From 7f1fbf7c1e0d23df95e8fd5ef24e43cb429b765c Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 16 Aug 2013 11:45:43 -0700 Subject: [PATCH 01/11] Remove restrictions on setting iosize inside smbclient for SMB2 connections. Signed-off-by: Jeremy Allison --- source3/client/client.c | 40 +++++++++++++++++++++++----------------- 1 file changed, 23 insertions(+), 17 deletions(-) diff --git a/source3/client/client.c b/source3/client/client.c index d302d43..ad4a875 100644 --- a/source3/client/client.c +++ b/source3/client/client.c 
@@ -4528,29 +4528,35 @@ int cmd_iosize(void) int iosize; if (!next_token_talloc(ctx, &cmd_ptr,&buf,NULL)) { - if (!smb_encrypt) { - d_printf("iosize or iosize 0x. " - "Minimum is 16384 (0x4000), " - "max is 16776960 (0xFFFF00)\n"); + if (smbXcli_conn_protocol(cli->conn) < PROTOCOL_SMB2_02) { + if (!smb_encrypt) { + d_printf("iosize or iosize 0x. " + "Minimum is 0 (default), " + "max is 16776960 (0xFFFF00)\n"); + } else { + d_printf("iosize or iosize 0x. " + "(Encrypted connection) ," + "Minimum is 0 (default), " + "max is 130048 (0x1FC00)\n"); + } } else { - d_printf("iosize or iosize 0x. " - "(Encrypted connection) ," - "Minimum is 16384 (0x4000), " - "max is 130048 (0x1FC00)\n"); + d_printf("iosize or iosize 0x.\n"); } return 1; } iosize = strtol(buf,NULL,0); - if (smb_encrypt && (iosize < 0x4000 || iosize > 0xFC00)) { - d_printf("iosize out of range for encrypted " - "connection (min = 16384 (0x4000), " - "max = 130048 (0x1FC00)"); - return 1; - } else if (!smb_encrypt && (iosize < 0x4000 || iosize > 0xFFFF00)) { - d_printf("iosize out of range (min = 16384 (0x4000), " - "max = 16776960 (0xFFFF00)"); - return 1; + if (smbXcli_conn_protocol(cli->conn) < PROTOCOL_SMB2_02) { + if (smb_encrypt && (iosize < 0 || iosize > 0xFC00)) { + d_printf("iosize out of range for encrypted " + "connection (min = 0 (default), " + "max = 130048 (0x1FC00)"); + return 1; + } else if (!smb_encrypt && (iosize < 0 || iosize > 0xFFFF00)) { + d_printf("iosize out of range (min = 0 (default), " + "max = 16776960 (0xFFFF00)"); + return 1; + } } io_bufsize = iosize; -- 1.8.1.2 From ec163f1a377d0df2e68b94de0da1d0d80b6dc75c Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 16 Aug 2013 10:44:34 -0700 Subject: [PATCH 02/11] As SMB3 has transport level encryption, allow smbclient -e to force encryted SMB3 transport. 
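Review bot: For SMB2 and later connections the range check is now skipped entirely, so `io_bufsize = iosize` accepts a negative value, or whatever `strtol(buf,NULL,0)` yields for non-numeric input, narrowed from long to int. A lower bound should apply on every protocol, for example `if (iosize < 0) { d_printf("iosize must not be negative\n"); return 1; }` placed before the protocol test. In the SMB1 encrypted branch the code compares against `0xFC00` while both messages print the maximum as 130048 (0x1FC00); one of the two is wrong and should be reconciled. cmd_iosize starts and ends outside this hunk.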
Signed-off-by: Jeremy Allison --- libcli/smb/smbXcli_base.c | 21 +++++++++++++++++++++ libcli/smb/smbXcli_base.h | 1 + source3/libsmb/clidfs.c | 18 +++++++++++++++++- 3 files changed, 39 insertions(+), 1 deletion(-) diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c index 1176bb8..8cbf27a 100644 --- a/libcli/smb/smbXcli_base.c +++ b/libcli/smb/smbXcli_base.c @@ -4949,6 +4949,27 @@ NTSTATUS smb2cli_session_set_channel_key(struct smbXcli_session *session, return NT_STATUS_OK; } +NTSTATUS smb2cli_session_encryption_on(struct smbXcli_session *session) +{ + if (session->smb2->should_encrypt) { + return NT_STATUS_OK; + } + + if (session->conn->protocol < PROTOCOL_SMB2_24) { + return NT_STATUS_NOT_SUPPORTED; + } + + if (!(session->conn->smb2.server.capabilities & SMB2_CAP_ENCRYPTION)) { + return NT_STATUS_NOT_SUPPORTED; + } + + if (session->smb2->signing_key.data == NULL) { + return NT_STATUS_NOT_SUPPORTED; + } + session->smb2->should_encrypt = true; + return NT_STATUS_OK; +} + struct smbXcli_tcon *smbXcli_tcon_create(TALLOC_CTX *mem_ctx) { struct smbXcli_tcon *tcon; diff --git a/libcli/smb/smbXcli_base.h b/libcli/smb/smbXcli_base.h index a7cfcc3..3d93427 100644 --- a/libcli/smb/smbXcli_base.h +++ b/libcli/smb/smbXcli_base.h @@ -294,6 +294,7 @@ NTSTATUS smb2cli_session_create_channel(TALLOC_CTX *mem_ctx, NTSTATUS smb2cli_session_set_channel_key(struct smbXcli_session *session, const DATA_BLOB channel_key, const struct iovec *recv_iov); +NTSTATUS smb2cli_session_encryption_on(struct smbXcli_session *session); struct smbXcli_tcon *smbXcli_tcon_create(TALLOC_CTX *mem_ctx); uint16_t smb1cli_tcon_current_id(struct smbXcli_tcon *tcon); diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c index 1d92843..57126e6 100644 --- a/source3/libsmb/clidfs.c +++ b/source3/libsmb/clidfs.c 
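Review bot: smb2cli_session_encryption_on() returns `NT_STATUS_NOT_SUPPORTED` for three different conditions (dialect below `PROTOCOL_SMB2_24`, server without `SMB2_CAP_ENCRYPTION`, and a session with no signing key), so a caller cannot tell a server limitation from a session that has no key material. The caller added in source3/libsmb/clidfs.c prints "server doesn't support SMB3 encryption" for all three, which is misleading when the cause is the missing key or a max protocol set below SMB3. Consider a distinct status for the `signing_key.data == NULL` case. A header comment would also help, such as `/* Enable SMB3 transport encryption on this session; fails unless the dialect, server capability and session key all allow it. */`.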
@@ -48,7 +48,23 @@ NTSTATUS cli_cm_force_encryption(struct cli_state *c, const char *domain, const char *sharename) { - NTSTATUS status = cli_force_encryption(c, + NTSTATUS status; + + if (smbXcli_conn_protocol(c->conn) >= PROTOCOL_SMB2_02) { + status = smb2cli_session_encryption_on(c->smb2.session); + if (NT_STATUS_EQUAL(status,NT_STATUS_NOT_SUPPORTED)) { + d_printf("Encryption required and " + "server doesn't support " + "SMB3 encryption - failing connect\n"); + } else if (!NT_STATUS_IS_OK(status)) { + d_printf("Encryption required and " + "setup failed with error %s.\n", + nt_errstr(status)); + } + return status; + } + + status = cli_force_encryption(c, username, password, domain); -- 1.8.1.2 From a7b00ff7f9a3bd476d203c29de21d3b48b0bdd63 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 16 Aug 2013 13:49:39 -0700 Subject: [PATCH 03/11] Add new "timeout" command and -t option to smbclient to set the per-operation timeout. This is needed as once SMB3 encryption is selected the server response time can be very slow when requesting large numbers (256) of large encrypted packets (1MB) from a Windows 2012 virtual machine. This allows clients to tune their allowable wait time. Signed-off-by: Jeremy Allison --- source3/client/client.c | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/source3/client/client.c b/source3/client/client.c index ad4a875..581b9c6 100644 --- a/source3/client/client.c +++ b/source3/client/client.c @@ -56,6 +56,7 @@ static char *cmdstr = NULL; const char *cmd_ptr = NULL; static int io_bufsize = 0; /* we use the default size */ +static int io_timeout = (CLIENT_TIMEOUT/1000); /* Per operation timeout (in seconds). */ static int name_type = 0x20; static int max_protocol = -1; 
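Review bot: The SMB2 branch passes `c->smb2.session` straight to smb2cli_session_encryption_on(), which dereferences `session->smb2` and `session->conn` without a NULL check. Whether the session is always established before cli_cm_force_encryption() runs is not visible in this hunk; if it is not guaranteed, guard it with `if (c->smb2.session == NULL) { return NT_STATUS_INVALID_PARAMETER; }`. A short comment that the early `return status;` is deliberate, so an SMB2+ connection never falls through to cli_force_encryption(), would also help. The function continues outside the hunk.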
@@ -4565,6 +4566,31 @@ int cmd_iosize(void) } /**************************************************************************** + timeout command +***************************************************************************/ + +static int cmd_timeout(void) +{ + TALLOC_CTX *ctx = talloc_tos(); + char *buf; + + if (!next_token_talloc(ctx, &cmd_ptr,&buf,NULL)) { + unsigned int old_timeout = cli_set_timeout(cli, 0); + cli_set_timeout(cli, old_timeout); + d_printf("timeout (per-operation timeout " + "in seconds - currently %u).\n", + old_timeout/1000); + return 1; + } + + io_timeout = strtol(buf,NULL,0); + cli_set_timeout(cli, io_timeout*1000); + d_printf("io_timeout per operation is now %d\n", io_timeout); + return 0; +} + + +/**************************************************************************** history ****************************************************************************/ static int cmd_history(void) @@ -4672,6 +4698,7 @@ static struct { {"symlink",cmd_symlink," create a UNIX symlink",{COMPL_REMOTE,COMPL_REMOTE}}, {"tar",cmd_tar,"tar [IXFqbgNan] current directory to/from ",{COMPL_NONE,COMPL_NONE}}, {"tarmode",cmd_tarmode," tar's behaviour towards archive bits",{COMPL_NONE,COMPL_NONE}}, + {"timeout",cmd_timeout,"timeout - set the per-operation timeout in seconds (default 20)",{COMPL_NONE,COMPL_NONE}}, {"translate",cmd_translate,"toggle text translation for printing",{COMPL_NONE,COMPL_NONE}}, {"unlock",cmd_unlock,"unlock : remove a POSIX lock",{COMPL_REMOTE,COMPL_REMOTE}}, {"volume",cmd_volume,"print the volume name",{COMPL_NONE,COMPL_NONE}}, @@ -4775,6 +4802,7 @@ static int process_command_string(const char *cmd_in) if (!NT_STATUS_IS_OK(status)) { return 1; } + cli_set_timeout(cli, io_timeout*1000); } while (cmd[0] != '\0') { @@ -5202,6 +5230,8 @@ static int process(const char *base_directory) return 1; } + cli_set_timeout(cli, io_timeout*1000); + if (base_directory && *base_directory) { rc = do_cd(base_directory); if (rc) { 
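Review bot: cmd_timeout stores `strtol(buf,NULL,0)` into the int `io_timeout` and multiplies it by 1000 with no validation, so a negative, non-numeric or very large argument reaches `cli_set_timeout()` as a wrapped or overflowed value (signed overflow is undefined behaviour). The same unchecked `io_timeout*1000` appears in the process_command_string, process, do_host_query, do_tar_op and do_message_op hunks, and the `-t` option writes `io_timeout` directly, so the check belongs where the value is set. The sketch below parses with an end pointer and bounds the value before converting. Whether 0 should be accepted depends on cli_set_timeout() semantics that are not visible here.

```c
static int cmd_timeout(void)
{
	/* … unchanged: ctx/buf declarations and the no-argument usage branch … */
	char *end = NULL;
	long secs;

	errno = 0;
	secs = strtol(buf, &end, 0);
	if (errno != 0 || end == buf || *end != '\0' ||
	    secs < 0 || secs > INT_MAX / 1000) {
		d_printf("timeout: invalid value '%s'\n", buf);
		return 1;
	}
	io_timeout = (int)secs;
	cli_set_timeout(cli, io_timeout*1000);
	/* … unchanged: confirmation d_printf and return 0 … */
```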
@@ -5236,6 +5266,7 @@ static int do_host_query(const char *query_host) return 1; } + cli_set_timeout(cli, io_timeout*1000); browse_host(true); /* Ensure that the host can do IPv4 */ @@ -5271,6 +5302,7 @@ static int do_host_query(const char *query_host) return 1; } + cli_set_timeout(cli, io_timeout*1000); list_servers(lp_workgroup()); cli_shutdown(cli); @@ -5297,6 +5329,7 @@ static int do_tar_op(const char *base_directory) if (!NT_STATUS_IS_OK(status)) { return 1; } + cli_set_timeout(cli, io_timeout*1000); } recurse=true; @@ -5332,6 +5365,7 @@ static int do_message_op(struct user_auth_info *a_info) return 1; } + cli_set_timeout(cli, io_timeout*1000); send_message(get_cmdline_auth_info_username(a_info)); cli_shutdown(cli); @@ -5368,6 +5402,7 @@ static int do_message_op(struct user_auth_info *a_info) { "directory", 'D', POPT_ARG_STRING, NULL, 'D', "Start from directory", "DIR" }, { "command", 'c', POPT_ARG_STRING, &cmdstr, 'c', "Execute semicolon separated commands" }, { "send-buffer", 'b', POPT_ARG_INT, &io_bufsize, 'b', "Changes the transmit/send buffer", "BYTES" }, + { "timeout", 't', POPT_ARG_INT, &io_timeout, 'b', "Changes the per-operation timeout", "SECONDS" }, { "port", 'p', POPT_ARG_INT, &port, 'p', "Port to connect to", "PORT" }, { "grepable", 'g', POPT_ARG_NONE, NULL, 'g', "Produce grepable output" }, { "browse", 'B', POPT_ARG_NONE, NULL, 'B', "Browse SMB servers using DNS" }, -- 1.8.1.2 From c89f9d57da8e316892aeb674a736e25f9e06d0ba Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 16 Aug 2013 16:44:14 -0700 Subject: [PATCH 04/11] Add "max protocol" command line documentation for smbcacls. Signed-off-by: Jeremy Allison --- docs-xml/manpages/smbcacls.1.xml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/docs-xml/manpages/smbcacls.1.xml b/docs-xml/manpages/smbcacls.1.xml index a292368..39815a0 100644 --- a/docs-xml/manpages/smbcacls.1.xml +++ b/docs-xml/manpages/smbcacls.1.xml 
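Review bot: The new `timeout` entry in the popt table reuses `'b'` as its val, which is the value already used by `send-buffer` on the line above, so the option loop cannot tell the two apart; it should read `{ "timeout", 't', POPT_ARG_INT, &io_timeout, 't', "Changes the per-operation timeout", "SECONDS" },`. The parsed value is also written straight into `io_timeout` with no range check before the `io_timeout*1000` calls added in this file, so a negative or oversized `-t` should be rejected once option parsing finishes.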
@@ -33,6 +33,7 @@ -U username -h -d + -m|--max-protocol LEVEL @@ -139,6 +140,19 @@ + -m|--max-protocol PROTOCOL_NAME + This allows the user to select the + highest SMB protocol level that smbcacls will use to + connect to the server. By default this is set to + NT1, which is the highest available SMB1 protocol. + To connect using SMB2 or SMB3 protocol, use the + strings SMB2 or SMB3 respectively. Note that to connect + to a Windows 2012 server with encrypted transport selecting + a max-protocol of SMB3 is required. + + + + -t|--test-args Don't actually do anything, only validate the correctness of -- 1.8.1.2 From 1c8233af730550181ee8537b588dffa6a91ecca4 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 16 Aug 2013 16:45:26 -0700 Subject: [PATCH 05/11] Add "-e" encrypt transport command line option documentation for smbcacls. Signed-off-by: Jeremy Allison --- docs-xml/manpages/smbcacls.1.xml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/docs-xml/manpages/smbcacls.1.xml b/docs-xml/manpages/smbcacls.1.xml index 39815a0..f8816ad 100644 --- a/docs-xml/manpages/smbcacls.1.xml +++ b/docs-xml/manpages/smbcacls.1.xml @@ -33,6 +33,7 @@ -U username -h -d + -e -m|--max-protocol LEVEL @@ -140,6 +141,18 @@ + -e + This command line parameter requires the remote + server support the UNIX extensions or that the SMB3 protocol has been selected. + Requests that the connection be encrypted. Negotiates SMB encryption using either + SMB3 or POSIX extensions via GSSAPI. Uses the given credentials for + the encryption negotiation (either kerberos or NTLMv1/v2 if given + domain/username/password triple. Fails the connection if encryption + cannot be negotiated. + + + + -m|--max-protocol PROTOCOL_NAME This allows the user to select the highest SMB protocol level that smbcacls will use to -- 1.8.1.2 From ce828c017c2f43f73992cf17c6dd1d71c067fa82 Mon Sep 17 00:00:00 2001 
From: Jeremy Allison Date: Fri, 16 Aug 2013 16:47:13 -0700 Subject: [PATCH 06/11] Expand on the documentation of -m max-protocol for SMB2/3 for smbclient. Signed-off-by: Jeremy Allison --- docs-xml/manpages/smbclient.1.xml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/docs-xml/manpages/smbclient.1.xml b/docs-xml/manpages/smbclient.1.xml index 5465edd..ad465b8 100644 --- a/docs-xml/manpages/smbclient.1.xml +++ b/docs-xml/manpages/smbclient.1.xml @@ -256,7 +256,14 @@ -m|--max-protocol protocol - This parameter sets the maximum protocol version announced by the client. + This allows the user to select the + highest SMB protocol level that smbclient will use to + connect to the server. By default this is set to + NT1, which is the highest available SMB1 protocol. + To connect using SMB2 or SMB3 protocol, use the + strings SMB2 or SMB3 respectively. Note that to connect + to a Windows 2012 server with encrypted transport selecting + a max-protocol of SMB3 is required. -- 1.8.1.2 From 80146802d12cefbd6c5ea75b5f9c215dfdc8af45 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 16 Aug 2013 16:48:18 -0700 Subject: [PATCH 07/11] Fix the documentation for --send-buffersize for the new default value of zero for smbclient. Signed-off-by: Jeremy Allison --- docs-xml/manpages/smbclient.1.xml | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/docs-xml/manpages/smbclient.1.xml b/docs-xml/manpages/smbclient.1.xml index ad465b8..2a8b5ea 100644 --- a/docs-xml/manpages/smbclient.1.xml +++ b/docs-xml/manpages/smbclient.1.xml 
@@ -316,10 +316,16 @@ -b|--send-buffer buffersize - This option changes the transmit/send buffer - size when getting or putting a file from/to the server. The default - is 65520 bytes. Setting this value smaller (to 1200 bytes) has been - observed to speed up file transfers to and from a Win9x server. + + When sending or receiving files, smbclient uses an + internal buffer sized by the maximum number of allowed requests + to the connected server. This command allows this size to be set to any + range between 0 (which means use the default server controlled size) bytes + and 16776960 (0xFFFF00) bytes. Using the server controlled size is the + most efficient as smbclient will pipeline as many simultaneous reads or + writes needed to keep the server as busy as possible. Setting this to + any other size will slow down the transfer. This can also be set + using the iosize command inside smbclient. -- 1.8.1.2 From 488fbd653656de98cf4f5caab3bc980a19ab5a4b Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 16 Aug 2013 16:49:41 -0700 Subject: [PATCH 08/11] Fix the documentation of the iosize command to explain the new zero default for smbclient. Signed-off-by: Jeremy Allison --- docs-xml/manpages/smbclient.1.xml | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/docs-xml/manpages/smbclient.1.xml b/docs-xml/manpages/smbclient.1.xml index 2a8b5ea..3a3c4df 100644 --- a/docs-xml/manpages/smbclient.1.xml +++ b/docs-xml/manpages/smbclient.1.xml 
@@ -707,12 +707,15 @@ iosize <bytes> - When sending or receiving files, smbclient uses an - internal memory buffer by default of size 64512 bytes. This command - allows this size to be set to any range between 16384 (0x4000) bytes - and 16776960 (0xFFFF00) bytes. Larger sizes may mean more efficient - data transfer as smbclient will try and use the most efficient - read and write calls for the connected server. + + When sending or receiving files, smbclient uses an + internal buffer sized by the maximum number of allowed requests + to the connected server. This command allows this size to be set to any + range between 0 (which means use the default server controlled size) bytes + and 16776960 (0xFFFF00) bytes. Using the server controlled size is the + most efficient as smbclient will pipeline as many simultaneous reads or + writes needed to keep the server as busy as possible. Setting this to + any other size will slow down the transfer. -- 1.8.1.2 From 1e54a2264bb657d4334b6a2ecf5139e59f10a4c1 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 16 Aug 2013 16:53:45 -0700 Subject: [PATCH 09/11] Fix the documentation of --encrypt to explain SMB3 encryption for smbclient. Signed-off-by: Jeremy Allison --- docs-xml/manpages/smbclient.1.xml | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/docs-xml/manpages/smbclient.1.xml b/docs-xml/manpages/smbclient.1.xml index 3a3c4df..c3fe1d7 100644 --- a/docs-xml/manpages/smbclient.1.xml +++ b/docs-xml/manpages/smbclient.1.xml 
@@ -331,13 +331,14 @@ -e|--encrypt - This command line parameter requires the remote - server support the UNIX extensions. Request that the connection be - encrypted. This is new for Samba 3.2 and will only work with Samba - 3.2 or above servers. Negotiates SMB encryption using GSSAPI. Uses - the given credentials for the encryption negotiation (either kerberos - or NTLMv1/v2 if given domain/username/password triple. Fails the - connection if encryption cannot be negotiated. + + This command line parameter requires the remote + server support the UNIX extensions or that the SMB3 protocol has been selected. + Requests that the connection be encrypted. Negotiates SMB encryption using either + SMB3 or POSIX extensions via GSSAPI. Uses the given credentials for + the encryption negotiation (either kerberos or NTLMv1/v2 if given + domain/username/password triple. Fails the connection if encryption + cannot be negotiated. -- 1.8.1.2 From 84b66bf481f1d8c97d63e87629c54ed65ca20524 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 16 Aug 2013 16:56:22 -0700 Subject: [PATCH 10/11] Add documentation for the new -t parameter in smbclient. Signed-off-by: Jeremy Allison --- docs-xml/manpages/smbclient.1.xml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/docs-xml/manpages/smbclient.1.xml b/docs-xml/manpages/smbclient.1.xml index c3fe1d7..06ca817 100644 --- a/docs-xml/manpages/smbclient.1.xml +++ b/docs-xml/manpages/smbclient.1.xml @@ -37,6 +37,7 @@ -p port -R <name resolve order> -s <smb config file> + -t <per-operation timeout in seconds> -k -P -c <command> @@ -67,6 +68,7 @@ -p port -R <name resolve order> -s <smb config file> + -t <per-operation timeout in seconds> -T<c|x>IXFqgbNan -k 
@@ -348,6 +350,18 @@ &popt.common.connection; + -t|--timeout <timeout-seconds> + This allows the user to tune the default + timeout used for each SMB request. The default setting is + 20 seconds. Increase it if requests to the server sometimes + time out. This can happen when SMB3 encryption is selected + and smbclient is overwhelming the server with requests. + This can also be set using the timeout + command inside smbclient. + + + + -T|--tar tar options smbclient may be used to create tar(1) compatible backups of all the files on an SMB/CIFS -- 1.8.1.2 From f1f72eb153d574193525f6f2e6e50ee67ca20ae4 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 16 Aug 2013 16:57:34 -0700 Subject: [PATCH 11/11] Add documentation for the new internal command timeout to smbclient. Signed-off-by: Jeremy Allison --- docs-xml/manpages/smbclient.1.xml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/docs-xml/manpages/smbclient.1.xml b/docs-xml/manpages/smbclient.1.xml index 06ca817..b9e55e9 100644 --- a/docs-xml/manpages/smbclient.1.xml +++ b/docs-xml/manpages/smbclient.1.xml @@ -1072,6 +1072,16 @@ + timeout <per-operation timeout in seconds> + This allows the user to tune the default + timeout used for each SMB request. The default setting is + 20 seconds. Increase it if requests to the server sometimes + time out. This can happen when SMB3 encryption is selected + and smbclient is overwhelming the server with requests. + + + + unlock <filenum> <hex-start> <hex-len> This command depends on the server supporting the CIFS UNIX extensions and will fail if the server does not. Tries to unlock a POSIX -- 1.8.1.2