7 files changed, 170 insertions, 52 deletions
diff --git a/source3/utils/net.c b/source3/utils/net.c
index bf70d08d8b..586ea2fdb6 100644
--- a/source3/utils/net.c
+++ b/source3/utils/net.c
@@ -88,6 +88,7 @@ int opt_testmode = False;
 
 int opt_have_ip = False;
 struct sockaddr_storage opt_dest_ip;
+bool smb_encrypt;
 
 extern bool AllowDebugChange;
 
@@ -178,9 +179,7 @@ NTSTATUS connect_to_service(struct cli_state **c,
 					service_name, service_type,
 					opt_user_name, opt_workgroup,
 					opt_password, 0, Undefined, NULL);
-	if (NT_STATUS_IS_OK(nt_status)) {
-		return nt_status;
-	} else {
+	if (!NT_STATUS_IS_OK(nt_status)) {
 		d_fprintf(stderr, "Could not connect to server %s\n", server_name);
 
 		/* Display a nicer message depending on the result */
@@ -196,9 +195,40 @@ NTSTATUS connect_to_service(struct cli_state **c,
 		if (NT_STATUS_V(nt_status) ==
 		    NT_STATUS_V(NT_STATUS_ACCOUNT_DISABLED))
 			d_fprintf(stderr, "The account was disabled.\n");
-
 		return nt_status;
 	}
+
+	if (smb_encrypt) {
+		nt_status = cli_force_encryption(*c,
+					opt_user_name,
+					opt_password,
+					opt_workgroup);
+
+		if (NT_STATUS_EQUAL(nt_status,NT_STATUS_NOT_SUPPORTED)) {
+			d_printf("Encryption required and "
+				"server that doesn't support "
+				"UNIX extensions - failing connect\n");
+		} else if (NT_STATUS_EQUAL(nt_status,NT_STATUS_UNKNOWN_REVISION)) {
+			d_printf("Encryption required and "
+				"can't get UNIX CIFS extensions "
+				"version from server.\n");
+		} else if (NT_STATUS_EQUAL(nt_status,NT_STATUS_UNSUPPORTED_COMPRESSION)) {
+			d_printf("Encryption required and "
+				"share %s doesn't support "
+				"encryption.\n", service_name);
+		} else if (!NT_STATUS_IS_OK(nt_status)) {
+			d_printf("Encryption required and "
+				"setup failed with error %s.\n",
+				nt_errstr(nt_status));
+		}
+
+		if (!NT_STATUS_IS_OK(nt_status)) {
+			cli_shutdown(*c);
+			*c = NULL;
+		}
+	}
+
+	return nt_status;
 }
 
 /****************************************************************************
@@ -287,12 +317,24 @@ NTSTATUS connect_to_ipc_krb5(struct cli_state **c,
 
 	SAFE_FREE(user_and_realm);
 
-	if (NT_STATUS_IS_OK(nt_status)) {
-		return nt_status;
-	} else {
+	if (!NT_STATUS_IS_OK(nt_status)) {
 		DEBUG(1,("Cannot connect to server using kerberos.  Error was %s\n", nt_errstr(nt_status)));
 		return nt_status;
 	}
+
+        if (smb_encrypt) {
+		nt_status = cli_cm_force_encryption(*c,
+					user_and_realm,
+					opt_password,
+					opt_workgroup,
+                                        "IPC$");
+		if (!NT_STATUS_IS_OK(nt_status)) {
+			cli_shutdown(*c);
+			*c = NULL;
+		}
+	}
+
+	return nt_status;
 }
 
 /**
@@ -988,6 +1030,7 @@ static struct functable net_func[] = {
 		{"port",	'p', POPT_ARG_INT,    &opt_port},
 		{"myname",	'n', POPT_ARG_STRING, &opt_requester_name},
 		{"server",	'S', POPT_ARG_STRING, &opt_host},
+		{"encrypt",	'e', POPT_ARG_NONE,   NULL, 'e', "Encrypt SMB transport (UNIX extended servers only)" },
 		{"container",	'c', POPT_ARG_STRING, &opt_container},
 		{"comment",	'C', POPT_ARG_STRING, &opt_comment},
 		{"maxusers",	'M', POPT_ARG_INT,    &opt_maxusers},
@@ -1010,7 +1053,7 @@ static struct functable net_func[] = {
 		{"acls",	0, POPT_ARG_NONE,     &opt_acls},
 		{"attrs",	0, POPT_ARG_NONE,     &opt_attrs},
 		{"timestamps",	0, POPT_ARG_NONE,     &opt_timestamps},
-		{"exclude",	'e', POPT_ARG_STRING, &opt_exclude},
+		{"exclude",	'X', POPT_ARG_STRING, &opt_exclude},
 		{"destination",	0, POPT_ARG_STRING,   &opt_destination},
 		{"tallocreport", 0, POPT_ARG_NONE, &do_talloc_report},
 
@@ -1037,6 +1080,9 @@ static struct functable net_func[] = {
 			net_help(argc, argv);
 			exit(0);
 			break;
+		case 'e':
+			smb_encrypt=true;
+			break;
 		case 'I':
 			if (!interpret_string_addr(&opt_dest_ip,
 						poptGetOptArg(pc), 0)) {
diff --git a/source3/utils/net_conf.c b/source3/utils/net_conf.c
index a758391630..38cdeacc11 100644
--- a/source3/utils/net_conf.c
+++ b/source3/utils/net_conf.c
@@ -19,9 +19,12 @@
  */
 
 /*
- * This is an interface to the configuration stored inside the
- * samba registry. In the future there might be support for other
- * configuration backends as well.
+ * This is an interface to Samba's configuration as made available
+ * by the libnet_conf interface (source/libnet/libnet_conf.c).
+ *
+ * This currently supports local interaction with the configuration
+ * stored in the registry. But other backends and remote access via
+ * rpc might get implemented in the future.
  */
 
 #include "includes.h"
@@ -43,9 +46,9 @@ static int net_conf_import_usage(int argc, const char**argv)
 	d_printf("USAGE: net conf import [--test|-T] <filename> "
 		 "[<servicename>]\n"
 		 "\t[--test|-T]    testmode - do not act, just print "
-		                   "what would be done\n"
+			"what would be done\n"
 		 "\t<servicename>  only import service <servicename>, "
-		                   "ignore the rest\n");
+			"ignore the rest\n");
 	return -1;
 }
 
@@ -136,14 +139,14 @@ static char *parm_valstr(TALLOC_CTX *ctx, struct parm_struct *parm,
 		valstr = talloc_asprintf(ctx, "%s", BOOLSTR(!*(bool *)ptr));
 		break;
 	case P_ENUM:
-        	for (i = 0; parm->enum_list[i].name; i++) {
-        	        if (*(int *)ptr == parm->enum_list[i].value)
+		for (i = 0; parm->enum_list[i].name; i++) {
+			if (*(int *)ptr == parm->enum_list[i].value)
 			{
 				valstr = talloc_asprintf(ctx, "%s",
-        	                         parm->enum_list[i].name);
-        	                break;
-        	        }
-        	}
+					parm->enum_list[i].name);
+				break;
+			}
+		}
 		break;
 	case P_OCTAL: {
 		char *o = octal_string(*(int *)ptr);
@@ -719,6 +722,15 @@ static int net_conf_setparm(int argc, const char **argv)
 	param = strdup_lower(argv[1]);
 	value_str = argv[2];
 
+	if (!libnet_conf_share_exists(service)) {
+		werr = libnet_conf_create_share(service);
+		if (!W_ERROR_IS_OK(werr)) {
+			d_fprintf(stderr, "Error creating share '%s': %s\n",
+				  service, dos_errstr(werr));
+			goto done;
+		}
+	}
+
 	werr = libnet_conf_set_parameter(service, param, value_str);
 
 	if (!W_ERROR_IS_OK(werr)) {
@@ -834,15 +846,15 @@ int net_conf(int argc, const char **argv)
 		{"import", net_conf_import,
 		 "Import configuration from file in smb.conf format."},
 		{"listshares", net_conf_listshares,
-		 "List the registry shares."},
+		 "List the share names."},
 		{"drop", net_conf_drop,
-		 "Delete the complete configuration from registry."},
+		 "Delete the complete configuration."},
 		{"showshare", net_conf_showshare,
-		 "Show the definition of a registry share."},
+		 "Show the definition of a share."},
 		{"addshare", net_conf_addshare,
-		 "Create a new registry share."},
+		 "Create a new share."},
 		{"delshare", net_conf_delshare,
-		 "Delete a registry share."},
+		 "Delete a share."},
 		{"setparm", net_conf_setparm,
 		 "Store a parameter."},
 		{"getparm", net_conf_getparm,
@@ -854,9 +866,6 @@ int net_conf(int argc, const char **argv)
 
 	ret = net_run_function2(argc, argv, "net conf", func);
 
-	regdb_close();
-
-done:
 	return ret;
 }
 
diff --git a/source3/utils/net_help.c b/source3/utils/net_help.c
index 2cb601f917..908be0512a 100644
--- a/source3/utils/net_help.c
+++ b/source3/utils/net_help.c
@@ -48,6 +48,7 @@ int net_common_flags_usage(int argc, const char **argv)
 	d_printf("\t-l or --long\t\t\tDisplay full information\n");
 	d_printf("\t-V or --version\t\t\tPrint samba version information\n");
 	d_printf("\t-P or --machine-pass\t\tAuthenticate as machine account\n");
+	d_printf("\t-e or --encrypt\t\tEncrypt SMB transport (UNIX extended servers only)\n");
 	return -1;
 }
 
diff --git a/source3/utils/smbcacls.c b/source3/utils/smbcacls.c
index 958f8e255e..134f561760 100644
--- a/source3/utils/smbcacls.c
+++ b/source3/utils/smbcacls.c
@@ -822,7 +822,7 @@ static int cacl_set(struct cli_state *cli, char *filename,
 *******************************************************/
 static struct cli_state *connect_one(const char *server, const char *share)
 {
-	struct cli_state *c;
+	struct cli_state *c = NULL;
 	struct sockaddr_storage ss;
 	NTSTATUS nt_status;
 	zero_addr(&ss);
@@ -834,20 +834,33 @@ static struct cli_state *connect_one(const char *server, const char *share)
 		}
 	}
 
-	if (NT_STATUS_IS_OK(nt_status = cli_full_connection(&c, global_myname(), server, 
-							    &ss, 0,
-							    share, "?????",
-							    get_cmdline_auth_info_username(),
-							    lp_workgroup(),
-							    get_cmdline_auth_info_password(),
-							    0,
-							    get_cmdline_auth_info_signing_state(),
-							    NULL))) {
-		return c;
-	} else {
+	nt_status = cli_full_connection(&c, global_myname(), server, 
+				&ss, 0,
+				share, "?????",
+				get_cmdline_auth_info_username(),
+				lp_workgroup(),
+				get_cmdline_auth_info_password(),
+				get_cmdline_auth_info_use_kerberos() ? CLI_FULL_CONNECTION_USE_KERBEROS : 0,
+				get_cmdline_auth_info_signing_state(),
+				NULL);
+	if (!NT_STATUS_IS_OK(nt_status)) {
 		DEBUG(0,("cli_full_connection failed! (%s)\n", nt_errstr(nt_status)));
 		return NULL;
 	}
+
+	if (get_cmdline_auth_info_smb_encrypt()) {
+		nt_status = cli_cm_force_encryption(c,
+					get_cmdline_auth_info_username(),
+					get_cmdline_auth_info_password(),
+					lp_workgroup(),
+					share);
+                if (!NT_STATUS_IS_OK(nt_status)) {
+			cli_shutdown(c);
+			c = NULL;
+                }
+	}
+
+	return c;
 }
 
 /****************************************************************************
diff --git a/source3/utils/smbcquotas.c b/source3/utils/smbcquotas.c
index e6aa5e86cf..508a2dc8ca 100644
--- a/source3/utils/smbcquotas.c
+++ b/source3/utils/smbcquotas.c
@@ -380,20 +380,33 @@ static struct cli_state *connect_one(const char *share)
 		}
 	}
 
-	if (NT_STATUS_IS_OK(nt_status = cli_full_connection(&c, global_myname(), server, 
-						    &ss, 0,
-						    share, "?????",
-						    get_cmdline_auth_info_username(),
-						    lp_workgroup(),
-						    get_cmdline_auth_info_password(),
-						    0,
-						    get_cmdline_auth_info_signing_state(),
-						    NULL))) {
-		return c;
-	} else {
+	nt_status = cli_full_connection(&c, global_myname(), server, 
+					    &ss, 0,
+					    share, "?????",
+					    get_cmdline_auth_info_username(),
+					    lp_workgroup(),
+					    get_cmdline_auth_info_password(),
+					    0,
+					    get_cmdline_auth_info_signing_state(),
+					    NULL);
+	if (!NT_STATUS_IS_OK(nt_status)) {
 		DEBUG(0,("cli_full_connection failed! (%s)\n", nt_errstr(nt_status)));
 		return NULL;
 	}
+
+	if (get_cmdline_auth_info_smb_encrypt()) {
+		nt_status = cli_cm_force_encryption(c,
+					get_cmdline_auth_info_username(),
+					get_cmdline_auth_info_password(),
+					lp_workgroup(),
+					share);
+		if (!NT_STATUS_IS_OK(nt_status)) {
+			cli_shutdown(c);
+			return NULL;
+		}
+	}
+
+	return c;
 }
 
 /****************************************************************************
diff --git a/source3/utils/smbfilter.c b/source3/utils/smbfilter.c
index 912d575c60..8db969722a 100644
--- a/source3/utils/smbfilter.c
+++ b/source3/utils/smbfilter.c
@@ -114,6 +114,30 @@ static void filter_request(char *buf)
 
 }
 
+/****************************************************************************
+ Send an smb to a fd.
+****************************************************************************/
+
+static bool send_smb(int fd, char *buffer)
+{
+	size_t len;
+	size_t nwritten=0;
+	ssize_t ret;
+
+        len = smb_len(buffer) + 4;
+
+	while (nwritten < len) {
+		ret = write_data(fd,buffer+nwritten,len - nwritten);
+		if (ret <= 0) {
+			DEBUG(0,("Error writing %d bytes to client. %d. (%s)\n",
+				(int)len,(int)ret, strerror(errno) ));
+			return false;
+		}
+		nwritten += ret;
+	}
+
+	return true;
+}
 
 static void filter_child(int c, struct sockaddr_storage *dest_ss)
 {
@@ -145,7 +169,7 @@ static void filter_child(int c, struct sockaddr_storage *dest_ss)
 		if (num <= 0) continue;
 		
 		if (c != -1 && FD_ISSET(c, &fds)) {
-			if (!receive_smb(c, packet, 0, NULL)) {
+			if (!receive_smb_raw(c, packet, 0, 0, NULL)) {
 				d_printf("client closed connection\n");
 				exit(0);
 			}
@@ -156,7 +180,7 @@ static void filter_child(int c, struct sockaddr_storage *dest_ss)
 			}			
 		}
 		if (s != -1 && FD_ISSET(s, &fds)) {
-			if (!receive_smb(s, packet, 0, NULL)) {
+			if (!receive_smb_raw(s, packet, 0, 0, NULL)) {
 				d_printf("server closed connection\n");
 				exit(0);
 			}
diff --git a/source3/utils/smbget.c b/source3/utils/smbget.c
index ac662e6ace..63b7f48626 100644
--- a/source3/utils/smbget.c
+++ b/source3/utils/smbget.c
@@ -521,9 +521,11 @@ int main(int argc, const char **argv)
 	int c = 0;
 	const char *file = NULL;
 	char *rcfile = NULL;
+	bool smb_encrypt = false;
 	TALLOC_CTX *frame = talloc_stackframe();
 	struct poptOption long_options[] = {
 		{"guest", 'a', POPT_ARG_NONE, NULL, 'a', "Work as user guest" },	
+		{"encrypt", 'e', POPT_ARG_NONE, NULL, 'e', "Encrypt SMB transport (UNIX extended servers only)" },	
 		{"resume", 'r', POPT_ARG_NONE, &_resume, 0, "Automatically resume aborted files" },
 		{"recursive", 'R',  POPT_ARG_NONE, &_recursive, 0, "Recursively download files" },
 		{"username", 'u', POPT_ARG_STRING, &username, 'u', "Username to use" },
@@ -568,6 +570,9 @@ int main(int argc, const char **argv)
 		case 'a':
 			username = ""; password = "";
 			break;
+		case 'e':
+			smb_encrypt = true;
+			break;
 		}
 	}
 
@@ -586,6 +591,13 @@ int main(int argc, const char **argv)
 		return 1;
 	}
 
+	if (smb_encrypt) {
+		SMBCCTX *smb_ctx = smbc_set_context(NULL);
+		smbc_option_set(smb_ctx,
+			CONST_DISCARD(char *, "smb_encrypt_level"),
+			"require");
+	}
+	
 	columns = get_num_cols();
 
 	total_start_time = time(NULL);