[PATCH] Fix Bug 11103: - Samba does not set the required flags in the SMB2/SMB3 Negotiate Protocol Response when signing required by client

Stefan (metze) Metzmacher metze at samba.org
Thu Feb 19 01:28:35 MST 2015


Hi Jeremy,

> +++ b/source3/smbd/smb2_negprot.c
> @@ -221,7 +221,8 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
>  	}
>  
>  	security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED;
> -	if (lp_server_signing() == SMB_SIGNING_REQUIRED) {
> +	if (lp_server_signing() == SMB_SIGNING_REQUIRED ||
> +			(in_security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED)) {
>  		security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
>  	}
>  
> diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
> index 2f58e44..f918328 100644
> --- a/source3/smbd/smb2_sesssetup.c
> +++ b/source3/smbd/smb2_sesssetup.c
> @@ -186,7 +186,9 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
>  	struct smbXsrv_connection *xconn = smb2req->xconn;
>  
>  	if ((in_security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) ||
> -	    lp_server_signing() == SMB_SIGNING_REQUIRED) {
> +	    lp_server_signing() == SMB_SIGNING_REQUIRED ||
> +	    (xconn->smb2.server.security_mode &
> +			SMB2_NEGOTIATE_SIGNING_REQUIRED)) {
>  		x->global->signing_required = true;
>  	}

I think we can remove the lp_server_signing() == SMB_SIGNING_REQUIRED) here
as smbd_smb2_request_process_negprot() already sets
xconn->smb2.server.security_mode.


Can you or Steve please also upload a capture that shows the correct
behavior
of a Windows server to the bug report?

metze


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150219/796952dd/attachment.pgp>


More information about the samba-technical mailing list