Bug 1237085 - SMB: smb3 encryption doesn't happen when smb encrypt is set to enabled for global and for share
Status: CLOSED ERRATA
Product: Red Hat Gluster Storage
Classification: Red Hat
Component: samba
Version: 3.1
Hardware: Unspecified Unspecified
Priority: high, Severity: urgent
Target Milestone: ---
Target Release: RHGS 3.1.0
Assigned To: Michael Adam
QA Contact: surabhi
Depends On:
Blocks: 1202842

Reported: 2015-06-30 06:41 EDT by surabhi
Modified: 2015-07-29 01:08 EDT
CC List: 9 users

Fixed In Version: samba-4.1.17-10
Doc Type: Bug Fix
Last Closed: 2015-07-29 01:08:43 EDT
Type: Bug
External Trackers
Tracker | ID | Priority | Status | Summary | Last Updated
Samba Project | 11372 | None | None | None | Never
Red Hat Product Errata | RHSA-2015:1495 | normal | SHIPPED_LIVE | Important: Red Hat Gluster Storage 3.1 update | 2015-07-29 04:26:26 EDT

Description surabhi 2015-06-30 06:41:49 EDT
Description of problem:

When smb encrypt is set to enabled for global as well as for share, and the share is accessed from a Windows 8 client which is capable of encryption, SMB3 encryption doesn't happen.

Tried setting it to required/mandatory; SMB3 encryption works fine.

Version-Release number of selected component (if applicable):
samba-4.1.17-7.el7rhgs.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Set smb encrypt = enabled in smb.conf for the global option
2. Access the volume from a Windows 8 client which supports encryption
3. Check the Wireshark traces


Actual results:
SMB3 encryption doesn't happen when smb encrypt is set to enabled for global as well as share.
In the Wireshark traces, during negotiation both server and client say they support encryption.
In tree connect the client checks for a flag: if "encrypted data required" is false, then the SMB3 encryption doesn't happen.


Expected results:
When smb encrypt is set to enabled, SMB3 encryption should happen.

Additional info:
Comment 4 surabhi 2015-07-11 06:42:51 EDT
With the latest samba build:
samba-winbind-4.1.17-12.el7rhgs.x86_64
samba-client-4.1.17-12.el7rhgs.x86_64
samba-vfs-glusterfs-4.1.17-12.el7rhgs.x86_64
samba-winbind-modules-4.1.17-12.el7rhgs.x86_64
samba-common-4.1.17-12.el7rhgs.x86_64
samba-winbind-clients-4.1.17-12.el7rhgs.x86_64
samba-libs-4.1.17-12.el7rhgs.x86_64
samba-4.1.17-12.el7rhgs.x86_64


The new value "desired" has been added for smb encrypt global and share option.

Verified the following cases; they work as expected.

1. Setting global and share to default:

During negotiation: server and client announce that they support encryption.
Session setup and tree connect: no SMB3 data encryption happens, as expected.

2. Setting global to enabled:

During negotiation: server and client announce that they support encryption.
Session setup and tree connect: no encryption happens, as expected.

3. Setting global to desired:

From Win8 client:
During negotiation: server and client announce that they support encryption.
Session setup: the flag "encryption required" is TRUE and SMB3 encryption happens.

From Win7 client:
Share is still accessible.
No SMB3 encryption.

4. Setting global as enabled:
   Share 1: desired
   Share 2: default

From Win8 client:
For share 1 the SMB3 data encryption shall happen.
Result: During negotiation, both client and server announce that they support encryption.
        During session request and response, the "encryption required" flag is true, so SMB3 encryption happens for share 1.
For share 2, during negotiation only the announcement happens and there is no SMB3 data encryption.

From Win7 client:
Share is still accessible.
No SMB3 encryption.


5. Setting global as desired:
   Share 1: required
   Share 2: default (desired)

Share 1:
From Win8 client:
Result: During negotiation both client and server announce that they support encryption.
        During session request and response, the encryption flag is set to TRUE, so SMB3 encryption happens for share 1.
For share 2, during negotiation the announcement happens and the encryption flag is set to true in the session response; SMB3 encryption happens.

From Win7 client:
For share 1: since the value is set to required, the client gets access denied.
For share 2: client is able to access; no SMB3 encryption.

Moving the BZ to verified.
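
The cases verified in comment 4, expressed as an added example (not code from this bug report or from Samba): a small auditor that reads `smb encrypt` from smb.conf text and reports, per share, what an SMB3-capable client and an older client get. The share names, the sample configuration and the rule that a share's own value replaces the global one are assumptions that match cases 1 to 5 only.

```python
# Added example: outcomes are those recorded in comment 4; the config is constructed.
SAMPLE_CONF = """
[global]
    smb encrypt = enabled
[share1]
    path = /mnt/vol1
    smb encrypt = desired
[share2]
[share3]
    smb encrypt = mandatory
"""
# value -> (SMB3-capable client, client without SMB3 encryption)
BEHAVIOUR = {
    "default":  ("cleartext", "cleartext"),
    "enabled":  ("cleartext", "cleartext"),  # capability is only announced
    "desired":  ("encrypted", "cleartext"),
    "required": ("encrypted", "access denied"),
}
ALIASES = {"mandatory": "required"}

def parse_smb_encrypt(text):
    """Return {section: value or None} for the 'smb encrypt' parameter."""
    found, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            found.setdefault(section, None)
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            if " ".join(key.lower().split()) == "smb encrypt":
                value = value.strip().lower()
                found[section] = ALIASES.get(value, value)
    return found

def audit(text):
    """Map share -> (effective value, SMB3 client result, older client result)."""
    settings = parse_smb_encrypt(text)
    global_value = settings.pop("global", None) or "default"
    report = {}
    for share, value in settings.items():
        # Assumption: an unset or "default" share takes the [global] value.
        effective = global_value if value in (None, "default") else value
        report[share] = (effective, *BEHAVIOUR.get(effective, ("unknown", "unknown")))
    return report

if __name__ == "__main__":
    print(*(f"{s}: {r}" for s, r in audit(SAMPLE_CONF).items()), sep="\n")
```

A share that reports `cleartext` for the SMB3-capable client is one where `enabled` or the default is in effect, which is the situation the original report describes.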
Comment 5 errata-xmlrpc 2015-07-29 01:08:43 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-1495.html
