If encryption is disabled globally, per definition we shouldn't allow
enabling encryption on individual shares.

The behaviour of setting

  [Global]
    smb encrypt = off

  [share_required]
    smb encrypt = required

  [share_desired]
    smb encrypt = desired

must be to completely deny access to the share "share_required" and an
unencrypted connection to "share_desired".

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

(cherry picked from commit 43a90cee46bb7a70f7973c4fc51eee7634e43145)
conn->short_case_preserve = lp_short_preserve_case(snum);
conn->encrypt_level = lp_smb_encrypt(snum);
+ if (conn->encrypt_level > SMB_SIGNING_OFF) {
+ if (lp_smb_encrypt(-1) == SMB_SIGNING_OFF) {
+ if (conn->encrypt_level == SMB_SIGNING_REQUIRED) {
+ DBG_ERR("Service [%s] requires encryption, but "
+ "it is disabled globally!\n",
+ lp_servicename(talloc_tos(), snum));
+ status = NT_STATUS_ACCESS_DENIED;
+ goto err_root_exit;
+ }
+ conn->encrypt_level = SMB_SIGNING_OFF;
+ }
+ }
conn->veto_list = NULL;
conn->hide_list = NULL;
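Review bot: the fallback `conn->encrypt_level = SMB_SIGNING_OFF;` at the end of the inner block silently downgrades a share whose own setting asked for encryption, while the `required` branch just above it logs with DBG_ERR. An administrator who set `smb encrypt = desired` on a share gets no hint in the log that the global `off` overrode it, so a warning-level debug message naming the service (the same `lp_servicename(talloc_tos(), snum)` argument would do) should precede that assignment. Two smaller points: the outer `if (conn->encrypt_level > SMB_SIGNING_OFF)` and the `lp_smb_encrypt(-1) == SMB_SIGNING_OFF` test directly inside it can be combined into one condition with `&&`, which removes a nesting level, and the `>` comparison of an encryption level against `SMB_SIGNING_*` values relies on the numeric order of that enum, which deserves a one-line comment here.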