Non-encrypted case should be negotiated consistently when using dialect 3.1.1 #747
Comments
|
Unfortunately it seems that NetApp is inconsistent in the implementation of the MS-SMB2 spec. The reason it's implemented as it is now stems from these lines in the specification for the 3.1.1 dialect: So, though I understand the confusion, this is actually pretty well specced out, and is in line with how it should behave. I think the error here is on the server side, as that specifies the following behaviour: SMBJ will correctly interprete a |
|
@hierynomus Thanks for your detailed answer and also for the pointers to the related sections of the SMB specification (I read it carefully). However, I still have a question regarding |
|
Let me check, I don't think we should indeed if that's the case. |
|
@turcsanyip Finally had some time to do some work on the lib again! Could you check whether the version from branch #752 works correctly for you? |
|
@hierynomus The fix from your branch seems to be working. I tested it with an on-premise NetApp. private static final SmbConfig cfg = SmbConfig
.builder()
.withDialects(SMB2Dialect.SMB_3_1_1)
.withEncryptData(false)
.build();With the current main branch I get: But on the feature branch I do not get any exceptions and connecting is successful. |
|
Thanks @hierynomus ! |
* Ignore VSCode * Add NtStatus.STATUS_UNSUCCESSFUL * Add NtStatus.STATUS_INSUFF_SERVER_RESOURCES (#611) * Add NtStatus.STATUS_IO_REPARSE_TAG_NOT_HANDLED (#514) * Update gradle build * Update release plugin * Release version: 0.11.0 * Fix signing task dependency * Release version: 0.11.1 * Use BCSecurityProvider by default for SMB3 compatibility (Fixes #638) * Ensure DFS Path Referral times out after transactTimeout (Fixes #578) * Only add DFSPathResolver if both client and server support DFS (#640) * Only add DFSPathResolver if both client and server support DFS * Fix indentation problems * Fix incorrectly reformatted javadoc * Format using java formatter * One more indentation fix * Upgrade Bouncy Castle to 1.68 to fix vulnerability report (#641) * address issue #604 - stop closing the dfs share connection immediately. (#609) * stop closing the dfs share connection immediately. * Add explanatory comment Co-authored-by: Jeroen van Erp <[email protected]> * Add support for unregistering server from serverlist (Fixes #644) (#647) * Add support for unregistering server from serverlist (Fixes #644) * Fix indentation * Reducing logging for smb3 (#650) For each smb3 packet there's an info log message which produces a tremendous amount of output. I would suggest to reduce log level to debug (or trace; similarly as in one of the other packet reciever classes). * Consolidate SMBv1 error messages * Upgrade BouncyCastle to 1.69 * Release version: 0.11.2 * Ensure artifact is signed * Release version: 0.11.3 * Fix #665: Allow JCE KDF to work (#666) * Fix #665: Allow JCE KDF to work * Add header * Add KDF unit test * Use correct maxPayloadSize for encrypted packets (Fixes #668) (#683) * Read fileId as long (#693) * Read fileId of FileIdBothDirectoryInformation into a long * Read fileId of FileIdFullDirectoryInformation into a long * File the issue that nested folder creation throw NAME EXIST error. (#685) * File the issue that nested folder creation throw NAME EXIST error. * formatting * Updated build status badges (#684) - Added GitHub badge for Build SMBJ - Corrected Codacy badge link - Removed bintray badge link - Removed Travis CI badge and configuration - Removed Java profiler link - Removed CircleCI configuration - Removed unused github-ci configuration * Use AceSize field when reading ACEs (#696) Fixes issue seen in the wild where unnecessary padding at the end of an ACE confused Smbj (but not Windows). * Ensure that enough bytes are cached from InputStream to get a correct bytesLeft count for SMB2Write (fixes #669) * GzipOutputStream integration test * Ensure that enough bytes are cached from InputStream to get a correct bytesLeft count for SMB2Write Co-authored-by: Stanislav Kardashov <[email protected]> Co-authored-by: Jeroen van Erp <[email protected]> * Add GH workflow for publishing * Update dependencies and build file * Rename test class to *Spec * Release version: 0.11.5 * Use the hostname part of the TargetHint for DFS step 9 (fixes \#419) (#722) * Slightly reduce the locking in Connection.send and DirectTcpTransport (fixes \#732) * Fixed indentation * Converting bytes written to long (Fixes #740) Signed-off-by: Jeroen van Erp <[email protected]> * Upgrading gradle to 8.0.2 Signed-off-by: Jeroen van Erp <[email protected]> * Add Implementation manifest attributes (Fixes #743) * Revert accidental comment of integration docker tasks * Do not send SMB2EncryptionCapabilities NegotiationContext is !isEncry… (#752) * Do not send SMB2EncryptionCapabilities NegotiationContext is !isEncryptionSupported (Fixes #747) * Add test for SMB2EncryptionCapabilities * Add preliminary changelog for new release * Ensure we call flip() on Buffer to avoid Java8 problems (Fixes #705) Signed-off-by: Jeroen van Erp <[email protected]> * Ensure path is set for rmdir to prevent accidents (Fixes #756) Signed-off-by: Jeroen van Erp <[email protected]> * Add support for reading / writing NIO ByteBuffers (#759) * Add support for reading / writing NIO ByteBuffers Currently one can transfer data using streams or array, but it would be great to have the opportunity to use NIO buffers. This adds two new method to the File class that accept a NIO ByteBuffer. * Implemented ByteBuffer write using ByteChunkProvider Signed-off-by: Jeroen van Erp <[email protected]> --------- Signed-off-by: Jeroen van Erp <[email protected]> Co-authored-by: Christoph Läubrich <[email protected]> Co-authored-by: Jeroen van Erp <[email protected]> * Fix some sonatype warnings * resolve conflict with master * Ignore non-semver tags for release workflow * Small warning cleanup Signed-off-by: Jeroen van Erp <[email protected]> * Setup ConnectionContext and AuthenticationContext for NTLM improvements Signed-off-by: Jeroen van Erp <[email protected]> * Refactor TargetInfo/AvPairs * Added null check and rename field * Refactor NtlmFunctions * Change hierarchy of Ntlm messages Signed-off-by: Jeroen van Erp <[email protected]> * Next step of NTLM refactor * NtlmNegotiate sends Domain/Workstation/Version fields * Filter negotiateflags and use clientTargetInfo * Rework keys in NtlmAuthenticator Signed-off-by: Jeroen van Erp <[email protected]> * Change to structure of NtlmAuthenticate Signed-off-by: Jeroen van Erp <[email protected]> * Added last changes Required to put withIntegrity = false still, due to missing mechListMIC Signed-off-by: Jeroen van Erp <[email protected]> --------- Signed-off-by: Jeroen van Erp <[email protected]> Co-authored-by: Nicholas DiPiazza <[email protected]> Co-authored-by: ndimitry <[email protected]> Co-authored-by: Patrick Boyd <[email protected]> Co-authored-by: Hannes <[email protected]> Co-authored-by: pyzhou <[email protected]> Co-authored-by: exceptionfactory <[email protected]> Co-authored-by: Chris Pacejo <[email protected]> Co-authored-by: Stanislav Kardashov <[email protected]> Co-authored-by: Stanislav Kardashov <[email protected]> Co-authored-by: Christoph Läubrich <[email protected]> Co-authored-by: Christoph Läubrich <[email protected]>
This is a backport of hierynomus#747
This is a backport of hierynomus#747
This is a backport of hierynomus#747
This is a backport of hierynomus#747
This is a backport of hierynomus#747
This is a backport of hierynomus#747
This is a backport of hierynomus#747
This is a backport of hierynomus#747
This is a backport of hierynomus#747
This is a backport of hierynomus#747
This is a backport of hierynomus#747
This is a backport of hierynomus#747
This is a backport of hierynomus#747
This is a backport of hierynomus#747
|
If we enable encryption on the SMBJ client side by setting .withEncryptData(true). At the same time on the server side executing "Get-SmbServerConfiguration" tells that EncryptData : False means server has not enabled encryption. I tried this configuration and while debugging I found out that during client - server negotiation, even if the server side encryption is off it was sending the encryption key and during the negotiation client -server were successfully able to negotiate encryption. I want to know will this be true for all use cases if the server supports SMB3.0 ? |
SMBJ 0.11.x introduced SMB 3.x support with (optionally enabled) encryption feature, configurable via SmbConfig.Builder.withEncryptData(boolean).
When using
3.0dialect, the encryption is negotiated properly with the server:withEncryptDatais set totrue, the library sendsSMB2_GLOBAL_CAP_ENCRYPTIONcapability in the negotiate request to the server, and if the server also supports encryption (answers with the same capability), the client will use encryptionwithEncryptDatais set tofalse(default), the library does not send the encryption capability and will not use encryption (regardless of the server's response)So the library uses encryption only if both sides claimed that they support encryption during the protocol negotiation, which I believe the proper behaviour.
In case of
3.1.1dialect, the library decides based on the servers response only and does not take into account whether the encryption was set viawithEncryptData(true)and the capability was sent to the server, or not.It works for the
withEncryptData(true)case but leads to inconsistent behaviour with some servers whenwithEncryptData(false)(and therefore no encryption capability was sent from the client side):smbjwill not use encryptionsmbjwill turn on encryption (and the communication will be successful)smbjwill turn on encryption but the communication will fail (it seems NetApp Files does not tolerate that the client does not claim encryption capability but then tries to use encryption, which sounds reasonable from the server's perspective)The first 2 cases are just inconsistent but the 3rd one is a concrete failure in the communication between the client and the server.
For these reasons, I would suggest taking into account also the client side encryption setting (not just the server's response) when encryption is determined in case of 3.1.1 (similar to 3.0):
ConnectionContext. supportsEncryption()
Error stack trace (no useful info related to the root cause though):
The text was updated successfully, but these errors were encountered: