Fix bug #9222 - smbd ignores the "server signing = no" setting for SMB2.

Still sign if client request is signed, just don't negotiate it in
negprot or sessionsetup.

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Oct  3 00:59:42 CEST 2012 on sn-devel-104

diff --git a/source3/smbd/smb2_negprot.c b/source3/smbd/smb2_negprot.c
index 6adc5819ecd92f5c3a249f87b294343246cbffe8..826e0d1d2a248b9570482814a9f2e0d630ac8721 100644 (file)
--- a/source3/smbd/smb2_negprot.c
+++ b/source3/smbd/smb2_negprot.c
@@ -92,7 +92,7 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
        DATA_BLOB security_buffer;
        size_t expected_dyn_size = 0;
        size_t c;
-       uint16_t security_mode;
+       uint16_t security_mode = 0;
        uint16_t dialect_count;
        uint16_t in_security_mode;
        uint32_t in_capabilities;
@@ -244,9 +244,11 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
                return smbd_smb2_request_error(req, NT_STATUS_INTERNAL_ERROR);
        }
 
-       security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED;
-       if (lp_server_signing() == SMB_SIGNING_REQUIRED) {
-               security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
+       if (lp_server_signing() != SMB_SIGNING_OFF) {
+               security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED;
+               if (lp_server_signing() == SMB_SIGNING_REQUIRED) {
+                       security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
+               }
        }
 
        capabilities = 0;

diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index 2599d2a63dabf713fe709f699018866c6ef4a38f..8bdfd49644dfe2ae3f9b0d5a1658688054e34d7f 100644 (file)
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -185,6 +185,12 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
        struct smbXsrv_session *x = session;
        struct smbXsrv_connection *conn = session->connection;
 
+       if ((lp_server_signing() == SMB_SIGNING_OFF) &&
+                       (in_security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED)) {
+               DEBUG(0,("SMB2 signing required and we have disabled it.\n"));
+               return NT_STATUS_ACCESS_DENIED;
+       }
+
        if ((in_security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) ||
            lp_server_signing() == SMB_SIGNING_REQUIRED) {
                x->global->signing_required = true;