Fix SMB negotiate: cipher_count=1 and username case sensitivity

2026-06-24 22:22:42 +08:00
parent dc217e8903
commit 6f223c9232
3 changed files with 10 additions and 9 deletions
--- a/vendor/smb-server/src/builder.rs
+++ b/vendor/smb-server/src/builder.rs
@@ -75,9 +75,10 @@ impl Share {
    }

    /// Grant `access` to the given (already-registered) user. Multiple calls
-    /// accumulate.
+    /// accumulate. Username is normalized to lowercase for SMB case-insensitive
+    /// matching.
    pub fn user(mut self, name: impl Into<String>, access: Access) -> Self {
-        self.users.insert(name.into(), access);
+        self.users.insert(name.into().to_lowercase(), access);
        self
    }

@@ -163,7 +164,7 @@ impl SmbServerBuilder {
    }

    pub fn user(mut self, name: impl Into<String>, password: impl Into<String>) -> Self {
-        let n = name.into();
+        let n = name.into().to_lowercase();
        if !self.users.contains_key(&n) {
            self.user_order.push(n.clone());
        }
--- a/vendor/smb-server/src/handlers/negotiate.rs
+++ b/vendor/smb-server/src/handlers/negotiate.rs
@@ -118,13 +118,13 @@ pub async fn handle(
            data: signing_data,
        };

-        // ENCRYPTION_CAPABILITIES — advertise AES-128-GCM and AES-128-CCM.
-        // GCM is preferred (SMB 3.1.1+), CCM is for Windows 8 compat (SMB 3.0).
+        // ENCRYPTION_CAPABILITIES — advertise a single cipher (AES-128-GCM).
+        // Samba smbclient enforces cipher_count == 1 in the response
+        // (smbXcli_negprot_smb2_done: cipher_count != 1 → INVALID_NETWORK_RESPONSE).
        let encryption_caps = EncryptionCapabilities {
-            cipher_count: 2,
+            cipher_count: 1,
            ciphers: vec![
                EncryptionCapabilities::CIPHER_AES_128_GCM,
-                EncryptionCapabilities::CIPHER_AES_128_CCM,
            ],
        };
        let encryption_data = {
--- a/vendor/smb-server/src/proto/auth/ntlm.rs
+++ b/vendor/smb-server/src/proto/auth/ntlm.rs
@@ -743,7 +743,7 @@ impl NtlmServer {

        Ok(AuthOutcome {
            identity: Identity::User {
-                user: auth.user.clone(),
+                user: auth.user.to_lowercase(),
                domain: auth.domain.clone(),
            },
            session_key,
@@ -1008,7 +1008,7 @@ mod tests {
        assert_eq!(
            outcome.identity,
            Identity::User {
-                user: "User".to_string(),
+                user: "user".to_string(),  // lowercase per SMB case-insensitive matching
                domain: "Domain".to_string()
            }
        );