObject *py_creds_get_smb_ipc_signing(PyObject *self, PyObject *unused)
+{
+ enum smb_signing_setting signing_state;
+ struct cli_credentials *creds = NULL;
+
+ creds = PyCredentials_AsCliCredentials(self);
+ if (creds == NULL) {
+ PyErr_Format(PyExc_TypeError, "Credentials expected");
+ return NULL;
+ }
+
+ signing_state = cli_credentials_get_smb_ipc_signing(creds);
+ return PyLong_FromLong(signing_state);
+}
+
+static PyObject *py_creds_set_smb_ipc_signing(PyObject *self, PyObject *args)
+{
+ enum smb_signing_setting signing_state;
+ struct cli_credentials *creds = NULL;
+ enum credentials_obtained obt = CRED_SPECIFIED;
+
+ creds = PyCredentials_AsCliCredentials(self);
+ if (creds == NULL) {
+ PyErr_Format(PyExc_TypeError, "Credentials expected");
+ return NULL;
+ }
+ if (!PyArg_ParseTuple(args, "i|i", &signing_state, &obt)) {
+ return NULL;
+ }
+
+ switch (signing_state) {
+ case SMB_SIGNING_DEFAULT:
+ case SMB_SIGNING_OFF:
+ case SMB_SIGNING_IF_REQUIRED:
+ case SMB_SIGNING_DESIRED:
+ case SMB_SIGNING_REQUIRED:
+ break;
+ default:
+ PyErr_Format(PyExc_TypeError, "Invalid signing state value");
+ return NULL;
+ }
+
+ cli_credentials_set_smb_ipc_signing(creds, signing_state, obt);
+ Py_RETURN_NONE;
+}
+
+static PyObject *py_creds_get_smb_encryption(PyObject *self, PyObject *unused)
+{
+ enum smb_encryption_setting encryption_state;
+ struct cli_credentials *creds = NULL;
+
+ creds = PyCredentials_AsCliCredentials(self);
+ if (creds == NULL) {
+ PyErr_Format(PyExc_TypeError, "Credentials expected");
+ return NULL;
+ }
+
+ encryption_state = cli_credentials_get_smb_encryption(creds);
+ return PyLong_FromLong(encryption_state);
+}
+
+static PyObject *py_creds_set_smb_encryption(PyObject *self, PyObject *args)
+{
+ enum smb_encryption_setting encryption_state;
+ struct cli_credentials *creds = NULL;
+ enum credentials_obtained obt = CRED_SPECIFIED;
+
+ creds = PyCredentials_AsCliCredentials(self);
+ if (creds == NULL) {
+ PyErr_Format(PyExc_TypeError, "Credentials expected");
+ return NULL;
+ }
+ if (!PyArg_ParseTuple(args, "i|i", &encryption_state, &obt)) {
+ return NULL;
+ }
+
+ switch (encryption_state) {
+ case SMB_ENCRYPTION_DEFAULT:
+ case SMB_ENCRYPTION_OFF:
+ case SMB_ENCRYPTION_IF_REQUIRED:
+ case SMB_ENCRYPTION_DESIRED:
+ case SMB_ENCRYPTION_REQUIRED:
+ break;
+ default:
+ PyErr_Format(PyExc_TypeError, "Invalid encryption state value");
+ return NULL;
+ }
+
+ cli_credentials_set_smb_encryption(creds, encryption_state, obt);
+ Py_RETURN_NONE;
+}
+
 static PyMethodDef py_creds_methods[] = {
 {
 .ml_name = "get_username",
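Review bot: The optional second argument `obt` is passed to the setter without any range check in py_creds_set_smb_signing, py_creds_set_smb_ipc_signing and py_creds_set_smb_encryption, although each of them validates the state argument with a `switch`. Any Python integer therefore becomes an `enum credentials_obtained`; if the C setters compare it with the stored `*_obtained` level (not visible in this hunk), an out-of-range value could either make a setting such as `SMB_SIGNING_OFF` impossible for later sources to override or cause the request to be dropped silently. Both arguments are also filled by the `"i"` format, which stores a C `int`, through pointers to enum objects whose size need not match. Parsing into `int` locals (`int signing_state; int obt = CRED_SPECIFIED;`) and rejecting `obt < CRED_UNINITIALISED || obt > CRED_SPECIFIED` before the call would address both, assuming `CRED_SPECIFIED` is the highest level. A rejected value would more conventionally raise `PyExc_ValueError` than `PyExc_TypeError`.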
@@ -1140,6 +1315,11 @@ static PyMethodDef py_creds_methods[] = {
 .ml_meth = py_creds_set_krb_forwardable,
 .ml_flags = METH_VARARGS,
 },
+ {
+ .ml_name = "set_conf",
+ .ml_meth = py_creds_set_conf,
+ .ml_flags = METH_VARARGS,
+ },
-- Samba Shared Repository