Project

General

Profile

Bug #11774

SMB2 does not support reauthentication

Added by Andrew Stormont 13 days ago. Updated 3 days ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Difficulty:
Medium
Tags:

Description

This cause the Windows Protocol Test Suites BVT_SessionMgmt_Reauthentication test to fail.

History

#1

Updated by Gordon Ross 3 days ago

In the real world (real clients, not the test suite) re-authentication normally happens after the server expires a session.

See [MS-SMB2] 3.2.5.1.6 Handling Session Expiration

If the Status field in the SMB2 header is STATUS_NETWORK_SESSION_EXPIRED, the client MUST attempt to reauthenticate the session that is identified by the SessionId in the SMB2 header, as specified in section 3.2.4.2.3. If the reauthentication attempt succeeds, the client MUST retry the request that failed with STATUS_NETWORK_SESSION_EXPIRED. If the reauthentication attempt fails, the client MUST fail the operation and terminate the session, as specified in section 3.2.4.23.

The SMB server does not currently expire sessions, so it's not actually supposed to ever get a session setup of the "reauthentication" variety.

I'd prefer that support for session setup reauthentication went in together with session expiration. Some design work remains to be completed to work out when and how sessions should be marked expired, and how we respond to SMB requests that use an expired session. The spec. has a lot to say about this. If we implement just reauthentication, I don't think it will be testable with real clients.

In no particular order, here are some of the things that will be needed to support session expiration:

  • We probably need a new state "expired" for smb_user_t objects (or maybe a flag) to be used in the test where operations on expired sessions should return STATUS_NETWORK_SESSION_EXPIRED.
  • At some pointer during re-authentication, we need to cleanup (replace) a bunch of state in the user object before smb_user_logon() fills in all that state again (to avoid leaking the old state). See: user->u_name etc, and the cred stuff in smb_user_setcred,
  • It might be simpler to create a new smb_user_t for re-authentication and retire the old one (just something to consider)

In short, implementing session expiration will take quite a bit more work than what's shown in https://www.illumos.org/rb/r/2366/ and I have doubts whether it's worth the trouble to take just the "re-authentication" part of that work without the rest.

The motivation for this change is apparently to get one more test to pass among the many test cases in the Windows Protocol Test Suite (WPTS).
In general changes to let one more WPTS test pass are not always necessarily desirable.

Our priority should be to avoid problems with real clients, and where WPTS helps with that, great.
When we see test failures, I recommend we start with documenting the issues found by failing tests, making sure we know why the test fails, and then consider whether this is something we need to fix to avoid problems with real-world clients.

Also available in: Atom PDF