The branch, v4-1-test has been updated
       via  d7d60d8 s3-smbd: reset protocol in smbXsrv_connection_init_tables failure paths.
       via  7127c60 s3:libsmb: Fix a bug in conversion of ea list to ea array.
       via  5f029fc smbd:trans2: treat new SMB_SIGNING_DESIRED in case
       via  a55bed3 docs:smb.conf: explain effect of new setting 'desired' of smb encrypt
       via  aae0423 smbd:smb2: use encryption_desired in send_break
       via  57c879a smbd:smb2: only enable encryption in tcon if desired
       via  2cad86c smbd:smb2: only enable encryption in session if desired
       via  3ed2fbe smbd:smb2: separate between encryption required and enc desired
       via  2c19c6f smbXsrv: add bools encryption_desired to session and tcon
       via  b615fb6 Introduce setting "desired" for 'smb encrypt' and 'client/server signing'
       via  0b97972 smbd: Make SMB3 clients use encryption with "smb encrypt = auto"
      from  15b323d s4:selftest: also run rpc.winreg with kerberos and all possible auth options

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-1-test


- Log -----------------------------------------------------------------
commit d7d60d837e236f2dfee873158e5df6640e17136d
Author: Günther Deschner <g...@samba.org>
Date:   Wed Jun 10 17:07:15 2015 +0200

    s3-smbd: reset protocol in smbXsrv_connection_init_tables failure paths.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11373
    
    Guenther
    
    Pair-Programmed-With: Stefan Metzmacher <me...@samba.org>
    Pair-Programmed-With: Michael Adam <ob...@samba.org>
    
    Signed-off-by: Guenther Deschner <g...@samba.org>
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Signed-off-by: Michael Adam <ob...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    
    Autobuild-User(v4-1-test): Karolin Seeger <ksee...@samba.org>
    Autobuild-Date(v4-1-test): Sun Jul 19 22:23:18 CEST 2015 on sn-devel-104

commit 7127c60daabfdb54434db0ef030f763ca650b2b4
Author: Anubhav Rakshit <anubhav.raks...@gmail.com>
Date:   Fri Jun 26 12:24:23 2015 +0530

    s3:libsmb: Fix a bug in conversion of ea list to ea array.
    
    Bug 11361 - Reading of EA's (Extended Attributes) fails using SMB2 and above
    protocols
    
    Tested against Win2k12r2 server.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11361
    
    Signed-off-by: Anubhav Rakshit <anubhav.raks...@gmail.com>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>
    (cherry picked from commit 5af2e3eed2ac309e2491fc54e03e7b04c8b118fb)

commit 5f029fc80873dba620226fc946dbe6f00a1c3cf1
Author: Michael Adam <ob...@samba.org>
Date:   Tue Jul 7 17:15:00 2015 +0200

    smbd:trans2: treat new SMB_SIGNING_DESIRED in case
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372
    
    Signed-off-by: Michael Adam <ob...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>
    (cherry picked from commit 76f8d0fbada15c9466f66a2d9961bebd1425d141)

commit a55bed3f8ceccd06a6f73bbec752d9fbc7b97001
Author: Michael Adam <ob...@samba.org>
Date:   Tue Jun 30 17:46:36 2015 +0200

    docs:smb.conf: explain effect of new setting 'desired' of smb encrypt
    
    Thereby clarify some details.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372
    
    Signed-off-by: Michael Adam <ob...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>
    (cherry picked from commit 365d9d8bdfe9759ef9662d0080cf9c9a0767dbf2)

commit aae0423902f5f159cb3fe7523fc8cd950635c832
Author: Michael Adam <ob...@samba.org>
Date:   Wed Jul 1 17:41:38 2015 +0200

    smbd:smb2: use encryption_desired in send_break
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372
    
    Signed-off-by: Michael Adam <ob...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>
    (cherry picked from commit 14357700fd69291995ce6adebb13e7340a63c209)

commit 57c879aa568f3c5f81e5ebd167cebdefe0f55af3
Author: Michael Adam <ob...@samba.org>
Date:   Wed Jul 1 18:07:52 2015 +0200

    smbd:smb2: only enable encryption in tcon if desired
    
    Don't enforce it but only announce DATA_ENCRYPT,
    making use of encryption_desired in tcon.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372
    
    Signed-off-by: Michael Adam <ob...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>
    (cherry picked from commit 41cb881e775ea7eb0c59d9e0cafb6ab5531918d9)

commit 2cad86cbece6a7a09755dee1e9008d0c89b342ba
Author: Michael Adam <ob...@samba.org>
Date:   Wed Jul 1 18:07:26 2015 +0200

    smbd:smb2: only enable encryption in session if desired
    
    Don't enforce it but only announce ENCRYPT_DATA, using the
    encryption_desired flag in session setup.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372
    
    Signed-off-by: Michael Adam <ob...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>
    (cherry picked from commit fc228025d78f165815d3fa1670d51f0c27ed2091)

commit 3ed2fbe74351ff13da935af355e87c28f4992415
Author: Michael Adam <ob...@samba.org>
Date:   Wed Jul 1 17:42:58 2015 +0200

    smbd:smb2: separate between encryption required and enc desired
    
    this means we:
    - accept unencrypted requests if encryption only desired
      and not required,
    - but we always send encrypted responses in the desired
      case, not only when the request was encrypted.
    
    For this purpose, the do_encryption in the request
    structure is separated into was_encrypted and do_encryption.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372
    
    Signed-off-by: Michael Adam <ob...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>
    (cherry picked from commit 3bb299944391633c45d87d5e8ad48c2c14428592)

commit 2c19c6f4e594b1488ef38aeb84272148ef8b4b4d
Author: Michael Adam <ob...@samba.org>
Date:   Wed Jul 1 17:34:45 2015 +0200

    smbXsrv: add bools encryption_desired to session and tcon
    
    This is to indicate that we should send the ENCRYPT_DATA
    flag on session or tcon replies.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372
    
    Signed-off-by: Michael Adam <ob...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>
    (cherry picked from commit a3ea6dbef53e049701326497e684e1563344e6d8)

commit b615fb6cc5eed3320d635f6ca06c12cd408e89a1
Author: Michael Adam <ob...@samba.org>
Date:   Tue Jun 30 14:16:19 2015 +0200

    Introduce setting "desired" for 'smb encrypt' and 'client/server signing'
    
    This should trigger the behaviour where the server requires
    signing when the client supports it, but does not reject
    clients that don't support it.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372
    
    Signed-off-by: Michael Adam <ob...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>
    (cherry picked from commit 204cbe3645c59b43175beeadad792b4a00e80da3)

commit 0b97972bb1e31acbded8c8b674594441c1544269
Author: Volker Lendecke <v...@samba.org>
Date:   Wed Feb 25 16:59:26 2015 +0100

    smbd: Make SMB3 clients use encryption with "smb encrypt = auto"
    
    Slight modification for 4.1 by Michael Adam <ob...@samba.org>
    (s/xconn/conn/ in smb2_sesssetup.c)
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    
    Autobuild-User(master): Volker Lendecke <v...@samba.org>
    Autobuild-Date(master): Tue Mar  3 10:40:42 CET 2015 on sn-devel-104
    
    (cherry picked from commit b3385f74db54bd8a07a0be5515151b633c067da4)

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/smbdotconf/security/smbencrypt.xml | 66 ++++++++++++++++++++---------
 lib/param/param_table.c                     |  1 +
 libcli/smb/smbXcli_base.c                   |  6 +++
 libcli/smb/smb_constants.h                  |  1 +
 source3/librpc/idl/smbXsrv.idl              |  2 +
 source3/libsmb/cli_smb2_fnum.c              |  2 +-
 source3/smbd/globals.h                      |  3 ++
 source3/smbd/process.c                      |  7 ++-
 source3/smbd/smb2_server.c                  | 22 +++++++---
 source3/smbd/smb2_sesssetup.c               |  8 +++-
 source3/smbd/smb2_tcon.c                    | 10 ++++-
 source3/smbd/trans2.c                       |  1 +
 source4/smb_server/smb2/negprot.c           |  1 +
 13 files changed, 101 insertions(+), 29 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/smbdotconf/security/smbencrypt.xml 
b/docs-xml/smbdotconf/security/smbencrypt.xml
index 14b32c2..284fe9e 100644
--- a/docs-xml/smbdotconf/security/smbencrypt.xml
+++ b/docs-xml/smbdotconf/security/smbencrypt.xml
@@ -31,11 +31,15 @@
        <para>
                This parameter can be set globally and on a per-share bases.
                Possible values are
-               <emphasis>off</emphasis> or <emphasis>disabled</emphasis>,
-               <emphasis>auto</emphasis> or <emphasis>enabled</emphasis>, and
-               <emphasis>mandatory</emphasis> or <emphasis>required</emphasis>.
+               <emphasis>off</emphasis> (or <emphasis>disabled</emphasis>),
+               <emphasis>enabled</emphasis> (or <emphasis>auto</emphasis>, or
+               <emphasis>if_required</emphasis>),
+               <emphasis>desired</emphasis>,
+               and
+               <emphasis>required</emphasis>
+               (or <emphasis>mandatory</emphasis>).
                A special value is <emphasis>default</emphasis> which is
-               the implicit default setting.
+               the implicit default setting of <emphasis>enabled</emphasis>.
        </para>
 
        <variablelist>
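Review bot: the unchanged context line "This parameter can be set globally and on a per-share bases." at the top of this hunk still carries a typo ("bases" for "basis"). This commit already corrects "prorocol" in a later hunk of the same file, so fix this one in the same pass.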
@@ -104,7 +108,7 @@
                        <listitem>
                        <para>
                        The capability to perform SMB encryption can be
-                       negotiated during prorocol negotiation.
+                       negotiated during protocol negotiation.
                        </para>
                        </listitem>
 
@@ -146,8 +150,9 @@
                <itemizedlist>
                        <listitem>
                        <para>
-                       Leaving it as default or explicitly setting
-                       <emphasis>default</emphasis> globally will enable
+                       Leaving it as default, explicitly setting
+                       <emphasis>default</emphasis>, or setting it to
+                       <emphasis>enabled</emphasis> globally will enable
                        negotiation of encryption but will not turn on
                        data encryption globally or per share.
                        </para>
@@ -155,16 +160,20 @@
 
                        <listitem>
                        <para>
-                       Setting it to <emphasis>enabled</emphasis> globally will
-                       enable negotiation and turn on data encryption globally.
+                       Setting it to <emphasis>desired</emphasis> globally
+                       will enable negotiation and will turn on data encryption
+                       on sessions and share connections for those clients
+                       that support it.
                        </para>
                        </listitem>
 
                        <listitem>
                        <para>
                        Setting it to <emphasis>required</emphasis> globally
-                       will enable negotiation and enforce data encryption
-                       globally.
+                       will enable negotiation and turn on data encryption
+                       on sessions and share connections. Clients that do
+                       not support encryption will be denied access to the
+                       server.
                        </para>
                        </listitem>
 
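Review bot: the new "desired" paragraph says data encryption is turned on "for those clients that support it", which reads as if capable clients were held to encryption. The dispatch change in smb2_server.c rejects unencrypted requests only when encryption_required is set, so with "desired" an unencrypted request from a capable client is still accepted. State that here, and point readers who need protection against an on-path downgrade to "required".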
@@ -177,9 +186,10 @@
 
                        <listitem>
                        <para>
-                       Setting it to <emphasis>enabled</emphasis> on a share
-                       will turn on data encryption for this share if
-                       negotiation has been enabled globally.
+                       Setting it to <emphasis>desired</emphasis> on a share
+                       will turn on data encryption for this share for clients
+                       that support encryption if negotiation has been
+                       enabled globally.
                        </para>
                        </listitem>
 
@@ -187,16 +197,34 @@
                        <para>
                        Setting it to <emphasis>required</emphasis> on a share
                        will enforce data encryption for this share if
-                       negotiation has been enabled globally. Note that this
-                       allows enforcing to be controlled in Samba more
-                       fine-grainedly than in Windows.  This is a small
-                       deviation from the MS-SMB2 protocol document.
+                       negotiation has been enabled globally. I.e. clients that
+                       do not support encryption will be denied access to the
+                       share.
+                       </para>
+                       <para>
+                       Note that this allows per-share enforcing to be
+                       controlled in Samba differently from Windows:
+                       In Windows, <emphasis>RejectUnencryptedAccess</emphasis>
+                       is a global setting, and if it is set, all shares with
+                       data encryption turned on
+                       are automatically enforcing encryption. In order to
+                       achieve the same effect in Samba, one
+                       has to globally set <emphasis>smb encrypt</emphasis> to
+                       <emphasis>enabled</emphasis>, and then set all shares
+                       that should be encrypted to
+                       <emphasis>required</emphasis>.
+                       Additionally, it is possible in Samba to have some
+                       shares with encryption <emphasis>required</emphasis>
+                       and some other shares with encryption only
+                       <emphasis>desired</emphasis>, which is not possible in
+                       Windows.
                        </para>
                        </listitem>
 
                        <listitem>
                        <para>
-                       Setting it to <emphasis>off</emphasis> for a share has
+                       Setting it to <emphasis>off</emphasis> or
+                       <emphasis>enabled</emphasis> for a share has
                        no effect.
                        </para>
                        </listitem>
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index d590bd1..aa16969 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -101,6 +101,7 @@ static const struct enum_list enum_smb_signing_vals[] = {
        {SMB_SIGNING_IF_REQUIRED, "On"},
        {SMB_SIGNING_IF_REQUIRED, "enabled"},
        {SMB_SIGNING_IF_REQUIRED, "auto"},
+       {SMB_SIGNING_DESIRED, "desired"},
        {SMB_SIGNING_REQUIRED, "required"},
        {SMB_SIGNING_REQUIRED, "mandatory"},
        {SMB_SIGNING_REQUIRED, "force"},
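Review bot: enum_smb_signing_vals is the value table for the signing parameters, so this line makes "desired" a valid value for 'client signing' and 'server signing' as well, yet the only documentation file in the summary of changes is smbencrypt.xml. Add the new value to the signing parameter documentation, or say in the commit message that it follows separately.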
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index 0c6a6d2..5063e59 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -354,6 +354,12 @@ struct smbXcli_conn *smbXcli_conn_create(TALLOC_CTX 
*mem_ctx,
                conn->desire_signing = false;
                conn->mandatory_signing = false;
                break;
+       case SMB_SIGNING_DESIRED:
+               /* if the server desires it */
+               conn->allow_signing = true;
+               conn->desire_signing = true;
+               conn->mandatory_signing = false;
+               break;
        case SMB_SIGNING_REQUIRED:
                /* always */
                conn->allow_signing = true;
diff --git a/libcli/smb/smb_constants.h b/libcli/smb/smb_constants.h
index 175ffaf..6dbaa28 100644
--- a/libcli/smb/smb_constants.h
+++ b/libcli/smb/smb_constants.h
@@ -94,6 +94,7 @@ enum smb_signing_setting {
        SMB_SIGNING_DEFAULT = -1,
        SMB_SIGNING_OFF = 0,
        SMB_SIGNING_IF_REQUIRED = 1,
+       SMB_SIGNING_DESIRED = 2,
        SMB_SIGNING_REQUIRED = 3,
 };
 
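Review bot: the numeric order of enum smb_signing_setting becomes part of the logic with this value, because the new checks in smb2_sesssetup.c and smb2_tcon.c test lp_smb_encrypt(...) >= SMB_SIGNING_DESIRED. Add a comment on the enum stating that the values must stay ordered by strictness, so a later insertion does not silently change which settings count as "desired or stronger".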
diff --git a/source3/librpc/idl/smbXsrv.idl b/source3/librpc/idl/smbXsrv.idl
index 36710dd..43d0ecc 100644
--- a/source3/librpc/idl/smbXsrv.idl
+++ b/source3/librpc/idl/smbXsrv.idl
@@ -151,6 +151,7 @@ interface smbXsrv
                [ignore] gensec_security                *gensec;
                [ignore] user_struct                    *compat;
                [ignore] smbXsrv_tcon_table             *tcon_table;
+               boolean8                                encryption_desired;
        } smbXsrv_session;
 
        typedef union {
@@ -245,6 +246,7 @@ interface smbXsrv
                NTSTATUS                                status;
                NTTIME                                  idle_time;
                [ignore] connection_struct              *compat;
+               boolean8                                encryption_desired;
        } smbXsrv_tcon;
 
        typedef union {
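Review bot: encryption_desired is added to the local smbXsrv_session and smbXsrv_tcon structures, while the encryption_required flag it is paired with throughout this patch is read from ->global. Neither IDL hunk says why the two flags live at different levels. A one-line comment on each new field (what sets it, and that it is local state) would save the next reader from guessing.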
diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c
index aeade88..d71c6c5 100644
--- a/source3/libsmb/cli_smb2_fnum.c
+++ b/source3/libsmb/cli_smb2_fnum.c
@@ -2027,7 +2027,7 @@ NTSTATUS cli_smb2_get_ea_list_path(struct cli_state *cli,
                }
                ea_count = 0;
                for (eal = ea_list; eal; eal = eal->next) {
-                       (*pea_array)[ea_count++] = ea_list->ea;
+                       (*pea_array)[ea_count++] = eal->ea;
                }
                *pnum_eas = ea_count;
        }
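Review bot: no test accompanies this fix; the summary of changes touches no test files. The old line copied ea_list->ea into every slot, so a file with a single EA still returned correct data and only two or more distinct EAs expose the bug. A regression test that sets at least two EAs with different names and reads them back over SMB2 would pin the behaviour down.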
diff --git a/source3/smbd/globals.h b/source3/smbd/globals.h
index 66358fb..93624bb 100644
--- a/source3/smbd/globals.h
+++ b/source3/smbd/globals.h
@@ -503,6 +503,9 @@ struct smbd_smb2_request {
 
        int current_idx;
        bool do_signing;
+       /* Was the request encrypted? */
+       bool was_encrypted;
+       /* Should we encrypt? */
        bool do_encryption;
        struct tevent_timer *async_te;
        bool compound_related;
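Review bot: the comment "Should we encrypt?" on do_encryption does not say what is encrypted. With was_encrypted now describing the request, do_encryption describes the response, so "Should we encrypt the response?" would be unambiguous.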
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index 9d84578..4a27f2c 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -3292,36 +3292,41 @@ NTSTATUS smbXsrv_connection_init_tables(struct 
smbXsrv_connection *conn,
 {
        NTSTATUS status;
 
-       set_Protocol(protocol);
        conn->protocol = protocol;
 
        if (protocol >= PROTOCOL_SMB2_02) {
                status = smb2srv_session_table_init(conn);
                if (!NT_STATUS_IS_OK(status)) {
+                       conn->protocol = PROTOCOL_NONE;
                        return status;
                }
 
                status = smb2srv_open_table_init(conn);
                if (!NT_STATUS_IS_OK(status)) {
+                       conn->protocol = PROTOCOL_NONE;
                        return status;
                }
        } else {
                status = smb1srv_session_table_init(conn);
                if (!NT_STATUS_IS_OK(status)) {
+                       conn->protocol = PROTOCOL_NONE;
                        return status;
                }
 
                status = smb1srv_tcon_table_init(conn);
                if (!NT_STATUS_IS_OK(status)) {
+                       conn->protocol = PROTOCOL_NONE;
                        return status;
                }
 
                status = smb1srv_open_table_init(conn);
                if (!NT_STATUS_IS_OK(status)) {
+                       conn->protocol = PROTOCOL_NONE;
                        return status;
                }
        }
 
+       set_Protocol(protocol);
        return NT_STATUS_OK;
 }
 
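Review bot: "conn->protocol = PROTOCOL_NONE;" is repeated in all five failure branches, so a table init added later can easily miss the reset. Either assign conn->protocol next to set_Protocol(protocol) once the tables are set up (if the init functions do not read it), or route the failures through one label that resets it. A short comment on why set_Protocol() moved to the success path would also help, since the commit message gives only the bug link.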
diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index eed0b0e..ce39335 100644
--- a/source3/smbd/smb2_server.c
+++ b/source3/smbd/smb2_server.c
@@ -1862,6 +1862,7 @@ NTSTATUS smbd_smb2_request_dispatch(struct 
smbd_smb2_request *req)
        NTSTATUS return_value;
        struct smbXsrv_session *x = NULL;
        bool signing_required = false;
+       bool encryption_desired = false;
        bool encryption_required = false;
 
        inhdr = SMBD_SMB2_IN_HDR_PTR(req);
@@ -1907,11 +1908,13 @@ NTSTATUS smbd_smb2_request_dispatch(struct 
smbd_smb2_request *req)
        x = req->session;
        if (x != NULL) {
                signing_required = x->global->signing_required;
+               encryption_desired = x->encryption_desired;
                encryption_required = x->global->encryption_required;
        }
 
        req->do_signing = false;
        req->do_encryption = false;
+       req->was_encrypted = false;
        if (intf_v->iov_len == SMB2_TF_HDR_SIZE) {
                const uint8_t *intf = SMBD_SMB2_IN_TF_PTR(req);
                uint64_t tf_session_id = BVAL(intf, SMB2_TF_SESSION_ID);
@@ -1933,10 +1936,10 @@ NTSTATUS smbd_smb2_request_dispatch(struct 
smbd_smb2_request *req)
                                        NT_STATUS_ACCESS_DENIED);
                }
 
-               req->do_encryption = true;
+               req->was_encrypted = true;
        }
 
-       if (encryption_required && !req->do_encryption) {
+       if (encryption_required && !req->was_encrypted) {
                return smbd_smb2_request_error(req,
                                NT_STATUS_ACCESS_DENIED);
        }
@@ -1968,7 +1971,7 @@ NTSTATUS smbd_smb2_request_dispatch(struct 
smbd_smb2_request *req)
                req->compat_chain_fsp = NULL;
        }
 
-       if (req->do_encryption) {
+       if (req->was_encrypted) {
                signing_required = false;
        } else if (signing_required || (flags & SMB2_HDR_FLAG_SIGNED)) {
                DATA_BLOB signing_key;
@@ -2039,15 +2042,22 @@ NTSTATUS smbd_smb2_request_dispatch(struct 
smbd_smb2_request *req)
                if (!NT_STATUS_IS_OK(status)) {
                        return smbd_smb2_request_error(req, status);
                }
+               if (req->tcon->encryption_desired) {
+                       encryption_desired = true;
+               }
                if (req->tcon->global->encryption_required) {
                        encryption_required = true;
                }
-               if (encryption_required && !req->do_encryption) {
+               if (encryption_required && !req->was_encrypted) {
                        return smbd_smb2_request_error(req,
                                NT_STATUS_ACCESS_DENIED);
                }
        }
 
+       if (req->was_encrypted || encryption_desired) {
+               req->do_encryption = true;
+       }
+
        if (call->fileid_ofs != 0) {
                size_t needed = call->fileid_ofs + 16;
                const uint8_t *body = SMBD_SMB2_IN_BODY_PTR(req);
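Review bot: req->do_encryption is now set only at the end of this hunk, but the request can fail earlier: the tcon check just above returns smbd_smb2_request_error(req, status), and the signing checks come before that. Before this patch do_encryption was set to true as soon as the transform header had been validated, so error replies to an encrypted request were marked for encryption; now they leave with do_encryption still false. Please confirm that is intended, or set do_encryption from was_encrypted at the point where was_encrypted is set and add only the desired case here.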
@@ -2675,12 +2685,12 @@ NTSTATUS smbd_smb2_send_oplock_break(struct 
smbd_server_connection *sconn,
        size_t body_len;
        uint8_t *dyn;
        size_t dyn_len;
-       bool do_encryption = session->global->encryption_required;
+       bool do_encryption = session->encryption_desired;
        uint64_t nonce_high = 0;
        uint64_t nonce_low = 0;
        NTSTATUS status;
 
-       if (tcon->global->encryption_required) {
+       if (tcon->encryption_desired) {
                do_encryption = true;
        }
 
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index 9f34a09..bf40ab4 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -190,7 +190,13 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct 
smbXsrv_session *session,
                x->global->signing_required = true;
        }
 
+       if ((lp_smb_encrypt(-1) >= SMB_SIGNING_DESIRED) &&
+           (conn->smb2.client.capabilities & SMB2_CAP_ENCRYPTION)) {
+               x->encryption_desired = true;
+       }
+
        if (lp_smb_encrypt(-1) == SMB_SIGNING_REQUIRED) {
+               x->encryption_desired = true;
                x->global->encryption_required = true;
        }
 
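Review bot: in the SMB_SIGNING_REQUIRED branch encryption_desired is set without the SMB2_CAP_ENCRYPTION test that guards it in the block directly above, so a client that did not announce the capability still gets a session marked for encryption. That matches the documented "clients that do not support encryption will be denied access", but it is not obvious from the code. Add a comment saying that required deliberately ignores the client capability and that the rejection happens later, in request dispatch.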
@@ -217,7 +223,7 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct 
smbXsrv_session *session,
                }
        }
 
-       if (x->global->encryption_required) {
+       if (x->encryption_desired) {
                *out_session_flags |= SMB2_SESSION_FLAG_ENCRYPT_DATA;
        }
 
diff --git a/source3/smbd/smb2_tcon.c b/source3/smbd/smb2_tcon.c
index ef2e318..014264d 100644
--- a/source3/smbd/smb2_tcon.c
+++ b/source3/smbd/smb2_tcon.c
@@ -185,6 +185,7 @@ static NTSTATUS smbd_smb2_tree_connect(struct 
smbd_smb2_request *req,
        connection_struct *compat_conn = NULL;
        struct user_struct *compat_vuser = req->session->compat;
        NTSTATUS status;
+       bool encryption_desired = req->session->encryption_desired;
        bool encryption_required = req->session->global->encryption_required;
        bool guest_session = false;
 
@@ -236,7 +237,13 @@ static NTSTATUS smbd_smb2_tree_connect(struct 
smbd_smb2_request *req,
                return NT_STATUS_BAD_NETWORK_NAME;
        }
 
+       if ((lp_smb_encrypt(snum) >= SMB_SIGNING_DESIRED) &&
+           (conn->smb2.client.capabilities & SMB2_CAP_ENCRYPTION)) {
+               encryption_desired = true;
+       }
+
        if (lp_smb_encrypt(snum) == SMB_SIGNING_REQUIRED) {
+               encryption_desired = true;
                encryption_required = true;
        }
 
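Review bot: this block duplicates the desired/required decision from smbd_smb2_auth_generic_return() with only the lp_smb_encrypt() argument changed (snum instead of -1). A small helper that takes the setting and the client capabilities and returns both flags would keep the two sites from drifting. It would also be the natural place to document the invariant that required implies desired, which smbd_smb2_send_oplock_break() now depends on.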
@@ -265,6 +272,7 @@ static NTSTATUS smbd_smb2_tree_connect(struct 
smbd_smb2_request *req,
                return status;
        }
 
+       tcon->encryption_desired = encryption_desired;
        tcon->global->encryption_required = encryption_required;
 
        compat_conn = make_connection_smb2(req->sconn,
@@ -335,7 +343,7 @@ static NTSTATUS smbd_smb2_tree_connect(struct 
smbd_smb2_request *req,
                *out_share_flags |= SMB2_SHAREFLAG_ACCESS_BASED_DIRECTORY_ENUM;
        }
 
-       if (encryption_required) {
+       if (encryption_desired) {
                *out_share_flags |= SMB2_SHAREFLAG_ENCRYPT_DATA;
        }
 
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index a6a8b5d..b6109b2 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -3447,6 +3447,7 @@ cBytesSector=%u, cUnitTotal=%u, cUnitAvail=%d\n", 
(unsigned int)bsize, (unsigned
                        case SMB_SIGNING_OFF:
                                encrypt_caps = 0;
                                break;
+                       case SMB_SIGNING_DESIRED:
                        case SMB_SIGNING_IF_REQUIRED:
                        case SMB_SIGNING_DEFAULT:
                                encrypt_caps = 
CIFS_UNIX_TRANSPORT_ENCRYPTION_CAP;
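Review bot: SMB_SIGNING_DESIRED is grouped with SMB_SIGNING_IF_REQUIRED and SMB_SIGNING_DEFAULT here, so on this code path "desired" announces the same encrypt_caps as "enabled" and has no stronger effect. If that is intentional, say so in a comment at the case label and in smbencrypt.xml, so administrators do not assume "desired" changes anything for clients using the CIFS UNIX transport encryption capability.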
diff --git a/source4/smb_server/smb2/negprot.c 
b/source4/smb_server/smb2/negprot.c
index 83cae18..6a8f6ef 100644
--- a/source4/smb_server/smb2/negprot.c
+++ b/source4/smb_server/smb2/negprot.c
@@ -150,6 +150,7 @@ static NTSTATUS smb2srv_negprot_backend(struct 
smb2srv_request *req, struct smb2
        case SMB_SIGNING_OFF:
                io->out.security_mode = 0;
                break;
+       case SMB_SIGNING_DESIRED:
        case SMB_SIGNING_IF_REQUIRED:
                io->out.security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED;
                break;
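Review bot: the source4 server treats SMB_SIGNING_DESIRED exactly like SMB_SIGNING_IF_REQUIRED and announces only SMB2_NEGOTIATE_SIGNING_ENABLED. The commit introducing the setting describes "desired" as the server requiring signing when the client supports it, which this case label does not do. Add a comment that the distinction is not implemented here, or handle the value separately.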


-- 
Samba Shared Repository
