[SCM] Samba Shared Repository - branch v4-2-test updated

Karolin Seeger kseeger at samba.org
Thu Jul 16 12:12:11 UTC 2015


The branch, v4-2-test has been updated
       via  44fddac auth/credentials: if credentials have principal set, they are not anonymous anymore
       via  c0fb5fc ctdb-daemon: Return correct sequence number for CONTROL_GET_DB_SEQNUM
       via  ebde3fe s3-smbd: reset protocol in smbXsrv_connection_init_tables failure paths.
       via  a759cd6 s3:libsmb: Fix a bug in conversion of ea list to ea array.
       via  f33d7fa smbd:trans2: treat new SMB_SIGNING_DESIRED in case
       via  8be6d09 docs:smb.conf: explain effect of new setting 'desired' of smb encrypt
       via  9817f8c smbd:smb2: use encryption_desired in send_break
       via  90ee73b smbd:smb2: only enable encryption in tcon if desired
       via  8e06f18 smbd:smb2: only enable encryption in session if desired
       via  6cb67e5 smbd:smb2: separate between encryption required and enc desired
       via  6429747 smbXsrv: add bools encryption_desired to session and tcon
       via  872668a Introduce setting "desired" for 'smb encrypt' and 'client/server signing'
       via  b1cd2fe smbd: Make SMB3 clients use encryption with "smb encrypt = auto"
      from  274513b VERSION: Bump version up to 4.2.4...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-2-test


- Log -----------------------------------------------------------------
commit 44fddac658ae06005cd15f507bfac63593a6bea7
Author: Alexander Bokovoy <ab at samba.org>
Date:   Thu May 7 14:12:03 2015 +0000

    auth/credentials: if credentials have principal set, they are not anonymous anymore
    
    When dealing with Kerberos, we cannot consider credentials anonymous
    if credentials were obtained properly.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11265
    
    Signed-off-by: Alexander Bokovoy <ab at samba.org>
    Reviewed-by: Stefan (metze) Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    
    Autobuild-User(master): Alexander Bokovoy <ab at samba.org>
    Autobuild-Date(master): Wed Jul 15 16:32:55 CEST 2015 on sn-devel-104
    
    (cherry picked from commit a0d2dd0e01618346b4ad8ea9da3f7ce4eb0364b0)
    
    Autobuild-User(v4-2-test): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(v4-2-test): Thu Jul 16 14:11:52 CEST 2015 on sn-devel-104

commit c0fb5fce16fbd19366a9c06b67c3bff534a400b2
Author: Amitay Isaacs <amitay at gmail.com>
Date:   Tue Jul 14 16:54:59 2015 +1000

    ctdb-daemon: Return correct sequence number for CONTROL_GET_DB_SEQNUM
    
    Due to the missing cast of uint64_t, CONTROL_GET_DB_SEQNUM always returned
    seqnum <= 256.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11398
    
    Signed-off-by: Amitay Isaacs <amitay at gmail.com>
    Reviewed-by: Martin Schwenke <martin at meltin.net>
    Reviewed-by: Volker Lendecke <vl at samba.org>
    
    Autobuild-User(master): Amitay Isaacs <amitay at samba.org>
    Autobuild-Date(master): Tue Jul 14 13:03:25 CEST 2015 on sn-devel-104
    
    (cherry picked from commit 1023db2543f7785e4527a4565db91edcde4ca7f1)

commit ebde3fe887f9b679f9b3b7fea12864f4cd496caf
Author: G√ľnther Deschner <gd at samba.org>
Date:   Wed Jun 10 17:07:15 2015 +0200

    s3-smbd: reset protocol in smbXsrv_connection_init_tables failure paths.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11373
    
    Guenther
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    Pair-Programmed-With: Michael Adam <obnox at samba.org>
    
    Signed-off-by: Guenther Deschner <gd at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit a759cd62d34326e0268bf3a712c9330c4d767498
Author: Anubhav Rakshit <anubhav.rakshit at gmail.com>
Date:   Fri Jun 26 12:24:23 2015 +0530

    s3:libsmb: Fix a bug in conversion of ea list to ea array.
    
    Bug 11361 - Reading of EA's (Extended Attributes) fails using SMB2 and above
    protocols
    
    Tested against Win2k12r2 server.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11361
    
    Signed-off-by: Anubhav Rakshit <anubhav.rakshit at gmail.com>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>
    (cherry picked from commit 5af2e3eed2ac309e2491fc54e03e7b04c8b118fb)

commit f33d7fa2eea91ec73780bf748ed59b42cd034358
Author: Michael Adam <obnox at samba.org>
Date:   Tue Jul 7 17:15:00 2015 +0200

    smbd:trans2: treat new SMB_SIGNING_DESIRED in case
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    (cherry picked from commit 76f8d0fbada15c9466f66a2d9961bebd1425d141)

commit 8be6d0972e83cbdb0206b667739fead8bd7eaccc
Author: Michael Adam <obnox at samba.org>
Date:   Tue Jun 30 17:46:36 2015 +0200

    docs:smb.conf: explain effect of new setting 'desired' of smb encrypt
    
    Thereby clarify some details.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    (cherry picked from commit 365d9d8bdfe9759ef9662d0080cf9c9a0767dbf2)

commit 9817f8c4b3e8e3d846b61e439a61f5ca2aaa3c3c
Author: Michael Adam <obnox at samba.org>
Date:   Wed Jul 1 17:41:38 2015 +0200

    smbd:smb2: use encryption_desired in send_break
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    (cherry picked from commit 14357700fd69291995ce6adebb13e7340a63c209)

commit 90ee73b4406173c4f8ca1c9aeffc7ed693ca4b91
Author: Michael Adam <obnox at samba.org>
Date:   Wed Jul 1 18:07:52 2015 +0200

    smbd:smb2: only enable encryption in tcon if desired
    
    Don't enforce it but only announce DATA_ENCRYPT,
    making use of encryption_desired in tcon.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    (cherry picked from commit 41cb881e775ea7eb0c59d9e0cafb6ab5531918d9)

commit 8e06f1811032f330ef13b1a02aaf1c2d4a4d9f38
Author: Michael Adam <obnox at samba.org>
Date:   Wed Jul 1 18:07:26 2015 +0200

    smbd:smb2: only enable encryption in session if desired
    
    Don't enforce it but only announce ENCRYPT_DATA, using the
    encryption_desired flag in session setup.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    (cherry picked from commit fc228025d78f165815d3fa1670d51f0c27ed2091)

commit 6cb67e5aa66898b1d4bab189dd66d8e009d73f97
Author: Michael Adam <obnox at samba.org>
Date:   Wed Jul 1 17:42:58 2015 +0200

    smbd:smb2: separate between encryption required and enc desired
    
    this means we:
    - accept unencrypted requests if encryption only desired
      and not required,
    - but we always send encrypted responses in the desired
      case, not only when the request was encrypted.
    
    For this purpose, the do_encryption in the request
    structure is separated into was_encrypted and do_encryption.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    (cherry picked from commit 3bb299944391633c45d87d5e8ad48c2c14428592)

commit 64297477a63cbeb7d971f0a5c0a578cc325beff6
Author: Michael Adam <obnox at samba.org>
Date:   Wed Jul 1 17:34:45 2015 +0200

    smbXsrv: add bools encryption_desired to session and tcon
    
    This is to indicate that we should sen the ENCRYPT_DATA
    flag on session or tcon replies.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    (cherry picked from commit a3ea6dbef53e049701326497e684e1563344e6d8)

commit 872668aa5a8c24d0b38c2c375475c6027ec42aa2
Author: Michael Adam <obnox at samba.org>
Date:   Tue Jun 30 14:16:19 2015 +0200

    Introduce setting "desired" for 'smb encrypt' and 'client/server signing'
    
    This should trigger the behaviour where the server requires
    signing when the client supports it, but does not reject
    clients that don't support it.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    (cherry picked from commit 204cbe3645c59b43175beeadad792b4a00e80da3)

commit b1cd2febd806cf4df1b04795a20c16b978e5f9db
Author: Volker Lendecke <vl at samba.org>
Date:   Wed Feb 25 16:59:26 2015 +0100

    smbd: Make SMB3 clients use encryption with "smb encrypt = auto"
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372
    
    Autobuild-User(master): Volker Lendecke <vl at samba.org>
    Autobuild-Date(master): Tue Mar  3 10:40:42 CET 2015 on sn-devel-104
    
    (cherry picked from commit b3385f74db54bd8a07a0be5515151b633c067da4)

-----------------------------------------------------------------------

Summary of changes:
 auth/credentials/credentials.c              |  5 +++
 ctdb/server/ctdb_persistent.c               |  5 +--
 docs-xml/smbdotconf/security/smbencrypt.xml | 66 ++++++++++++++++++++---------
 lib/param/loadparm.c                        |  1 +
 lib/param/param_table.c                     |  1 +
 libcli/smb/smbXcli_base.c                   |  6 +++
 libcli/smb/smb_constants.h                  |  1 +
 source3/librpc/idl/smbXsrv.idl              |  2 +
 source3/libsmb/cli_smb2_fnum.c              |  2 +-
 source3/smbd/globals.h                      |  3 ++
 source3/smbd/process.c                      |  7 ++-
 source3/smbd/smb2_server.c                  | 22 +++++++---
 source3/smbd/smb2_sesssetup.c               |  8 +++-
 source3/smbd/smb2_tcon.c                    | 10 ++++-
 source3/smbd/trans2.c                       |  1 +
 source4/smb_server/smb2/negprot.c           |  1 +
 16 files changed, 108 insertions(+), 33 deletions(-)


Changeset truncated at 500 lines:

diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index 78b5955..e988d2d 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -921,6 +921,11 @@ _PUBLIC_ bool cli_credentials_is_anonymous(struct cli_credentials *cred)
 						    cred->machine_account_pending_lp_ctx);
 	}
 
+	/* if principal is set, it's not anonymous */
+	if ((cred->principal != NULL) && cred->principal_obtained >= cred->username_obtained) {
+		return false;
+	}
+
 	username = cli_credentials_get_username(cred);
 	
 	/* Yes, it is deliberate that we die if we have a NULL pointer
diff --git a/ctdb/server/ctdb_persistent.c b/ctdb/server/ctdb_persistent.c
index e28622f..5c54b9e 100644
--- a/ctdb/server/ctdb_persistent.c
+++ b/ctdb/server/ctdb_persistent.c
@@ -369,14 +369,11 @@ int32_t ctdb_control_get_db_seqnum(struct ctdb_context *ctdb,
 	}
 
 	outdata->dsize = sizeof(uint64_t);
-	outdata->dptr = (uint8_t *)talloc_zero(outdata, uint64_t);
+	outdata->dptr = talloc_memdup(outdata, &seqnum, sizeof(uint64_t));
 	if (outdata->dptr == NULL) {
 		ret = -1;
-		goto done;
 	}
 
-	*(outdata->dptr) = seqnum;
-
 done:
 	return ret;
 }
diff --git a/docs-xml/smbdotconf/security/smbencrypt.xml b/docs-xml/smbdotconf/security/smbencrypt.xml
index 14b32c2..284fe9e 100644
--- a/docs-xml/smbdotconf/security/smbencrypt.xml
+++ b/docs-xml/smbdotconf/security/smbencrypt.xml
@@ -31,11 +31,15 @@
 	<para>
 		This parameter can be set globally and on a per-share bases.
 		Possible values are
-		<emphasis>off</emphasis> or <emphasis>disabled</emphasis>,
-		<emphasis>auto</emphasis> or <emphasis>enabled</emphasis>, and
-		<emphasis>mandatory</emphasis> or <emphasis>required</emphasis>.
+		<emphasis>off</emphasis> (or <emphasis>disabled</emphasis>),
+		<emphasis>enabled</emphasis> (or <emphasis>auto</emphasis>, or
+		<emphasis>if_required</emphasis>),
+		<emphasis>desired</emphasis>,
+		and
+		<emphasis>required</emphasis>
+		(or <emphasis>mandatory</emphasis>).
 		A special value is <emphasis>default</emphasis> which is
-		the implicit default setting.
+		the implicit default setting of <emphasis>enabled</emphasis>.
 	</para>
 
 	<variablelist>
@@ -104,7 +108,7 @@
 			<listitem>
 			<para>
 			The capability to perform SMB encryption can be
-			negotiated during prorocol negotiation.
+			negotiated during protocol negotiation.
 			</para>
 			</listitem>
 
@@ -146,8 +150,9 @@
 		<itemizedlist>
 			<listitem>
 			<para>
-			Leaving it as default or explicitly setting
-			<emphasis>default</emphasis> globally will enable
+			Leaving it as default, explicitly setting
+			<emphasis>default</emphasis>, or setting it to
+			<emphasis>enabled</emphasis> globally will enable
 			negotiation of encryption but will not turn on
 			data encryption globally or per share.
 			</para>
@@ -155,16 +160,20 @@
 
 			<listitem>
 			<para>
-			Setting it to <emphasis>enabled</emphasis> globally will
-			enable negotiation and turn on data encryption globally.
+			Setting it to <emphasis>desired</emphasis> globally
+			will enable negotiation and will turn on data encryption
+			on sessions and share connections for those clients
+			that support it.
 			</para>
 			</listitem>
 
 			<listitem>
 			<para>
 			Setting it to <emphasis>required</emphasis> globally
-			will enable negotiation and enforce data encryption
-			globally.
+			will enable negotiation and turn on data encryption
+			on sessions and share connections. Clients that do
+			not support encryption will be denied access to the
+			server.
 			</para>
 			</listitem>
 
@@ -177,9 +186,10 @@
 
 			<listitem>
 			<para>
-			Setting it to <emphasis>enabled</emphasis> on a share
-			will turn on data encryption for this share if
-			negotiation has been enabled globally.
+			Setting it to <emphasis>desired</emphasis> on a share
+			will turn on data encryption for this share for clients
+			that support encryption if negotiation has been
+			enabled globally.
 			</para>
 			</listitem>
 
@@ -187,16 +197,34 @@
 			<para>
 			Setting it to <emphasis>required</emphasis> on a share
 			will enforce data encryption for this share if
-			negotiation has been enabled globally. Note that this
-			allows enforcing to be controlled in Samba more
-			fine-grainedly than in Windows.  This is a small
-			deviation from the MS-SMB2 protocol document.
+			negotiation has been enabled globally. I.e. clients that
+			do not support encryption will be denied access to the
+			share.
+			</para>
+			<para>
+			Note that this allows per-share enforcing to be
+			controlled in Samba differently from Windows:
+			In Windows, <emphasis>RejectUnencryptedAccess</emphasis>
+			is a global setting, and if it is set, all shares with
+			data encryption turned on
+			are automatically enforcing encryption. In order to
+			achieve the same effect in Samba, one
+			has to globally set <emphasis>smb encrypt</emphasis> to
+			<emphasis>enabled</emphasis>, and then set all shares
+			that should be encrypted to
+			<emphasis>required</emphasis>.
+			Additionally, it is possible in Samba to have some
+			shares with encryption <emphasis>required</emphasis>
+			and some other shares with encryption only
+			<emphasis>desired</emphasis>, which is not possible in
+			Windows.
 			</para>
 			</listitem>
 
 			<listitem>
 			<para>
-			Setting it to <emphasis>off</emphasis> for a share has
+			Setting it to <emphasis>off</emphasis> or
+			<emphasis>enabled</emphasis> for a share has
 			no effect.
 			</para>
 			</listitem>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index dff1ca9..ae60cbf 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -3189,6 +3189,7 @@ bool lpcfg_server_signing_allowed(struct loadparm_context *lp_ctx, bool *mandato
 	case SMB_SIGNING_REQUIRED:
 		*mandatory = true;
 		break;
+	case SMB_SIGNING_DESIRED:
 	case SMB_SIGNING_IF_REQUIRED:
 		break;
 	case SMB_SIGNING_DEFAULT:
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 1b9656b..530d858 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -113,6 +113,7 @@ static const struct enum_list enum_smb_signing_vals[] = {
 	{SMB_SIGNING_IF_REQUIRED, "On"},
 	{SMB_SIGNING_IF_REQUIRED, "enabled"},
 	{SMB_SIGNING_IF_REQUIRED, "auto"},
+	{SMB_SIGNING_DESIRED, "desired"},
 	{SMB_SIGNING_REQUIRED, "required"},
 	{SMB_SIGNING_REQUIRED, "mandatory"},
 	{SMB_SIGNING_REQUIRED, "force"},
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index c27b317..803b6ee 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -357,6 +357,12 @@ struct smbXcli_conn *smbXcli_conn_create(TALLOC_CTX *mem_ctx,
 		conn->desire_signing = false;
 		conn->mandatory_signing = false;
 		break;
+	case SMB_SIGNING_DESIRED:
+		/* if the server desires it */
+		conn->allow_signing = true;
+		conn->desire_signing = true;
+		conn->mandatory_signing = false;
+		break;
 	case SMB_SIGNING_REQUIRED:
 		/* always */
 		conn->allow_signing = true;
diff --git a/libcli/smb/smb_constants.h b/libcli/smb/smb_constants.h
index f841ca9..9b57078 100644
--- a/libcli/smb/smb_constants.h
+++ b/libcli/smb/smb_constants.h
@@ -96,6 +96,7 @@ enum smb_signing_setting {
 	SMB_SIGNING_DEFAULT = -1,
 	SMB_SIGNING_OFF = 0,
 	SMB_SIGNING_IF_REQUIRED = 1,
+	SMB_SIGNING_DESIRED = 2,
 	SMB_SIGNING_REQUIRED = 3,
 };
 
diff --git a/source3/librpc/idl/smbXsrv.idl b/source3/librpc/idl/smbXsrv.idl
index 0035442..e32496a 100644
--- a/source3/librpc/idl/smbXsrv.idl
+++ b/source3/librpc/idl/smbXsrv.idl
@@ -190,6 +190,7 @@ interface smbXsrv
 		[ignore] gensec_security		*gensec;
 		[ignore] user_struct			*compat;
 		[ignore] smbXsrv_tcon_table		*tcon_table;
+		boolean8				encryption_desired;
 	} smbXsrv_session;
 
 	typedef union {
@@ -284,6 +285,7 @@ interface smbXsrv
 		NTSTATUS				status;
 		NTTIME					idle_time;
 		[ignore] connection_struct		*compat;
+		boolean8				encryption_desired;
 	} smbXsrv_tcon;
 
 	typedef union {
diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c
index de4bd6f..95153ec 100644
--- a/source3/libsmb/cli_smb2_fnum.c
+++ b/source3/libsmb/cli_smb2_fnum.c
@@ -2193,7 +2193,7 @@ NTSTATUS cli_smb2_get_ea_list_path(struct cli_state *cli,
 		}
 		ea_count = 0;
 		for (eal = ea_list; eal; eal = eal->next) {
-			(*pea_array)[ea_count++] = ea_list->ea;
+			(*pea_array)[ea_count++] = eal->ea;
 		}
 		*pnum_eas = ea_count;
 	}
diff --git a/source3/smbd/globals.h b/source3/smbd/globals.h
index 2aed98e..3194b45 100644
--- a/source3/smbd/globals.h
+++ b/source3/smbd/globals.h
@@ -646,6 +646,9 @@ struct smbd_smb2_request {
 
 	int current_idx;
 	bool do_signing;
+	/* Was the request encrypted? */
+	bool was_encrypted;
+	/* Should we encrypt? */
 	bool do_encryption;
 	struct tevent_timer *async_te;
 	bool compound_related;
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index 74e7afc..d8091f3 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -3465,36 +3465,41 @@ NTSTATUS smbXsrv_connection_init_tables(struct smbXsrv_connection *conn,
 {
 	NTSTATUS status;
 
-	set_Protocol(protocol);
 	conn->protocol = protocol;
 
 	if (protocol >= PROTOCOL_SMB2_02) {
 		status = smb2srv_session_table_init(conn);
 		if (!NT_STATUS_IS_OK(status)) {
+			conn->protocol = PROTOCOL_NONE;
 			return status;
 		}
 
 		status = smb2srv_open_table_init(conn);
 		if (!NT_STATUS_IS_OK(status)) {
+			conn->protocol = PROTOCOL_NONE;
 			return status;
 		}
 	} else {
 		status = smb1srv_session_table_init(conn);
 		if (!NT_STATUS_IS_OK(status)) {
+			conn->protocol = PROTOCOL_NONE;
 			return status;
 		}
 
 		status = smb1srv_tcon_table_init(conn);
 		if (!NT_STATUS_IS_OK(status)) {
+			conn->protocol = PROTOCOL_NONE;
 			return status;
 		}
 
 		status = smb1srv_open_table_init(conn);
 		if (!NT_STATUS_IS_OK(status)) {
+			conn->protocol = PROTOCOL_NONE;
 			return status;
 		}
 	}
 
+	set_Protocol(protocol);
 	return NT_STATUS_OK;
 }
 
diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index 2739734..e723f6d 100644
--- a/source3/smbd/smb2_server.c
+++ b/source3/smbd/smb2_server.c
@@ -1939,6 +1939,7 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 	NTSTATUS return_value;
 	struct smbXsrv_session *x = NULL;
 	bool signing_required = false;
+	bool encryption_desired = false;
 	bool encryption_required = false;
 
 	inhdr = SMBD_SMB2_IN_HDR_PTR(req);
@@ -1984,11 +1985,13 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 	x = req->session;
 	if (x != NULL) {
 		signing_required = x->global->signing_required;
+		encryption_desired = x->encryption_desired;
 		encryption_required = x->global->encryption_required;
 	}
 
 	req->do_signing = false;
 	req->do_encryption = false;
+	req->was_encrypted = false;
 	if (intf_v->iov_len == SMB2_TF_HDR_SIZE) {
 		const uint8_t *intf = SMBD_SMB2_IN_TF_PTR(req);
 		uint64_t tf_session_id = BVAL(intf, SMB2_TF_SESSION_ID);
@@ -2010,10 +2013,10 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 					NT_STATUS_ACCESS_DENIED);
 		}
 
-		req->do_encryption = true;
+		req->was_encrypted = true;
 	}
 
-	if (encryption_required && !req->do_encryption) {
+	if (encryption_required && !req->was_encrypted) {
 		return smbd_smb2_request_error(req,
 				NT_STATUS_ACCESS_DENIED);
 	}
@@ -2045,7 +2048,7 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 		req->compat_chain_fsp = NULL;
 	}
 
-	if (req->do_encryption) {
+	if (req->was_encrypted) {
 		signing_required = false;
 	} else if (signing_required || (flags & SMB2_HDR_FLAG_SIGNED)) {
 		DATA_BLOB signing_key = data_blob_null;
@@ -2131,15 +2134,22 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 		if (!NT_STATUS_IS_OK(status)) {
 			return smbd_smb2_request_error(req, status);
 		}
+		if (req->tcon->encryption_desired) {
+			encryption_desired = true;
+		}
 		if (req->tcon->global->encryption_required) {
 			encryption_required = true;
 		}
-		if (encryption_required && !req->do_encryption) {
+		if (encryption_required && !req->was_encrypted) {
 			return smbd_smb2_request_error(req,
 				NT_STATUS_ACCESS_DENIED);
 		}
 	}
 
+	if (req->was_encrypted || encryption_desired) {
+		req->do_encryption = true;
+	}
+
 	if (call->fileid_ofs != 0) {
 		size_t needed = call->fileid_ofs + 16;
 		const uint8_t *body = SMBD_SMB2_IN_BODY_PTR(req);
@@ -2770,8 +2780,8 @@ static NTSTATUS smbd_smb2_send_break(struct smbXsrv_connection *xconn,
 
 	if (session != NULL) {
 		session_wire_id = session->global->session_wire_id;
-		do_encryption = session->global->encryption_required;
-		if (tcon->global->encryption_required) {
+		do_encryption = session->encryption_desired;
+		if (tcon->encryption_desired) {
 			do_encryption = true;
 		}
 	}
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index 85f8a9a..e255e46 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -190,7 +190,13 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
 		x->global->signing_required = true;
 	}
 
+	if ((lp_smb_encrypt(-1) >= SMB_SIGNING_DESIRED) &&
+	    (xconn->smb2.client.capabilities & SMB2_CAP_ENCRYPTION)) {
+		x->encryption_desired = true;
+	}
+
 	if (lp_smb_encrypt(-1) == SMB_SIGNING_REQUIRED) {
+		x->encryption_desired = true;
 		x->global->encryption_required = true;
 	}
 
@@ -217,7 +223,7 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
 		}
 	}
 
-	if (x->global->encryption_required) {
+	if (x->encryption_desired) {
 		*out_session_flags |= SMB2_SESSION_FLAG_ENCRYPT_DATA;
 	}
 
diff --git a/source3/smbd/smb2_tcon.c b/source3/smbd/smb2_tcon.c
index 8a6d339..e3680a0 100644
--- a/source3/smbd/smb2_tcon.c
+++ b/source3/smbd/smb2_tcon.c
@@ -184,6 +184,7 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req,
 	connection_struct *compat_conn = NULL;
 	struct user_struct *compat_vuser = req->session->compat;
 	NTSTATUS status;
+	bool encryption_desired = req->session->encryption_desired;
 	bool encryption_required = req->session->global->encryption_required;
 	bool guest_session = false;
 
@@ -235,7 +236,13 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req,
 		return NT_STATUS_BAD_NETWORK_NAME;
 	}
 
+	if ((lp_smb_encrypt(snum) >= SMB_SIGNING_DESIRED) &&
+	    (conn->smb2.client.capabilities & SMB2_CAP_ENCRYPTION)) {
+		encryption_desired = true;
+	}
+
 	if (lp_smb_encrypt(snum) == SMB_SIGNING_REQUIRED) {
+		encryption_desired = true;
 		encryption_required = true;
 	}
 
@@ -264,6 +271,7 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req,
 		return status;
 	}
 
+	tcon->encryption_desired = encryption_desired;
 	tcon->global->encryption_required = encryption_required;
 
 	compat_conn = make_connection_smb2(req,
@@ -334,7 +342,7 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req,
 		*out_share_flags |= SMB2_SHAREFLAG_ACCESS_BASED_DIRECTORY_ENUM;
 	}
 
-	if (encryption_required) {
+	if (encryption_desired) {
 		*out_share_flags |= SMB2_SHAREFLAG_ENCRYPT_DATA;
 	}
 
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index 40983cc..a937023 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -3608,6 +3608,7 @@ cBytesSector=%u, cUnitTotal=%u, cUnitAvail=%d\n", (unsigned int)bsize, (unsigned
 			case SMB_SIGNING_OFF:
 				encrypt_caps = 0;
 				break;
+			case SMB_SIGNING_DESIRED:
 			case SMB_SIGNING_IF_REQUIRED:
 			case SMB_SIGNING_DEFAULT:
 				encrypt_caps = CIFS_UNIX_TRANSPORT_ENCRYPTION_CAP;
diff --git a/source4/smb_server/smb2/negprot.c b/source4/smb_server/smb2/negprot.c
index 81f2547..b48b170 100644
--- a/source4/smb_server/smb2/negprot.c
+++ b/source4/smb_server/smb2/negprot.c
@@ -150,6 +150,7 @@ static NTSTATUS smb2srv_negprot_backend(struct smb2srv_request *req, struct smb2
 	case SMB_SIGNING_OFF:
 		io->out.security_mode = 0;
 		break;
+	case SMB_SIGNING_DESIRED:
 	case SMB_SIGNING_IF_REQUIRED:
 		io->out.security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED;
 		break;


-- 
Samba Shared Repository



More information about the samba-cvs mailing list