[PATCH] Session reauth signing fix and test

Ralph Böhme slow at samba.org
Mon Nov 12 11:21:31 UTC 2018


Hi!

Attached is a patch that ensures we correctly sign a session reauth response in 
smbd.

The fix itself is obvious, the test was a little bit more work.

Please review&push if happy. Thanks!

CI passed: https://gitlab.com/samba-team/devel/samba/pipelines/36191198

-slow

-- 
Ralph Boehme, Samba Team       https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/
GPG Key Fingerprint:           FAE2 C608 8A24 2520 51C5
                               59E4 AA1E 9B71 2639 9E46
-------------- next part --------------
From 33d0039c7a4cead28dc9092eec646429187c9b9a Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Thu, 8 Nov 2018 16:24:45 +0100
Subject: [PATCH 01/11] s3:selftest: split "raw.session" and "smb2.session"

The next commit is going to add a testsuite to "smb2.session".

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661

Signed-off-by: Ralph Boehme <slow at samba.org>
---
 source3/selftest/tests.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 20b96762e7a..3bfd8213bb8 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -491,7 +491,12 @@ tests = base + raw + smb2 + rpc + unix + local + rap + nbt + libsmbclient + idma
         plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD')
         plansmbtorture4testsuite(t, "simpleserver", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD')
         plansmbtorture4testsuite(t, "ad_dc", '//$SERVER/tmp -U$USERNAME%$PASSWORD')
-    elif t == "raw.session" or t == "smb2.session":
+    elif t == "raw.session":
+        plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD', 'plain')
+        plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmpenc -U$USERNAME%$PASSWORD', 'enc')
+        plansmbtorture4testsuite(t, "ad_dc", '//$SERVER/tmp -k no -U$USERNAME%$PASSWORD', 'ntlm')
+        plansmbtorture4testsuite(t, "ad_dc", '//$SERVER/tmp -k yes -U$USERNAME%$PASSWORD', 'krb5')
+    elif t == "smb2.session":
         plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD', 'plain')
         plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmpenc -U$USERNAME%$PASSWORD', 'enc')
         plansmbtorture4testsuite(t, "ad_dc", '//$SERVER/tmp -k no -U$USERNAME%$PASSWORD', 'ntlm')
-- 
2.17.2


From 64b936119a2d3131a0d47bea1556e672bcfc44af Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Fri, 9 Nov 2018 12:33:29 +0100
Subject: [PATCH 02/11] s3:selftest: also run smb2.session torture testsuite
 against ad_member

The next commit adds a subtest to the smb2.session testsuite that
requires Kerberos (ad_dc would work), but where neither SMB2 server or
client must require signing (ad_dc, being an AD DC, requires signing).

The ad_member environment supports Kerberos with the SMB2 server not
mandating signing, that'll do.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661

Signed-off-by: Ralph Boehme <slow at samba.org>
---
 source3/selftest/tests.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 3bfd8213bb8..24ee9123b7e 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -501,6 +501,7 @@ tests = base + raw + smb2 + rpc + unix + local + rap + nbt + libsmbclient + idma
         plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmpenc -U$USERNAME%$PASSWORD', 'enc')
         plansmbtorture4testsuite(t, "ad_dc", '//$SERVER/tmp -k no -U$USERNAME%$PASSWORD', 'ntlm')
         plansmbtorture4testsuite(t, "ad_dc", '//$SERVER/tmp -k yes -U$USERNAME%$PASSWORD', 'krb5')
+        plansmbtorture4testsuite(t, "ad_member", '//$SERVER/tmp -k yes -U$DC_USERNAME@$REALM%$DC_PASSWORD', 'krb5')
     elif t == "rpc.lsa":
         plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD', 'over ncacn_np ')
         plansmbtorture4testsuite(t, "nt4_dc", 'ncacn_ip_tcp:$SERVER_IP -U$USERNAME%$PASSWORD', 'over ncacn_ip_tcp ')
-- 
2.17.2


From 79f05fbf0246e4d0d479ea41ab8eae9c16a093ad Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Fri, 9 Nov 2018 15:17:19 +0100
Subject: [PATCH 03/11] libcli/smb: add
 smb2cli_session_require_signed_response()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661

Signed-off-by: Ralph Boehme <slow at samba.org>
---
 libcli/smb/smbXcli_base.c | 7 +++++++
 libcli/smb/smbXcli_base.h | 2 ++
 2 files changed, 9 insertions(+)

diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index 93b4c18e407..2e68dc5b630 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -161,6 +161,7 @@ struct smb2cli_session {
 	uint64_t nonce_low;
 	uint16_t channel_sequence;
 	bool replay_active;
+	bool require_signed_response;
 };
 
 struct smbXcli_session {
@@ -5721,6 +5722,12 @@ void smb2cli_session_stop_replay(struct smbXcli_session *session)
 	session->smb2->replay_active = false;
 }
 
+void smb2cli_session_require_signed_response(struct smbXcli_session *session,
+					     bool require_signed_response)
+{
+	session->smb2->require_signed_response = require_signed_response;
+}
+
 NTSTATUS smb2cli_session_update_preauth(struct smbXcli_session *session,
 					const struct iovec *iov)
 {
diff --git a/libcli/smb/smbXcli_base.h b/libcli/smb/smbXcli_base.h
index 536c7ab60f4..42c2519c7ff 100644
--- a/libcli/smb/smbXcli_base.h
+++ b/libcli/smb/smbXcli_base.h
@@ -492,6 +492,8 @@ uint16_t smb2cli_session_reset_channel_sequence(struct smbXcli_session *session,
 uint16_t smb2cli_session_current_channel_sequence(struct smbXcli_session *session);
 void smb2cli_session_start_replay(struct smbXcli_session *session);
 void smb2cli_session_stop_replay(struct smbXcli_session *session);
+void smb2cli_session_require_signed_response(struct smbXcli_session *session,
+					     bool require_signed_response);
 NTSTATUS smb2cli_session_update_preauth(struct smbXcli_session *session,
 					const struct iovec *iov);
 NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
-- 
2.17.2


From 179f826896412056a91b0c645a831cbd031e6e18 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Fri, 9 Nov 2018 15:26:44 +0100
Subject: [PATCH 04/11] libcli/smb: maintain require_signed_response in
 smbXcli_req_state

Not used for now, that comes next.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661

Signed-off-by: Ralph Boehme <slow at samba.org>
---
 libcli/smb/smbXcli_base.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index 2e68dc5b630..6872e061b08 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -290,6 +290,7 @@ struct smbXcli_req_state {
 		uint64_t encryption_session_id;
 
 		bool signing_skipped;
+		bool require_signed_response;
 		bool notify_async;
 		bool got_async;
 		uint16_t cancel_flags;
@@ -2963,6 +2964,8 @@ struct tevent_req *smb2cli_req_create(TALLOC_CTX *mem_ctx,
 
 		state->smb2.should_sign = session->smb2->should_sign;
 		state->smb2.should_encrypt = session->smb2->should_encrypt;
+		state->smb2.require_signed_response =
+			session->smb2->require_signed_response;
 
 		if (cmd == SMB2_OP_SESSSETUP &&
 		    session->smb2_channel.signing_key.length == 0 &&
-- 
2.17.2


From 2784f36076e5fcee111ff25439c9298aec1d14f0 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Sat, 10 Nov 2018 21:56:28 +0100
Subject: [PATCH 05/11] libcli/smb: defer singing check a little bit

This allows adding an additional condition to the if check where the
condition state may be modified in the "if (opcode ==
SMB2_OP_SESSSETUP)" case directly above.

No change in behaviour.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661

Signed-off-by: Ralph Boehme <slow at samba.org>
---
 libcli/smb/smbXcli_base.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index 6872e061b08..f7c1d4653cd 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -3753,12 +3753,6 @@ static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
 		}
 		last_session = session;
 
-		if (state->smb2.should_sign) {
-			if (!(flags & SMB2_HDR_FLAG_SIGNED)) {
-				return NT_STATUS_ACCESS_DENIED;
-			}
-		}
-
 		if (flags & SMB2_HDR_FLAG_SIGNED) {
 			uint64_t uid = BVAL(inhdr, SMB2_HDR_SESSION_ID);
 
@@ -3807,6 +3801,12 @@ static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
 			}
 		}
 
+		if (state->smb2.should_sign) {
+			if (!(flags & SMB2_HDR_FLAG_SIGNED)) {
+				return NT_STATUS_ACCESS_DENIED;
+			}
+		}
+
 		if (cur[0].iov_len == SMB2_TF_HDR_SIZE) {
 			const uint8_t *tf = (const uint8_t *)cur[0].iov_base;
 			uint64_t uid = BVAL(tf, SMB2_TF_SESSION_ID);
-- 
2.17.2


From 23d1d4ea3f8b937c3188bb9cafaf15b9983d9cb8 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Sat, 10 Nov 2018 22:00:04 +0100
Subject: [PATCH 06/11] libcli/smb: use require_signed_response in
 smb2cli_conn_dispatch_incoming()

This can be used by the upper layers to force checking a response is
signed. It will be used to implement verification of session setup
reauth responses in a torture test. That comes next.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661

Signed-off-by: Ralph Boehme <slow at samba.org>
---
 libcli/smb/smbXcli_base.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index f7c1d4653cd..40480c83aa0 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -3799,14 +3799,29 @@ static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
 				 */
 				signing_key = NULL;
 			}
+
+			if (!NT_STATUS_IS_OK(status)) {
+				/*
+				 * Only check the signature of the last response
+				 * of a successfull session auth. This matches
+				 * Windows behaviour for NTLM auth and reauth.
+				 */
+				state->smb2.require_signed_response = false;
+			}
 		}
 
-		if (state->smb2.should_sign) {
+		if (state->smb2.should_sign ||
+		    state->smb2.require_signed_response)
+		{
 			if (!(flags & SMB2_HDR_FLAG_SIGNED)) {
 				return NT_STATUS_ACCESS_DENIED;
 			}
 		}
 
+		if (signing_key == NULL && state->smb2.require_signed_response) {
+			signing_key = &session->smb2_channel.signing_key;
+		}
+
 		if (cur[0].iov_len == SMB2_TF_HDR_SIZE) {
 			const uint8_t *tf = (const uint8_t *)cur[0].iov_base;
 			uint64_t uid = BVAL(tf, SMB2_TF_SESSION_ID);
-- 
2.17.2


From c01a0fffbb0cf05c0d2c52499ba3dfc0240c7445 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Thu, 8 Nov 2018 15:42:46 +0100
Subject: [PATCH 07/11] s4:torture/smb2/session: invalidate credential cache

Invalidate credential cache before connecting to the server, otherwise
we will reuse the credentials from the credential cache populated by the
preceeding tests.

Also invalidate it at the end, otherwise subsequent tests might run into
problems if the credentials expire while authenticating.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661

Signed-off-by: Ralph Boehme <slow at samba.org>
---
 source4/torture/smb2/session.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/source4/torture/smb2/session.c b/source4/torture/smb2/session.c
index 7dc9ba19ee6..65cc53ba337 100644
--- a/source4/torture/smb2/session.c
+++ b/source4/torture/smb2/session.c
@@ -1073,6 +1073,8 @@ static bool test_session_expire1i(struct torture_context *tctx,
 	torture_assert_int_equal(tctx, use_kerberos, CRED_MUST_USE_KERBEROS,
 				 "please use -k yes");
 
+	cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
+
 	lpcfg_set_option(tctx->lp_ctx, "gensec_gssapi:requested_life_time=4");
 
 	lpcfg_smbcli_options(tctx->lp_ctx, &options);
@@ -1167,6 +1169,8 @@ static bool test_session_expire1i(struct torture_context *tctx,
 
 	ret = true;
 done:
+	cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
+
 	if (h1 != NULL) {
 		smb2_util_close(tree, *h1);
 	}
@@ -1236,6 +1240,8 @@ static bool test_session_expire2i(struct torture_context *tctx,
 	torture_assert_int_equal(tctx, use_kerberos, CRED_MUST_USE_KERBEROS,
 				 "please use -k yes");
 
+	cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
+
 	lpcfg_set_option(tctx->lp_ctx, "gensec_gssapi:requested_life_time=4");
 
 	lpcfg_smbcli_options(tctx->lp_ctx, &options);
@@ -1547,6 +1553,8 @@ static bool test_session_expire2i(struct torture_context *tctx,
 
 	ret = true;
 done:
+	cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
+
 	if (h1 != NULL) {
 		smb2_util_close(tree, *h1);
 	}
-- 
2.17.2


From 7b1c1cc9fd70b3db90055cef3265c4a9f81ceabe Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Fri, 9 Nov 2018 15:34:24 +0100
Subject: [PATCH 08/11] s4:torture/smb2/session: require a signed session setup
 reauth response

All existing tests using this function require signing, so currently
this passes. A subsequent commit adds a test where neither client nor
server require signing and that's where this trap will explode.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661

Signed-off-by: Ralph Boehme <slow at samba.org>
---
 source4/torture/smb2/session.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/source4/torture/smb2/session.c b/source4/torture/smb2/session.c
index 65cc53ba337..a088754ec00 100644
--- a/source4/torture/smb2/session.c
+++ b/source4/torture/smb2/session.c
@@ -1154,12 +1154,20 @@ static bool test_session_expire1i(struct torture_context *tctx,
 		 */
 		cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
 
+		if (!force_encryption) {
+			smb2cli_session_require_signed_response(
+				tree->session->smbXcli, true);
+		}
+
 		torture_comment(tctx, "reauth => OK\n");
 		status = smb2_session_setup_spnego(tree->session,
 						   credentials,
 						   0 /* previous_session_id */);
 		torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
 					"smb2_session_setup_spnego failed");
+
+		smb2cli_session_require_signed_response(
+			tree->session->smbXcli, false);
 	}
 
 	ZERO_STRUCT(qfinfo.access_information.out);
-- 
2.17.2


From c2e5c9f81090445ebb061001f00afb9aeb157f4f Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Fri, 9 Nov 2018 12:19:16 +0100
Subject: [PATCH 09/11] s4:torture/smb2/session: add force_signing to
 test_session_expire1i

Existing callers pass true, so no change in behaviour. The next commit
adds an additional test that passes force_signing=false.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661

Signed-off-by: Ralph Boehme <slow at samba.org>
---
 source4/torture/smb2/session.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/source4/torture/smb2/session.c b/source4/torture/smb2/session.c
index a088754ec00..0a0b54774e2 100644
--- a/source4/torture/smb2/session.c
+++ b/source4/torture/smb2/session.c
@@ -1047,6 +1047,7 @@ bool test_session_reauth6(struct torture_context *tctx, struct smb2_tree *tree)
 
 
 static bool test_session_expire1i(struct torture_context *tctx,
+				  bool force_signing,
 				  bool force_encryption)
 {
 	NTSTATUS status;
@@ -1078,7 +1079,9 @@ static bool test_session_expire1i(struct torture_context *tctx,
 	lpcfg_set_option(tctx->lp_ctx, "gensec_gssapi:requested_life_time=4");
 
 	lpcfg_smbcli_options(tctx->lp_ctx, &options);
-	options.signing = SMB_SIGNING_REQUIRED;
+	if (force_signing) {
+		options.signing = SMB_SIGNING_REQUIRED;
+	}
 
 	status = smb2_connect(tctx,
 			      host,
@@ -1191,12 +1194,14 @@ static bool test_session_expire1i(struct torture_context *tctx,
 static bool test_session_expire1s(struct torture_context *tctx)
 {
 	return test_session_expire1i(tctx,
+				     true,   /* force_signing */
 				     false); /* force_encryption */
 }
 
 static bool test_session_expire1e(struct torture_context *tctx)
 {
 	return test_session_expire1i(tctx,
+				     true,   /* force_signing */
 				     true); /* force_encryption */
 }
 
-- 
2.17.2


From 90e690e863d47c63446c31956392f9623a06c55d Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Fri, 9 Nov 2018 12:39:41 +0100
Subject: [PATCH 10/11] s4:torture/smb2/session: session reauth response must
 be signed

This test checks that a session setup reauth is signed even when neither
client nor server require signing.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661

Signed-off-by: Ralph Boehme <slow at samba.org>
---
 selftest/knownfail.d/samba3.smb2 | 1 +
 source4/torture/smb2/session.c   | 8 ++++++++
 2 files changed, 9 insertions(+)
 create mode 100644 selftest/knownfail.d/samba3.smb2

diff --git a/selftest/knownfail.d/samba3.smb2 b/selftest/knownfail.d/samba3.smb2
new file mode 100644
index 00000000000..7e96e6798e7
--- /dev/null
+++ b/selftest/knownfail.d/samba3.smb2
@@ -0,0 +1 @@
+^samba3.smb2.session krb5.expire1n\(ad_member\)
diff --git a/source4/torture/smb2/session.c b/source4/torture/smb2/session.c
index 0a0b54774e2..57a5addcfcc 100644
--- a/source4/torture/smb2/session.c
+++ b/source4/torture/smb2/session.c
@@ -1191,6 +1191,13 @@ static bool test_session_expire1i(struct torture_context *tctx,
 	return ret;
 }
 
+static bool test_session_expire1n(struct torture_context *tctx)
+{
+	return test_session_expire1i(tctx,
+				     false,   /* force_signing */
+				     false); /* force_encryption */
+}
+
 static bool test_session_expire1s(struct torture_context *tctx)
 {
 	return test_session_expire1i(tctx,
@@ -1742,6 +1749,7 @@ struct torture_suite *torture_smb2_session_init(TALLOC_CTX *ctx)
 	torture_suite_add_1smb2_test(suite, "reauth4", test_session_reauth4);
 	torture_suite_add_1smb2_test(suite, "reauth5", test_session_reauth5);
 	torture_suite_add_1smb2_test(suite, "reauth6", test_session_reauth6);
+	torture_suite_add_simple_test(suite, "expire1n", test_session_expire1n);
 	torture_suite_add_simple_test(suite, "expire1s", test_session_expire1s);
 	torture_suite_add_simple_test(suite, "expire1e", test_session_expire1e);
 	torture_suite_add_simple_test(suite, "expire2s", test_session_expire2s);
-- 
2.17.2


From 214e96827bffebbdc3cf2dab6bb50cdafcaa27c9 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Thu, 8 Nov 2018 17:31:41 +0100
Subject: [PATCH 11/11] s3:smb2_sesssetup: check session_info security level
 before it gets talloc_move'd

We talloc_move() session_info to session->global->auth_session_info
which sets session_info to NULL.

This means security_session_user_level(NULL, NULL) will always return
SECURITY_ANONYMOUS so we never sign the session setup response.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
---
 selftest/knownfail.d/samba3.smb2 | 1 -
 source3/smbd/smb2_sesssetup.c    | 8 ++++----
 2 files changed, 4 insertions(+), 5 deletions(-)
 delete mode 100644 selftest/knownfail.d/samba3.smb2

diff --git a/selftest/knownfail.d/samba3.smb2 b/selftest/knownfail.d/samba3.smb2
deleted file mode 100644
index 7e96e6798e7..00000000000
--- a/selftest/knownfail.d/samba3.smb2
+++ /dev/null
@@ -1 +0,0 @@
-^samba3.smb2.session krb5.expire1n\(ad_member\)
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index fe5835b83f3..5420d4f09bb 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -525,6 +525,10 @@ static NTSTATUS smbd_smb2_reauth_generic_return(struct smbXsrv_session *session,
 
 	reload_services(smb2req->sconn, conn_snum_used, true);
 
+	if (security_session_user_level(session_info, NULL) >= SECURITY_USER) {
+		smb2req->do_signing = true;
+	}
+
 	session->status = NT_STATUS_OK;
 	TALLOC_FREE(session->global->auth_session_info);
 	session->global->auth_session_info = talloc_move(session->global,
@@ -551,10 +555,6 @@ static NTSTATUS smbd_smb2_reauth_generic_return(struct smbXsrv_session *session,
 
 	conn_clear_vuid_caches(xconn->client->sconn, session->compat->vuid);
 
-	if (security_session_user_level(session_info, NULL) >= SECURITY_USER) {
-		smb2req->do_signing = true;
-	}
-
 	*out_session_id = session->global->session_wire_id;
 
 	return NT_STATUS_OK;
-- 
2.17.2



More information about the samba-technical mailing list