From 29ca70cd34d3ba927ea1a9915ebd247f64965bd5 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 30 Jul 2003 23:49:29 +0000 Subject: Add a command line option (-S on|off|required) to enable signing on client connections. Overrides smb.conf parameter if set. Jeremy. (This used to be commit 879309671df6b530e0bff69559422a417da4a307) --- source3/auth/auth_domain.c | 2 +- source3/client/client.c | 2 ++ source3/client/smbspool.c | 2 +- source3/include/popt_common.h | 1 + source3/include/smb.h | 1 + source3/lib/popt_common.c | 25 ++++++++++++++++++++++--- source3/libsmb/cliconnect.c | 9 ++++++--- source3/libsmb/clientgen.c | 21 +++++++++++++++++++++ source3/libsmb/trusts_util.c | 2 +- source3/nsswitch/winbindd_cm.c | 3 ++- source3/python/py_common.c | 2 +- source3/rpcclient/rpcclient.c | 3 ++- source3/smbd/change_trust_pw.c | 2 +- source3/torture/locktest2.c | 2 +- source3/torture/torture.c | 4 ++-- source3/utils/net.c | 4 ++-- source3/utils/net_ads.c | 2 +- source3/utils/smbcacls.c | 3 ++- source3/utils/smbcquotas.c | 3 ++- 19 files changed, 72 insertions(+), 21 deletions(-) (limited to 'source3') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index e2fc273479..aacea261fe 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -69,7 +69,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, /* Attempt connection */ *retry = True; result = cli_full_connection(cli, global_myname(), dc_name, &dc_ip, 0, - "IPC$", "IPC", "", "", "", 0, retry); + "IPC$", "IPC", "", "", "", 0, Undefined, retry); if (!NT_STATUS_IS_OK(result)) { /* map to something more useful */ diff --git a/source3/client/client.c b/source3/client/client.c index 5319a5ebf5..e17ae82c0a 100644 --- a/source3/client/client.c +++ b/source3/client/client.c 
@@ -2529,6 +2529,8 @@ static struct cli_state *do_connect(const char *server, const char *share) c->protocol = max_protocol; c->use_kerberos = use_kerberos; + cli_setup_signing_state(c, cmdline_auth_info.signing_state); + if (!cli_session_request(c, &calling, &called)) { char *p; diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c index 68165792da..5daefec5a5 100644 --- a/source3/client/smbspool.c +++ b/source3/client/smbspool.c @@ -282,7 +282,7 @@ smb_connect(const char *workgroup, /* I - Workgroup */ get_myname(myname); nt_status = cli_full_connection(&c, myname, server, NULL, 0, share, "?????", - username, workgroup, password, 0, NULL); + username, workgroup, password, 0, Undefined, NULL); if (!NT_STATUS_IS_OK(nt_status)) { fprintf(stderr, "ERROR: Connection failed with error %s\n", nt_errstr(nt_status)); diff --git a/source3/include/popt_common.h b/source3/include/popt_common.h index 57850bf682..6db30fbc0a 100644 --- a/source3/include/popt_common.h +++ b/source3/include/popt_common.h @@ -41,6 +41,7 @@ struct user_auth_info { pstring password; BOOL got_pass; BOOL use_kerberos; + int signing_state; }; extern struct user_auth_info cmdline_auth_info; diff --git a/source3/include/smb.h b/source3/include/smb.h index 6a1d816898..deeb61034d 100644 --- a/source3/include/smb.h +++ b/source3/include/smb.h @@ -42,6 +42,7 @@ #define SMB_PORT2 139 #define SMB_PORTS "445 139" +#define Undefined (-1) #define False (0) #define True (1) #define Auto (2) diff --git a/source3/lib/popt_common.c b/source3/lib/popt_common.c index b8e77b2d9e..af1cbcfe80 100644 --- a/source3/lib/popt_common.c +++ b/source3/lib/popt_common.c 
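Review bot: `Undefined` is defined as `(-1)` next to `False`/`True`/`Auto` in smb.h with no comment, and unlike `False` it is non-zero, so a truthiness test such as `if (signing_state)` would treat "not set" as enabled. The code in this patch compares it explicitly, but the constraint belongs where the macro lives, e.g. `/* Undefined: no explicit choice made; always compare with ==, never test as a BOOL */`. The new `int signing_state;` field in popt_common.h could carry a matching one-line comment listing `Undefined`, `False`, `True` and `Required` as its values.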
@@ -258,19 +258,21 @@ static void get_credentials_file(const char *file, struct user_auth_info *info) * -A,--authentication-file * -k,--use-kerberos * -N,--no-pass + * -S,--signing */ static void popt_common_credentials_callback(poptContext con, - enum poptCallbackReason reason, - const struct poptOption *opt, - const char *arg, const void *data) + enum poptCallbackReason reason, + const struct poptOption *opt, + const char *arg, const void *data) { char *p; if (reason == POPT_CALLBACK_REASON_PRE) { cmdline_auth_info.use_kerberos = False; cmdline_auth_info.got_pass = False; + cmdline_auth_info.signing_state = Undefined; pstrcpy(cmdline_auth_info.username, "GUEST"); if (getenv("LOGNAME"))pstrcpy(cmdline_auth_info.username,getenv("LOGNAME")); @@ -327,6 +329,22 @@ static void popt_common_credentials_callback(poptContext con, cmdline_auth_info.got_pass = True; #endif break; + + case 'S': + { + cmdline_auth_info.signing_state = -1; + if (strequal(arg, "off") || strequal(arg, "no") || strequal(arg, "false")) + cmdline_auth_info.signing_state = False; + else if (strequal(arg, "on") || strequal(arg, "yes") || strequal(arg, "true")) + cmdline_auth_info.signing_state = True; + else if (strequal(arg, "force") || strequal(arg, "required") || strequal(arg, "forced")) + cmdline_auth_info.signing_state = Required; + else { + fprintf(stderr, "Unknown signing option %s\n", arg ); + exit(1); + } + } + break; } } @@ -338,5 +356,6 @@ struct poptOption popt_common_credentials[] = { { "no-pass", 'N', POPT_ARG_NONE, &cmdline_auth_info.got_pass, 0, "Don't ask for a password" }, { "kerberos", 'k', POPT_ARG_NONE, &cmdline_auth_info.use_kerberos, 'k', "Use kerberos (active directory) authentication" }, { "authentication-file", 'A', POPT_ARG_STRING, NULL, 'A', "Get the credentials from a file", "FILE" }, + { "signing", 'S', POPT_ARG_STRING, NULL, 'S', "Set the client signing state", "on|off|required" }, POPT_TABLEEND }; 
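Review bot: In the new `case 'S'` branch the first statement, `cmdline_auth_info.signing_state = -1;`, is a dead store written with a bare literal: every path below it either assigns a value or calls `exit(1)`, and the PRE callback has already set the field to `Undefined`. I would drop the line, or write `cmdline_auth_info.signing_state = Undefined;` so the sentinel is named consistently. The parser also accepts `yes`/`no`/`true`/`false`/`force`/`forced`, which the help string `on|off|required` in the option table does not mention. Because `-S off` replaces a stricter smb.conf setting for that invocation, a comment at the case such as `/* -S overrides 'client signing' from smb.conf, including turning it off */` would make the security effect explicit. The callback body starts and ends outside this hunk.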
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 8873c1fdc8..94fe04a480 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -995,7 +995,7 @@ BOOL cli_negprot(struct cli_state *cli) cli->protocol = prots[SVAL(cli->inbuf,smb_vwv0)].prot; - if ((cli->protocol < PROTOCOL_NT1) && (lp_client_signing() == Required)) { + if ((cli->protocol < PROTOCOL_NT1) && cli->sign_info.mandatory_signing) { DEBUG(1,("cli_negprot: SMB signing is mandatory and the selected protocol level doesn't support it.\n")); return False; } @@ -1026,7 +1026,7 @@ BOOL cli_negprot(struct cli_state *cli) if ((cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED)) { /* Fail if signing is mandatory and we don't want to support it. */ - if (!lp_client_signing()) { + if (!cli->sign_info.allow_smb_signing) { DEBUG(1,("cli_negprot: SMB signing is mandatory and we have disabled it.\n")); return False; } @@ -1259,6 +1259,7 @@ NTSTATUS cli_full_connection(struct cli_state **output_cli, const char *service, const char *service_type, const char *user, const char *domain, const char *password, int flags, + int signing_state, BOOL *retry) { struct ntuser_creds creds; @@ -1321,6 +1322,8 @@ again: return NT_STATUS_UNSUCCESSFUL; } + cli_setup_signing_state(cli, signing_state); + if (flags & CLI_FULL_CONNECTION_DONT_SPNEGO) cli->use_spnego = False; else if (flags & CLI_FULL_CONNECTION_USE_KERBEROS) @@ -1491,7 +1494,7 @@ struct cli_state *get_ipc_connect(char *server, struct in_addr *server_ip, nt_status = cli_full_connection(&cli, myname, server, server_ip, 0, "IPC$", "IPC", user_info->username, lp_workgroup(), user_info->password, - CLI_FULL_CONNECTION_ANNONYMOUS_FALLBACK, NULL); + CLI_FULL_CONNECTION_ANNONYMOUS_FALLBACK, Undefined, NULL); if (NT_STATUS_IS_OK(nt_status)) { return cli; diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c index cd9edb1cc9..cdda2eb224 100644 --- a/source3/libsmb/clientgen.c +++ b/source3/libsmb/clientgen.c 
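Review bot: Both cli_negprot checks now depend on per-connection fields that nothing in this patch shows being seeded from smb.conf: `cli->sign_info.mandatory_signing` in the protocol-level test here, and `cli->sign_info.allow_smb_signing` in the `NEGOTIATE_SECURITY_SIGNATURES_REQUIRED` test in the next hunk. Callers that pass `Undefined` leave the fields untouched, so if the "Initialise a client structure" routine in clientgen.c (body not in this patch) does not copy `lp_client_signing()` into them, a configured `Required` would stop rejecting a pre-NT1 protocol. Please confirm that initialisation, and add a comment at the first check such as `/* sign_info is seeded from lp_client_signing() at init and may be overridden by cli_setup_signing_state() */`. cli_negprot's body extends beyond both hunks.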
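Review bot: The new `int signing_state` argument of cli_full_connection sits directly after `int flags`, so a call that swaps the two compiles without a diagnostic. With the common pair `0, Undefined`, a swap would pass -1 as the flag mask and `False` as the signing state, which cli_setup_signing_state treats as signing disabled. The function's header comment (outside this hunk) should document the parameter with a line such as `signing_state: Undefined keeps the smb.conf setting; False/True/Required override it`. A quick audit of the updated call sites for argument order is worthwhile, since the compiler cannot help here.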
@@ -208,6 +208,27 @@ void cli_init_creds(struct cli_state *cli, const struct ntuser_creds *usr) cli->user_name, cli->domain)); } +/**************************************************************************** + Set the signing state (used from the command line). +****************************************************************************/ + +void cli_setup_signing_state(struct cli_state *cli, int signing_state) +{ + if (signing_state == Undefined) + return; + + if (signing_state == False) { + cli->sign_info.allow_smb_signing = False; + cli->sign_info.mandatory_signing = False; + return; + } + + cli->sign_info.allow_smb_signing = True; + + if (signing_state == Required) + cli->sign_info.mandatory_signing = True; +} + /**************************************************************************** Initialise a client structure. ****************************************************************************/ diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c index 77e63709aa..610f4b3c03 100644 --- a/source3/libsmb/trusts_util.c +++ b/source3/libsmb/trusts_util.c @@ -154,7 +154,7 @@ BOOL enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain, /* setup the anonymous connection */ result = cli_full_connection( &cli, global_myname(), dc_name, &dc_ip, 0, "IPC$", "IPC", - "", "", "", 0, &retry); + "", "", "", 0, Undefined, &retry); if ( !NT_STATUS_IS_OK(result) ) goto done; diff --git a/source3/nsswitch/winbindd_cm.c b/source3/nsswitch/winbindd_cm.c index f9da38660d..dbc3062edd 100644 --- a/source3/nsswitch/winbindd_cm.c +++ b/source3/nsswitch/winbindd_cm.c 
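Review bot: cli_setup_signing_state is asymmetric: `False` clears both `allow_smb_signing` and `mandatory_signing`, but `True` only sets `allow_smb_signing` and never clears `mandatory_signing`. A connection already marked mandatory (presumably from smb.conf) therefore stays mandatory under `-S on`, although the commit message says the option overrides smb.conf. That direction fails closed, so if it is intended the header comment should say so, e.g. `/* 'on' never relaxes an existing mandatory setting; only 'off' clears it */`. If a full override is wanted instead, the final `if` becomes `cli->sign_info.mandatory_signing = (signing_state == Required);`. Any other value, such as `Auto`, falls through and is treated as "on", which the comment should also state.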
@@ -152,7 +152,8 @@ static NTSTATUS cm_open_connection(const char *domain, const int pipe_index, result = cli_full_connection(&new_conn->cli, global_myname(), new_conn->controller, &dc_ip, 0, "IPC$", "IPC", ipc_username, ipc_domain, - ipc_password, CLI_FULL_CONNECTION_ANNONYMOUS_FALLBACK, &retry); + ipc_password, CLI_FULL_CONNECTION_ANNONYMOUS_FALLBACK, + Undefined, &retry); secrets_named_mutex_release(new_conn->controller); diff --git a/source3/python/py_common.c b/source3/python/py_common.c index ea092d9370..02d22bbdab 100644 --- a/source3/python/py_common.c +++ b/source3/python/py_common.c @@ -223,7 +223,7 @@ struct cli_state *open_pipe_creds(char *server, PyObject *creds, result = cli_full_connection( &cli, NULL, server, NULL, 0, "IPC$", "IPC", - username, domain, password, 0, NULL); + username, domain, password, 0, Undefined, NULL); if (!NT_STATUS_IS_OK(result)) { *errstr = strdup("error connecting to IPC$ pipe"); diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c index b4c4d2a9cb..831d2beaa4 100644 --- a/source3/rpcclient/rpcclient.c +++ b/source3/rpcclient/rpcclient.c @@ -726,7 +726,8 @@ out_free: opt_ipaddr ? &server_ip : NULL, 0, "IPC$", "IPC", cmdline_auth_info.username, lp_workgroup(), - cmdline_auth_info.password, 0, NULL); + cmdline_auth_info.password, 0, + cmdline_auth_info.signing_state,NULL); if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0,("Cannot connect to server. Error was %s\n", nt_errstr(nt_status))); diff --git a/source3/smbd/change_trust_pw.c b/source3/smbd/change_trust_pw.c index 4993e285ca..2eff77b1f7 100644 --- a/source3/smbd/change_trust_pw.c +++ b/source3/smbd/change_trust_pw.c @@ -58,7 +58,7 @@ NTSTATUS change_trust_account_password( const char *domain, const char *remote_m NULL, 0, "IPC$", "IPC", "", "", - "", 0, NULL))) + "", 0, Undefined, NULL))) { DEBUG(0,("modify_trust_password: Connection to %s failed!\n", remote_machine)); nt_status = NT_STATUS_UNSUCCESSFUL; 
diff --git a/source3/torture/locktest2.c b/source3/torture/locktest2.c index 29b3c7c4b2..5fbaf9ec58 100644 --- a/source3/torture/locktest2.c +++ b/source3/torture/locktest2.c @@ -177,7 +177,7 @@ static struct cli_state *connect_one(char *share) nt_status = cli_full_connection(&c, myname, server_n, NULL, 0, share, "?????", username, lp_workgroup(), password, 0, - NULL); + Undefined, NULL); if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0, ("cli_full_connection failed with error %s\n", nt_errstr(nt_status))); diff --git a/source3/torture/torture.c b/source3/torture/torture.c index 0be79d04a9..d20c48d645 100644 --- a/source3/torture/torture.c +++ b/source3/torture/torture.c @@ -159,7 +159,7 @@ BOOL torture_open_connection(struct cli_state **c) host, NULL, port_to_use, share, "?????", username, workgroup, - password, flags, &retry); + password, flags, Undefined, &retry); if (!NT_STATUS_IS_OK(status)) { return False; } @@ -1128,7 +1128,7 @@ static BOOL run_tcon_devtype_test(int dummy) host, NULL, port_to_use, NULL, NULL, username, workgroup, - password, flags, &retry); + password, flags, Undefined, &retry); if (!NT_STATUS_IS_OK(status)) { printf("could not open connection\n"); diff --git a/source3/utils/net.c b/source3/utils/net.c index a22d34a720..8f6b09a3fa 100644 --- a/source3/utils/net.c +++ b/source3/utils/net.c @@ -141,7 +141,7 @@ NTSTATUS connect_to_ipc(struct cli_state **c, struct in_addr *server_ip, server_ip, opt_port, "IPC$", "IPC", opt_user_name, opt_workgroup, - opt_password, 0, NULL); + opt_password, 0, Undefined, NULL); if (NT_STATUS_IS_OK(nt_status)) { return nt_status; @@ -171,7 +171,7 @@ NTSTATUS connect_to_ipc_anonymous(struct cli_state **c, server_ip, opt_port, "IPC$", "IPC", "", "", - "", 0, NULL); + "", 0, Undefined, NULL); if (NT_STATUS_IS_OK(nt_status)) { return nt_status; diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c index edf5ec37c2..631e235127 100644 --- a/source3/utils/net_ads.c +++ b/source3/utils/net_ads.c 
@@ -848,7 +848,7 @@ static int net_ads_printer_publish(int argc, const char **argv) opt_user_name, opt_workgroup, opt_password ? opt_password : "", CLI_FULL_CONNECTION_USE_KERBEROS, - NULL); + Undefined, NULL); if (NT_STATUS_IS_ERR(nt_status)) { d_printf("Unable to open a connnection to %s to obtain data " diff --git a/source3/utils/smbcacls.c b/source3/utils/smbcacls.c index 69dc2dd47a..c90c042106 100644 --- a/source3/utils/smbcacls.c +++ b/source3/utils/smbcacls.c @@ -724,7 +724,8 @@ static struct cli_state *connect_one(const char *share) &ip, 0, share, "?????", cmdline_auth_info.username, lp_workgroup(), - cmdline_auth_info.password, 0, NULL))) { + cmdline_auth_info.password, 0, + cmdline_auth_info.signing_state, NULL))) { return c; } else { DEBUG(0,("cli_full_connection failed! (%s)\n", nt_errstr(nt_status))); diff --git a/source3/utils/smbcquotas.c b/source3/utils/smbcquotas.c index 9c7379ca2a..64321d5bfc 100644 --- a/source3/utils/smbcquotas.c +++ b/source3/utils/smbcquotas.c @@ -371,7 +371,8 @@ static struct cli_state *connect_one(const char *share) &ip, 0, share, "?????", cmdline_auth_info.username, lp_workgroup(), - cmdline_auth_info.password, 0, NULL))) { + cmdline_auth_info.password, 0, + cmdline_auth_info.signing_state, NULL))) { return c; } else { DEBUG(0,("cli_full_connection failed! (%s)\n", nt_errstr(nt_status))); -- cgit