From: "Aurélien Aptel" <aaptel@suse.com>
To: Ronnie Sahlberg <lsahlber@redhat.com>,
	linux-cifs <linux-cifs@vger.kernel.org>
Cc: Steve French <smfrench@gmail.com>,
	Stable <stable@vger.kernel.org>,
	Ronnie Sahlberg <lsahlber@redhat.com>
Subject: Re: [PATCH] cifs: allow guest mounts to work for smb3.11
Date: Thu, 21 Mar 2019 12:46:32 +0100
Message-ID: <87imwc4fhj.fsf@suse.com>
In-Reply-To: <20190321045902.14326-1-lsahlber@redhat.com>

Ronnie Sahlberg <lsahlber@redhat.com> writes:

> Fix Guest/Anonymous sessions so that they work with SMB 3.11.
>
> In git commit 6188f28 tightened the conditions and forced signing for
> the SMB2-TreeConnect commands as per MS-SMB2.

We could add a

    Fixes: 6188f28bf608 ("Tree connect for SMB3.1.1 must be signed for non-encrypted shares")

tag in the commit message.
>  
> -	/* 3.11 tcon req must be signed if not encrypted. See MS-SMB2 3.2.4.1.1 */
> +	/*
> +	 * 3.11 tcon req must be signed if not encrypted. See MS-SMB2 3.2.4.1.1
> +	 * unless it is guest or anonymous user. See MS-SMB2 3.2.5.3.1
> +	 */
>  	if ((ses->server->dialect == SMB311_PROT_ID) &&
> -	    !smb3_encryption_required(tcon))
> +	    !smb3_encryption_required(tcon) &&
> +	    !(ses->session_flags & (SMB2_SESSION_FLAG_IS_GUEST|SMB2_SESSION_FLAG_IS_NULL)))
>  		req->sync_hdr.Flags |= SMB2_FLAGS_SIGNED;
>  
>  	memset(&rqst, 0, sizeof(struct smb_rqst));
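
Review bot: the added third clause of the SMB311_PROT_ID condition, `!(ses->session_flags & (SMB2_SESSION_FLAG_IS_GUEST|SMB2_SESSION_FLAG_IS_NULL))`, runs well past 80 columns and open-codes a guest/anonymous test that other signing decisions may need as well. Consider a small helper or a local mask with spaces around `|`, so that the same test can be reused wherever SMB2_FLAGS_SIGNED is set. The comment now cites MS-SMB2 3.2.5.3.1 for the exception but does not say why an unsigned, unencrypted tree connect is acceptable for these sessions. A short clause giving the reason would help the next reader judge whether the exception is still as narrow as intended.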

I suspect there might be more (and/or better) places to check. If you grep for
SMB2_FLAGS_SIGNED there are a couple of other places that should be
considered:

smb2_hdr_assemble() { ...
	if (tcon->ses && tcon->ses->server && tcon->ses->server->sign &&
	    !smb3_encryption_required(tcon))
		shdr->Flags |= SMB2_FLAGS_SIGNED;
...
}

cifs_get_smb_ses() { ...
	ses->sectype = volume_info->sectype;
	ses->sign = volume_info->sign;

	mutex_lock(&ses->session_mutex);
	rc = cifs_negotiate_protocol(xid, ses);
	if (!rc)
		rc = cifs_setup_session(xid, ses, volume_info->local_nls);
	mutex_unlock(&ses->session_mutex);
	if (rc)
		goto get_ses_fail;
...
}

After negprot and before sess setup we already know the protocol version so I guess there
could be some patch there as well.

See also SMB2_logoff(), SMB2_ioctl_init(), cifs_enable_signing()

Cheers,
-- 
Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97  8C99 03C8 A49B 521B D5D3
SUSE Linux GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany
GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
