authorStefan Metzmacher <metze@samba.org>2021-08-11 14:33:24 +0200
committerJule Anger <janger@samba.org>2021-08-13 07:23:15 +0000
commit9d152be356dc4bf48943a45f22591ab017f0ca1b (patch)
tree94331b63446ce7b632cbd445f2874d8f177e2d64
parenteb8518e4fb828337a331779fbac14a25b0761d45 (diff)
s3:libsmb: start encryption as soon as possible after the session setup
For the SMB1 UNIX CIFS extensions we create a temporary IPC$ tcon, if there's no tcon yet. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14793 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> (cherry picked from commit 21302649c46441ea325c66457294225ddb1d6235)
-rw-r--r--source3/libsmb/clidfs.c56
1 files changed, 40 insertions, 16 deletions
diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
index 040b957e6f8..5b64858ca33 100644
--- a/source3/libsmb/clidfs.c
+++ b/source3/libsmb/clidfs.c
@@ -50,6 +50,7 @@ static NTSTATUS cli_cm_force_encryption_creds(struct cli_state *c,
uint16_t major, minor;
uint32_t caplow, caphigh;
NTSTATUS status;
+ bool temp_ipc = false;
if (smbXcli_conn_protocol(c->conn) >= PROTOCOL_SMB2_02) {
status = smb2cli_session_encryption_on(c->smb2.session);
@@ -72,12 +73,26 @@ static NTSTATUS cli_cm_force_encryption_creds(struct cli_state *c,
return NT_STATUS_NOT_SUPPORTED;
}
+ if (c->smb1.tcon == NULL) {
+ status = cli_tree_connect_creds(c, "IPC$", "IPC", creds);
+ if (!NT_STATUS_IS_OK(status)) {
+ d_printf("Encryption required and "
+ "can't connect to IPC$ to check "
+ "UNIX CIFS extensions.\n");
+ return NT_STATUS_UNKNOWN_REVISION;
+ }
+ temp_ipc = true;
+ }
+
status = cli_unix_extensions_version(c, &major, &minor, &caplow,
&caphigh);
if (!NT_STATUS_IS_OK(status)) {
d_printf("Encryption required and "
"can't get UNIX CIFS extensions "
"version from server.\n");
+ if (temp_ipc) {
+ cli_tdis(c);
+ }
return NT_STATUS_UNKNOWN_REVISION;
}
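Review bot: The new IPC$ failure branch throws away the status returned by cli_tree_connect_creds() and reports only NT_STATUS_UNKNOWN_REVISION, so an access-denied or network error on the temporary tree connect cannot be told apart from a server without UNIX CIFS extensions. Printing the cause would help diagnose a failed mandatory-encryption connect, e.g. ending the message with `"UNIX CIFS extensions: %s\n", nt_errstr(status));` as the setup-failure branch further down already does. The `if (temp_ipc) { cli_tdis(c); }` teardown is also repeated on each error exit in this hunk and the next two, and on the success path, with the result of cli_tdis() ignored each time. A single cleanup label would keep a future early return from leaving the temporary IPC$ tcon connected. The function body starts and ends outside this hunk.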
@@ -85,6 +100,9 @@ static NTSTATUS cli_cm_force_encryption_creds(struct cli_state *c,
d_printf("Encryption required and "
"share %s doesn't support "
"encryption.\n", sharename);
+ if (temp_ipc) {
+ cli_tdis(c);
+ }
return NT_STATUS_UNSUPPORTED_COMPRESSION;
}
@@ -93,9 +111,15 @@ static NTSTATUS cli_cm_force_encryption_creds(struct cli_state *c,
d_printf("Encryption required and "
"setup failed with error %s.\n",
nt_errstr(status));
+ if (temp_ipc) {
+ cli_tdis(c);
+ }
return status;
}
+ if (temp_ipc) {
+ cli_tdis(c);
+ }
return NT_STATUS_OK;
}
@@ -217,6 +241,22 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
DEBUG(4,(" session setup ok\n"));
+ if (encryption_state >= SMB_ENCRYPTION_DESIRED) {
+ status = cli_cm_force_encryption_creds(c,
+ creds,
+ sharename);
+ if (!NT_STATUS_IS_OK(status)) {
+ switch (encryption_state) {
+ case SMB_ENCRYPTION_DESIRED:
+ break;
+ case SMB_ENCRYPTION_REQUIRED:
+ default:
+ cli_shutdown(c);
+ return status;
+ }
+ }
+ }
+
/* here's the fun part....to support 'msdfs proxy' shares
(on Samba or windows) we have to issues a TRANS_GET_DFS_REFERRAL
here before trying to connect to the original share.
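Review bot: In the moved block the `case SMB_ENCRYPTION_DESIRED: break;` arm drops the failure status, and because the block now runs before the DFS referral and the tree connect, everything after it proceeds on an unencrypted session with no record at this call site. A log line before the `break` would make the fallback visible, for example `DEBUG(1, ("encryption desired but not enabled (%s), continuing unencrypted\n", nt_errstr(status)));`. The d_printf messages visible in cli_cm_force_encryption_creds() all begin with "Encryption required", which is misleading when encryption was only desired. do_connect's body extends beyond this hunk.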
@@ -241,22 +281,6 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
return status;
}
- if (encryption_state >= SMB_ENCRYPTION_DESIRED) {
- status = cli_cm_force_encryption_creds(c,
- creds,
- sharename);
- if (!NT_STATUS_IS_OK(status)) {
- switch (encryption_state) {
- case SMB_ENCRYPTION_DESIRED:
- break;
- case SMB_ENCRYPTION_REQUIRED:
- default:
- cli_shutdown(c);
- return status;
- }
- }
- }
-
DEBUG(4,(" tconx ok\n"));
*pcli = c;
return NT_STATUS_OK;