smb2_sesssetup: a bind dialect mismatch should always result in INVALID_PARAMETER
authorStefan Metzmacher <metze@samba.org>
Tue, 9 Mar 2021 16:03:27 +0000 (17:03 +0100)
committerJeremy Allison <jra@samba.org>
Wed, 17 Mar 2021 00:49:32 +0000 (00:49 +0000)
The ACCESS_DENIED errors happened as we didn't expect the signing
algo to be attached to the session key. So our client calculated the
wrong signature.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14512

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
selftest/knownfail.d/smb2.session
source3/smbd/smb2_sesssetup.c

index dbb380cc435728011b2a9f08c2c1cc4be9f32af8..02ce9c07ba57c6fdc26ea17ede4632245a75850f 100644 (file)
@@ -1,4 +1,3 @@
-^samba3.smb2.session.*.bind_negative_smb2to3
 ^samba3.smb2.session.*.bind_negative_smb3encGtoC
 ^samba3.smb2.session.*.bind_different_user.ad_dc
 ^samba3.smb2.session.*.bind_invalid_auth.ad_member_idmap_rid
index f10d33a69555088fbb2829b15c38676864cb9839..c431c534b601af07640eee39ffdbd91eb9bc07b1 100644 (file)
@@ -716,6 +716,13 @@ static struct tevent_req *smbd_smb2_session_setup_send(TALLOC_CTX *mem_ctx,
                        return tevent_req_post(req, ev);
                }
 
+               if (smb2req->session->global->connection_dialect
+                   != smb2req->xconn->smb2.server.dialect)
+               {
+                       tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+                       return tevent_req_post(req, ev);
+               }
+
                status = smbXsrv_session_find_channel(smb2req->session,
                                                      smb2req->xconn,
                                                      &c);
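Review bot: The added comparison of `connection_dialect` with `smb2req->xconn->smb2.server.dialect` is now the only dialect gate visible on the bind path, because the two `< SMB2_DIALECT_REVISION_222` checks are removed in the next hunk. A bind where both sides carry the same pre-2.22 dialect therefore passes this check. smbd_smb2_session_setup_send starts and ends outside the hunk, so it is not visible here whether an earlier check already refuses binding on those dialects; that should be confirmed and covered by a test. The removed OLD/NEW result table also has no replacement, so a short comment above the new check would keep the intent on record, for example `/* A bind must use the dialect the session was created with; any mismatch is INVALID_PARAMETER. */`.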
@@ -727,31 +734,6 @@ static struct tevent_req *smbd_smb2_session_setup_send(TALLOC_CTX *mem_ctx,
                        return tevent_req_post(req, ev);
                }
 
-               /*
-                * OLD: 3.00 NEW 3.02 => INVALID_PARAMETER
-                * OLD: 3.02 NEW 3.00 => INVALID_PARAMETER
-                * OLD: 2.10 NEW 3.02 => ACCESS_DENIED
-                * OLD: 3.02 NEW 2.10 => ACCESS_DENIED
-                */
-               if (smb2req->session->global->connection_dialect
-                   < SMB2_DIALECT_REVISION_222)
-               {
-                       tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
-                       return tevent_req_post(req, ev);
-               }
-               if (smb2req->xconn->smb2.server.dialect
-                   < SMB2_DIALECT_REVISION_222)
-               {
-                       tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
-                       return tevent_req_post(req, ev);
-               }
-               if (smb2req->session->global->connection_dialect
-                   != smb2req->xconn->smb2.server.dialect)
-               {
-                       tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
-                       return tevent_req_post(req, ev);
-               }
-
                seclvl = security_session_user_level(
                                smb2req->session->global->auth_session_info,
                                NULL);