Bug 1237085 - SMB: smb3 encryption doesn't happen when smb encrypt is set to enabled for global and for share
Summary: SMB: smb3 encryption doesn't happen when smb encrypt is set to enabled for gl...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat Storage
Component: samba
Version: rhgs-3.1
Hardware: Unspecified
OS: Unspecified
high
urgent
Target Milestone: ---
: RHGS 3.1.0
Assignee: Michael Adam
QA Contact: surabhi
URL:
Whiteboard:
Depends On:
Blocks: 1202842
TreeView+ depends on / blocked
 
Reported: 2015-06-30 10:41 UTC by surabhi
Modified: 2015-07-29 05:08 UTC (History)
9 users (show)

Fixed In Version: samba-4.1.17-10
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-07-29 05:08:43 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1495 0 normal SHIPPED_LIVE Important: Red Hat Gluster Storage 3.1 update 2015-07-29 08:26:26 UTC
Samba Project 11372 0 None None None Never

Description surabhi 2015-06-30 10:41:49 UTC
Description of problem:

When smb encrypt is set to enabled for global as well as for share, and tried to
access the share from windows 8 client which is capable of encryption , SMB3 encryption doesn't happen.

Tried setting it to required/mandatory,smb3 encryption works fine.

Version-Release number of selected component (if applicable):
samba-4.1.17-7.el7rhgs.x86_64

How reproducible:
Always

Steps to Reproduce:
1.set smb encrypt = enabled in smb.conf for global option
2.Access the volume from windows 8 client which supports encryption
3.Check the wireshark traces 


Actual results:
*************************
SMB3 encryption doesn't happen when smb encrypt is set to enabled for global as well as share.
In wireshark traces ,during negotiation both server and client says we support encryption.
In tree connect the client checks for a flag : if encrypted data required : false then the smb3 encryption doesn't happen.


Expected results:
When smb encrypt is set to enabled , SMB3 encryption should happen.

Additional info:

Comment 4 surabhi 2015-07-11 10:42:51 UTC
With the latest samba build :
samba-winbind-4.1.17-12.el7rhgs.x86_64
samba-client-4.1.17-12.el7rhgs.x86_64
samba-vfs-glusterfs-4.1.17-12.el7rhgs.x86_64
samba-winbind-modules-4.1.17-12.el7rhgs.x86_64
samba-common-4.1.17-12.el7rhgs.x86_64
samba-winbind-clients-4.1.17-12.el7rhgs.x86_64
samba-libs-4.1.17-12.el7rhgs.x86_64
samba-4.1.17-12.el7rhgs.x86_64


The new value "desired" has been added for smb encrypt global and share option.

Verified following cases, works as expected.

1. Setting global and share to default:

During negotiation : Server and client announces it supports encryption
Session setup and tree connect : No SMB3 data encryption happens as expected.

2. Setting global to enabled :

During negotiation : Server and client announces it supports encryption.
Session setup and tree connect : No encryption happens as expected.

3. Setting global to Desired :

From win 8 client 
During Negotiation : Server and client announces it supports encryption
Session setup : The flag encryption required is TRUE and SMB3 encryption happens.

From win7 client:
Share is still accessible
No SMB3 encryption

4. Setting global as enabled:
   Share 1 : desired
   Share 2 : default

From win 8 client:
For share 1 the smb3 data encryption shall happen.
Result :  During negotiation, both client and server announces it supports encryption
          During session req and response , the encryption required flag is true , so SMB3 encryption happens for share 1.
For share 2 during negotiation, only announcement happens and no SMB3 data encryption.

From win 7 client :
Share is still accessible
No SMB3 encryption


5. Setting global as desired :
   Share 1  : Required
   Share 2 : default (desired)
   
Share 1:
From Win8 client:
Result: During negotiation both client and server announces it supports encryption.
        During session req and response , the encryption flag is set to TRUE so SMB3 encryption happens for share 1.
For share 2 during negotiation , announcement happens and the encryption flag is set to true in session response, SMB3 encryption happens.

From Win7 client:
For share 1 : since the value is set to required, the client gets access denied.
For share 2  : Client able to access , No SMB3 encryption.

Moving the BZ to verified.

Comment 5 errata-xmlrpc 2015-07-29 05:08:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-1495.html


Note You need to log in before you can comment on or make changes to this bug.