Bug: Failure to verify incoming message in unencrypted SMB2 connection

[naccib]

Describe the bug
We're successfully connecting to an unencrypted SMB2 server hosted by a third party. We can create files successfully, however watching a directory will:

1. Timeout when no event happens in 10 seconds. This I think is intended behavior as the default timeout is 10 seconds.
2. Result in a "Failed to verify incoming message" TransformError when an event happens

I've patched it locally with an extremely simplistic and insecure approach. In verify_plain_incoming I simply skip verification for unencrypted messages by setting form.signed to true and returning an Ok(()). This fixes the issue.

I'm sure you have a good reasons for the verification, but is it possible that this is not behaving correctly as it stands?

To Reproduce
I've copied the code from the notify test from this repository and made minimal modifications to run on my already-setup tokio executor.

Desktop (please complete the following information):

• OS, architecture & version: [e.g. macOS 15.2, arm64]: Ubuntu 22 LTS, x86
• Version [e.g. 0.8.1]: 0.9.0

Additional context
The host is definitely an unencrypted SMB2 share (can't tell which subversion specifically).

[afiffon]

Hi @naccib!

For some additional context:

• What server are you running against?
• Are you using username + password for authentication? Or is there any chance this is a guest authentication?
• What exact function call/event triggers the error?

Can you provide debug logs of your session?

Thanks!

[naccib]

Thank you for the reply.

I can't attest which server we're running it against as it is provided by a third party. We inferred it is an unencrypted SMB2 server by testing different client connection configs against it.

We are using username and password for auth. The error is triggered by copying a file in the watched directory while Directory.watch is running.

Here are the relevant logs:

thread 'tokio-runtime-worker' panicked at src/samba.rs:159:76:
called `Result::unwrap()` on an `Err` value: TranformFailed(TransformError { outgoing: false, phase: SignVerify, session_id: Some(361932510884655105), why: "Failed to verify incoming message!", msg_id: Some(6) })
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
ERROR Error: task 31 panicked with message "called `Result::unwrap()` on an `Err` value: TranformFailed(TransformError { outgoing: false, phase: SignVerify, session_id: Some(361932510884655105), why: \"Failed to verify incoming message!\", msg_id: Some(6) })"

The directory is acquired in the same exact way as the notify test. This is how I call the watch function:

let filter = NotifyFilter::new()
        .with_file_name(true)
        .with_dir_name(true)
        .with_attributes(true)
        .with_last_write(true)
        .with_last_access(true);

for notification in directory_handle.watch(filter, true).await.unwrap() {
        event!(
            Level::INFO,
            "New samba event: file_name={:?} action={:?}",
            notification.file_name,
            notification.action
        );
}

[afiffon]

How do you log in your application? Is there any possibility you can try outputting smb logs in TRACE level? This will allow seeing the client's communications properly.

• Did you try doing the same with the Windows client instead? (i.e. open up explorer.exe in the network path, add a file and wait for it to be shown - just to make sure it's not the server's fault

[naccib]

Of course. I'm out of the office and thus can't access the machine where the bug is produced. Will log at TRACE level once back.

Just to clarify, the client machine is running Ubuntu. I can mount, list, create, modify and remove files normally.

[naccib]

Could I please get your email in order to send these logs?

[naccib]

Hi, I am happy to provide the logs via other means if you're not comfortable with me sending them via email.

[afiffon]

Of course! avivnaaman04@gmail.com. Sorry for the late response, not working on this project full-time.

[naccib]

No problem. I'll send you an email in a few.