The branch, v4-1-test has been updated via d7d60d8 s3-smbd: reset protocol in smbXsrv_connection_init_tables failure paths. via 7127c60 s3:libsmb: Fix a bug in conversion of ea list to ea array. via 5f029fc smbd:trans2: treat new SMB_SIGNING_DESIRED in case via a55bed3 docs:smb.conf: explain effect of new setting 'desired' of smb encrypt via aae0423 smbd:smb2: use encryption_desired in send_break via 57c879a smbd:smb2: only enable encryption in tcon if desired via 2cad86c smbd:smb2: only enable encryption in session if desired via 3ed2fbe smbd:smb2: separate between encryption required and enc desired via 2c19c6f smbXsrv: add bools encryption_desired to session and tcon via b615fb6 Introduce setting "desired" for 'smb encrypt' and 'client/server signing' via 0b97972 smbd: Make SMB3 clients use encryption with "smb encrypt = auto" from 15b323d s4:selftest: also run rpc.winreg with kerberos and all possible auth options
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-1-test - Log ----------------------------------------------------------------- commit d7d60d837e236f2dfee873158e5df6640e17136d Author: Günther Deschner <g...@samba.org> Date: Wed Jun 10 17:07:15 2015 +0200 s3-smbd: reset protocol in smbXsrv_connection_init_tables failure paths. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11373 Guenther Pair-Programmed-With: Stefan Metzmacher <me...@samba.org> Pair-Programmed-With: Michael Adam <ob...@samba.org> Signed-off-by: Guenther Deschner <g...@samba.org> Signed-off-by: Stefan Metzmacher <me...@samba.org> Signed-off-by: Michael Adam <ob...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> Autobuild-User(v4-1-test): Karolin Seeger <ksee...@samba.org> Autobuild-Date(v4-1-test): Sun Jul 19 22:23:18 CEST 2015 on sn-devel-104 commit 7127c60daabfdb54434db0ef030f763ca650b2b4 Author: Anubhav Rakshit <anubhav.raks...@gmail.com> Date: Fri Jun 26 12:24:23 2015 +0530 s3:libsmb: Fix a bug in conversion of ea list to ea array. Bug 11361 - Reading of EA's (Extended Attributes) fails using SMB2 and above protocols Tested against Win2k12r2 server. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11361 Signed-off-by: Anubhav Rakshit <anubhav.raks...@gmail.com> Reviewed-by: Andreas Schneider <a...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> (cherry picked from commit 5af2e3eed2ac309e2491fc54e03e7b04c8b118fb) commit 5f029fc80873dba620226fc946dbe6f00a1c3cf1 Author: Michael Adam <ob...@samba.org> Date: Tue Jul 7 17:15:00 2015 +0200 smbd:trans2: treat new SMB_SIGNING_DESIRED in case BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372 Signed-off-by: Michael Adam <ob...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> (cherry picked from commit 76f8d0fbada15c9466f66a2d9961bebd1425d141) commit a55bed3f8ceccd06a6f73bbec752d9fbc7b97001 Author: Michael Adam <ob...@samba.org> Date: Tue Jun 30 17:46:36 2015 +0200 docs:smb.conf: explain effect of new setting 'desired' of smb encrypt Thereby clarify some details. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372 Signed-off-by: Michael Adam <ob...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> (cherry picked from commit 365d9d8bdfe9759ef9662d0080cf9c9a0767dbf2) commit aae0423902f5f159cb3fe7523fc8cd950635c832 Author: Michael Adam <ob...@samba.org> Date: Wed Jul 1 17:41:38 2015 +0200 smbd:smb2: use encryption_desired in send_break BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372 Signed-off-by: Michael Adam <ob...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> (cherry picked from commit 14357700fd69291995ce6adebb13e7340a63c209) commit 57c879aa568f3c5f81e5ebd167cebdefe0f55af3 Author: Michael Adam <ob...@samba.org> Date: Wed Jul 1 18:07:52 2015 +0200 smbd:smb2: only enable encryption in tcon if desired Don't enforce it but only announce DATA_ENCRYPT, making use of encryption_desired in tcon. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372 Signed-off-by: Michael Adam <ob...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> (cherry picked from commit 41cb881e775ea7eb0c59d9e0cafb6ab5531918d9) commit 2cad86cbece6a7a09755dee1e9008d0c89b342ba Author: Michael Adam <ob...@samba.org> Date: Wed Jul 1 18:07:26 2015 +0200 smbd:smb2: only enable encryption in session if desired Don't enforce it but only announce ENCRYPT_DATA, using the encryption_desired flag in session setup. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372 Signed-off-by: Michael Adam <ob...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> (cherry picked from commit fc228025d78f165815d3fa1670d51f0c27ed2091) commit 3ed2fbe74351ff13da935af355e87c28f4992415 Author: Michael Adam <ob...@samba.org> Date: Wed Jul 1 17:42:58 2015 +0200 smbd:smb2: separate between encryption required and enc desired this means we: - accept unencrypted requests if encryption only desired and not required, - but we always send encrypted responses in the desired case, not only when the request was encrypted. For this purpose, the do_encryption in the request structure is separated into was_encrypted and do_encryption. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372 Signed-off-by: Michael Adam <ob...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> (cherry picked from commit 3bb299944391633c45d87d5e8ad48c2c14428592) commit 2c19c6f4e594b1488ef38aeb84272148ef8b4b4d Author: Michael Adam <ob...@samba.org> Date: Wed Jul 1 17:34:45 2015 +0200 smbXsrv: add bools encryption_desired to session and tcon This is to indicate that we should sen the ENCRYPT_DATA flag on session or tcon replies. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372 Signed-off-by: Michael Adam <ob...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> (cherry picked from commit a3ea6dbef53e049701326497e684e1563344e6d8) commit b615fb6cc5eed3320d635f6ca06c12cd408e89a1 Author: Michael Adam <ob...@samba.org> Date: Tue Jun 30 14:16:19 2015 +0200 Introduce setting "desired" for 'smb encrypt' and 'client/server signing' This should trigger the behaviour where the server requires signing when the client supports it, but does not reject clients that don't support it. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372 Signed-off-by: Michael Adam <ob...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> (cherry picked from commit 204cbe3645c59b43175beeadad792b4a00e80da3) commit 0b97972bb1e31acbded8c8b674594441c1544269 Author: Volker Lendecke <v...@samba.org> Date: Wed Feb 25 16:59:26 2015 +0100 smbd: Make SMB3 clients use encryption with "smb encrypt = auto" Slight modification for 4.1 by Michael Adam <ob...@samba.org> (s/xconn/conn/ in smb2_sesssetup.c) BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372 Signed-off-by: Volker Lendecke <v...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> Autobuild-User(master): Volker Lendecke <v...@samba.org> Autobuild-Date(master): Tue Mar 3 10:40:42 CET 2015 on sn-devel-104 (cherry picked from commit b3385f74db54bd8a07a0be5515151b633c067da4) ----------------------------------------------------------------------- Summary of changes: docs-xml/smbdotconf/security/smbencrypt.xml | 66 ++++++++++++++++++++--------- lib/param/param_table.c | 1 + libcli/smb/smbXcli_base.c | 6 +++ libcli/smb/smb_constants.h | 1 + source3/librpc/idl/smbXsrv.idl | 2 + source3/libsmb/cli_smb2_fnum.c | 2 +- source3/smbd/globals.h | 3 ++ source3/smbd/process.c | 7 ++- source3/smbd/smb2_server.c | 22 +++++++--- source3/smbd/smb2_sesssetup.c | 8 +++- source3/smbd/smb2_tcon.c | 10 ++++- source3/smbd/trans2.c | 1 + source4/smb_server/smb2/negprot.c | 1 + 13 files changed, 101 insertions(+), 29 deletions(-) Changeset truncated at 500 lines: diff --git a/docs-xml/smbdotconf/security/smbencrypt.xml b/docs-xml/smbdotconf/security/smbencrypt.xml index 14b32c2..284fe9e 100644 --- a/docs-xml/smbdotconf/security/smbencrypt.xml +++ b/docs-xml/smbdotconf/security/smbencrypt.xml @@ -31,11 +31,15 @@ <para> This parameter can be set globally and on a per-share bases. Possible values are - <emphasis>off</emphasis> or <emphasis>disabled</emphasis>, - <emphasis>auto</emphasis> or <emphasis>enabled</emphasis>, and - <emphasis>mandatory</emphasis> or <emphasis>required</emphasis>. + <emphasis>off</emphasis> (or <emphasis>disabled</emphasis>), + <emphasis>enabled</emphasis> (or <emphasis>auto</emphasis>, or + <emphasis>if_required</emphasis>), + <emphasis>desired</emphasis>, + and + <emphasis>required</emphasis> + (or <emphasis>mandatory</emphasis>). A special value is <emphasis>default</emphasis> which is - the implicit default setting. + the implicit default setting of <emphasis>enabled</emphasis>. </para> <variablelist> @@ -104,7 +108,7 @@ <listitem> <para> The capability to perform SMB encryption can be - negotiated during prorocol negotiation. + negotiated during protocol negotiation. </para> </listitem> @@ -146,8 +150,9 @@ <itemizedlist> <listitem> <para> - Leaving it as default or explicitly setting - <emphasis>default</emphasis> globally will enable + Leaving it as default, explicitly setting + <emphasis>default</emphasis>, or setting it to + <emphasis>enabled</emphasis> globally will enable negotiation of encryption but will not turn on data encryption globally or per share. </para> @@ -155,16 +160,20 @@ <listitem> <para> - Setting it to <emphasis>enabled</emphasis> globally will - enable negotiation and turn on data encryption globally. + Setting it to <emphasis>desired</emphasis> globally + will enable negotiation and will turn on data encryption + on sessions and share connections for those clients + that support it. </para> </listitem> <listitem> <para> Setting it to <emphasis>required</emphasis> globally - will enable negotiation and enforce data encryption - globally. + will enable negotiation and turn on data encryption + on sessions and share connections. Clients that do + not support encryption will be denied access to the + server. </para> </listitem> @@ -177,9 +186,10 @@ <listitem> <para> - Setting it to <emphasis>enabled</emphasis> on a share - will turn on data encryption for this share if - negotiation has been enabled globally. + Setting it to <emphasis>desired</emphasis> on a share + will turn on data encryption for this share for clients + that support encryption if negotiation has been + enabled globally. </para> </listitem> @@ -187,16 +197,34 @@ <para> Setting it to <emphasis>required</emphasis> on a share will enforce data encryption for this share if - negotiation has been enabled globally. Note that this - allows enforcing to be controlled in Samba more - fine-grainedly than in Windows. This is a small - deviation from the MS-SMB2 protocol document. + negotiation has been enabled globally. I.e. clients that + do not support encryption will be denied access to the + share. + </para> + <para> + Note that this allows per-share enforcing to be + controlled in Samba differently from Windows: + In Windows, <emphasis>RejectUnencryptedAccess</emphasis> + is a global setting, and if it is set, all shares with + data encryption turned on + are automatically enforcing encryption. In order to + achieve the same effect in Samba, one + has to globally set <emphasis>smb encrypt</emphasis> to + <emphasis>enabled</emphasis>, and then set all shares + that should be encrypted to + <emphasis>required</emphasis>. + Additionally, it is possible in Samba to have some + shares with encryption <emphasis>required</emphasis> + and some other shares with encryption only + <emphasis>desired</emphasis>, which is not possible in + Windows. </para> </listitem> <listitem> <para> - Setting it to <emphasis>off</emphasis> for a share has + Setting it to <emphasis>off</emphasis> or + <emphasis>enabled</emphasis> for a share has no effect. </para> </listitem> diff --git a/lib/param/param_table.c b/lib/param/param_table.c index d590bd1..aa16969 100644 --- a/lib/param/param_table.c +++ b/lib/param/param_table.c @@ -101,6 +101,7 @@ static const struct enum_list enum_smb_signing_vals[] = { {SMB_SIGNING_IF_REQUIRED, "On"}, {SMB_SIGNING_IF_REQUIRED, "enabled"}, {SMB_SIGNING_IF_REQUIRED, "auto"}, + {SMB_SIGNING_DESIRED, "desired"}, {SMB_SIGNING_REQUIRED, "required"}, {SMB_SIGNING_REQUIRED, "mandatory"}, {SMB_SIGNING_REQUIRED, "force"}, diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c index 0c6a6d2..5063e59 100644 --- a/libcli/smb/smbXcli_base.c +++ b/libcli/smb/smbXcli_base.c @@ -354,6 +354,12 @@ struct smbXcli_conn *smbXcli_conn_create(TALLOC_CTX *mem_ctx, conn->desire_signing = false; conn->mandatory_signing = false; break; + case SMB_SIGNING_DESIRED: + /* if the server desires it */ + conn->allow_signing = true; + conn->desire_signing = true; + conn->mandatory_signing = false; + break; case SMB_SIGNING_REQUIRED: /* always */ conn->allow_signing = true; diff --git a/libcli/smb/smb_constants.h b/libcli/smb/smb_constants.h index 175ffaf..6dbaa28 100644 --- a/libcli/smb/smb_constants.h +++ b/libcli/smb/smb_constants.h @@ -94,6 +94,7 @@ enum smb_signing_setting { SMB_SIGNING_DEFAULT = -1, SMB_SIGNING_OFF = 0, SMB_SIGNING_IF_REQUIRED = 1, + SMB_SIGNING_DESIRED = 2, SMB_SIGNING_REQUIRED = 3, }; diff --git a/source3/librpc/idl/smbXsrv.idl b/source3/librpc/idl/smbXsrv.idl index 36710dd..43d0ecc 100644 --- a/source3/librpc/idl/smbXsrv.idl +++ b/source3/librpc/idl/smbXsrv.idl @@ -151,6 +151,7 @@ interface smbXsrv [ignore] gensec_security *gensec; [ignore] user_struct *compat; [ignore] smbXsrv_tcon_table *tcon_table; + boolean8 encryption_desired; } smbXsrv_session; typedef union { @@ -245,6 +246,7 @@ interface smbXsrv NTSTATUS status; NTTIME idle_time; [ignore] connection_struct *compat; + boolean8 encryption_desired; } smbXsrv_tcon; typedef union { diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c index aeade88..d71c6c5 100644 --- a/source3/libsmb/cli_smb2_fnum.c +++ b/source3/libsmb/cli_smb2_fnum.c @@ -2027,7 +2027,7 @@ NTSTATUS cli_smb2_get_ea_list_path(struct cli_state *cli, } ea_count = 0; for (eal = ea_list; eal; eal = eal->next) { - (*pea_array)[ea_count++] = ea_list->ea; + (*pea_array)[ea_count++] = eal->ea; } *pnum_eas = ea_count; } diff --git a/source3/smbd/globals.h b/source3/smbd/globals.h index 66358fb..93624bb 100644 --- a/source3/smbd/globals.h +++ b/source3/smbd/globals.h @@ -503,6 +503,9 @@ struct smbd_smb2_request { int current_idx; bool do_signing; + /* Was the request encrypted? */ + bool was_encrypted; + /* Should we encrypt? */ bool do_encryption; struct tevent_timer *async_te; bool compound_related; diff --git a/source3/smbd/process.c b/source3/smbd/process.c index 9d84578..4a27f2c 100644 --- a/source3/smbd/process.c +++ b/source3/smbd/process.c @@ -3292,36 +3292,41 @@ NTSTATUS smbXsrv_connection_init_tables(struct smbXsrv_connection *conn, { NTSTATUS status; - set_Protocol(protocol); conn->protocol = protocol; if (protocol >= PROTOCOL_SMB2_02) { status = smb2srv_session_table_init(conn); if (!NT_STATUS_IS_OK(status)) { + conn->protocol = PROTOCOL_NONE; return status; } status = smb2srv_open_table_init(conn); if (!NT_STATUS_IS_OK(status)) { + conn->protocol = PROTOCOL_NONE; return status; } } else { status = smb1srv_session_table_init(conn); if (!NT_STATUS_IS_OK(status)) { + conn->protocol = PROTOCOL_NONE; return status; } status = smb1srv_tcon_table_init(conn); if (!NT_STATUS_IS_OK(status)) { + conn->protocol = PROTOCOL_NONE; return status; } status = smb1srv_open_table_init(conn); if (!NT_STATUS_IS_OK(status)) { + conn->protocol = PROTOCOL_NONE; return status; } } + set_Protocol(protocol); return NT_STATUS_OK; } diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c index eed0b0e..ce39335 100644 --- a/source3/smbd/smb2_server.c +++ b/source3/smbd/smb2_server.c @@ -1862,6 +1862,7 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req) NTSTATUS return_value; struct smbXsrv_session *x = NULL; bool signing_required = false; + bool encryption_desired = false; bool encryption_required = false; inhdr = SMBD_SMB2_IN_HDR_PTR(req); @@ -1907,11 +1908,13 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req) x = req->session; if (x != NULL) { signing_required = x->global->signing_required; + encryption_desired = x->encryption_desired; encryption_required = x->global->encryption_required; } req->do_signing = false; req->do_encryption = false; + req->was_encrypted = false; if (intf_v->iov_len == SMB2_TF_HDR_SIZE) { const uint8_t *intf = SMBD_SMB2_IN_TF_PTR(req); uint64_t tf_session_id = BVAL(intf, SMB2_TF_SESSION_ID); @@ -1933,10 +1936,10 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req) NT_STATUS_ACCESS_DENIED); } - req->do_encryption = true; + req->was_encrypted = true; } - if (encryption_required && !req->do_encryption) { + if (encryption_required && !req->was_encrypted) { return smbd_smb2_request_error(req, NT_STATUS_ACCESS_DENIED); } @@ -1968,7 +1971,7 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req) req->compat_chain_fsp = NULL; } - if (req->do_encryption) { + if (req->was_encrypted) { signing_required = false; } else if (signing_required || (flags & SMB2_HDR_FLAG_SIGNED)) { DATA_BLOB signing_key; @@ -2039,15 +2042,22 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req) if (!NT_STATUS_IS_OK(status)) { return smbd_smb2_request_error(req, status); } + if (req->tcon->encryption_desired) { + encryption_desired = true; + } if (req->tcon->global->encryption_required) { encryption_required = true; } - if (encryption_required && !req->do_encryption) { + if (encryption_required && !req->was_encrypted) { return smbd_smb2_request_error(req, NT_STATUS_ACCESS_DENIED); } } + if (req->was_encrypted || encryption_desired) { + req->do_encryption = true; + } + if (call->fileid_ofs != 0) { size_t needed = call->fileid_ofs + 16; const uint8_t *body = SMBD_SMB2_IN_BODY_PTR(req); @@ -2675,12 +2685,12 @@ NTSTATUS smbd_smb2_send_oplock_break(struct smbd_server_connection *sconn, size_t body_len; uint8_t *dyn; size_t dyn_len; - bool do_encryption = session->global->encryption_required; + bool do_encryption = session->encryption_desired; uint64_t nonce_high = 0; uint64_t nonce_low = 0; NTSTATUS status; - if (tcon->global->encryption_required) { + if (tcon->encryption_desired) { do_encryption = true; } diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c index 9f34a09..bf40ab4 100644 --- a/source3/smbd/smb2_sesssetup.c +++ b/source3/smbd/smb2_sesssetup.c @@ -190,7 +190,13 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session, x->global->signing_required = true; } + if ((lp_smb_encrypt(-1) >= SMB_SIGNING_DESIRED) && + (conn->smb2.client.capabilities & SMB2_CAP_ENCRYPTION)) { + x->encryption_desired = true; + } + if (lp_smb_encrypt(-1) == SMB_SIGNING_REQUIRED) { + x->encryption_desired = true; x->global->encryption_required = true; } @@ -217,7 +223,7 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session, } } - if (x->global->encryption_required) { + if (x->encryption_desired) { *out_session_flags |= SMB2_SESSION_FLAG_ENCRYPT_DATA; } diff --git a/source3/smbd/smb2_tcon.c b/source3/smbd/smb2_tcon.c index ef2e318..014264d 100644 --- a/source3/smbd/smb2_tcon.c +++ b/source3/smbd/smb2_tcon.c @@ -185,6 +185,7 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req, connection_struct *compat_conn = NULL; struct user_struct *compat_vuser = req->session->compat; NTSTATUS status; + bool encryption_desired = req->session->encryption_desired; bool encryption_required = req->session->global->encryption_required; bool guest_session = false; @@ -236,7 +237,13 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req, return NT_STATUS_BAD_NETWORK_NAME; } + if ((lp_smb_encrypt(snum) >= SMB_SIGNING_DESIRED) && + (conn->smb2.client.capabilities & SMB2_CAP_ENCRYPTION)) { + encryption_desired = true; + } + if (lp_smb_encrypt(snum) == SMB_SIGNING_REQUIRED) { + encryption_desired = true; encryption_required = true; } @@ -265,6 +272,7 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req, return status; } + tcon->encryption_desired = encryption_desired; tcon->global->encryption_required = encryption_required; compat_conn = make_connection_smb2(req->sconn, @@ -335,7 +343,7 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req, *out_share_flags |= SMB2_SHAREFLAG_ACCESS_BASED_DIRECTORY_ENUM; } - if (encryption_required) { + if (encryption_desired) { *out_share_flags |= SMB2_SHAREFLAG_ENCRYPT_DATA; } diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c index a6a8b5d..b6109b2 100644 --- a/source3/smbd/trans2.c +++ b/source3/smbd/trans2.c @@ -3447,6 +3447,7 @@ cBytesSector=%u, cUnitTotal=%u, cUnitAvail=%d\n", (unsigned int)bsize, (unsigned case SMB_SIGNING_OFF: encrypt_caps = 0; break; + case SMB_SIGNING_DESIRED: case SMB_SIGNING_IF_REQUIRED: case SMB_SIGNING_DEFAULT: encrypt_caps = CIFS_UNIX_TRANSPORT_ENCRYPTION_CAP; diff --git a/source4/smb_server/smb2/negprot.c b/source4/smb_server/smb2/negprot.c index 83cae18..6a8f6ef 100644 --- a/source4/smb_server/smb2/negprot.c +++ b/source4/smb_server/smb2/negprot.c @@ -150,6 +150,7 @@ static NTSTATUS smb2srv_negprot_backend(struct smb2srv_request *req, struct smb2 case SMB_SIGNING_OFF: io->out.security_mode = 0; break; + case SMB_SIGNING_DESIRED: case SMB_SIGNING_IF_REQUIRED: io->out.security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED; break; -- Samba Shared Repository