Re: [SCM] Samba Shared Repository - branch v4-0-test updated- release-4-0-0alpha4-42-g8e96f2e - Samba


  1. Re: [SCM] Samba Shared Repository - branch v4-0-test updated- release-4-0-0alpha4-42-g8e96f2e

    Hi Tridge,

    > + /* supporting signing is mandatory in SMB2, and is per-packet. So we
    > + should check the signature on any incoming packet that is signed, and
    > + should give a signed reply to any signed request */
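
    Review bot: the comment states the policy only for packets that arrive with the signed flag set, so it leaves undocumented what happens to an unsigned request on a session where signing is required. Suggest adding a sentence for that case, because a check keyed only on the packet's own flag leaves it to the sender whether verification happens at all.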


    shouldn't we reject a request with a session but without signing,
    if signing is negotiated as mandatory?

    > + if (flags & SMB2_HDR_FLAG_SIGNED) {
    > + NTSTATUS status;
    > + if (req->session == NULL) {
    > + /* we can't check signing with no session */
    > + smb2srv_send_error(req, NT_STATUS_ACCESS_DENIED);
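
    Review bot: in the req->session == NULL branch the error reply cannot be signed, since there is no session to take a key from, which is an exception to the earlier comment's "signed reply to any signed request". Suggest saying so in the "we can't check signing with no session" comment, and confirming that the branch returns straight after smb2srv_send_error() so the request is not processed further; the quoted lines end before that is visible.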


    I think Windows gives NT_STATUS_USER_SESSION_DELETED here...

    Can you also change the client back to allow per smb2_session signing,
    and we should only sign packets, which belong to a session.

    We also need to take care of oplock breaks, from the server to the
    client...

    metze





  2. Re: [SCM] Samba Shared Repository - branch v4-0-test updated- release-4-0-0alpha4-42-g8e96f2e

    Hi Metze,

    > shouldn't we reject a request with a session but without signing,
    > if signing is negotiated as mandatory?


    yep, fixed now thanks

    > Can you also change the client back to allow per smb2_session signing,
    > and we should only sign packets, which belong to a session.


    done

    > We also need to take care of oplock breaks, from the server to the
    > client...


    I still need to look into these :-)

    Cheers, Tridge

