s3/smbd: ensure global "smb encrypt = off" is effective for SMB 3.1.1 clients

If encryption is disabled globally, per definition we shouldn't allow
enabling encryption on individual shares.

The behaviour of setting

[Global]
  smb encrypt = off

[share]
  smb encrypt = required

must be to completely deny access to the share "share".

This was working correctly for clients when using SMB 3 dialects <
3.1.1, but not for 3.1.1 with a negprot encryption context.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 6ae63d42f5aacddf5b7b6dbdfbe620344989e4e5)

diff --git a/source3/smbd/smb2_negprot.c b/source3/smbd/smb2_negprot.c
index 9c03b2ca8b86158db1814aff4c7dc828dd253c8b..007be6bc1cbc5d5d445cefdae89a46808e941b7b 100644 (file)
--- a/source3/smbd/smb2_negprot.c
+++ b/source3/smbd/smb2_negprot.c
@@ -429,7 +429,7 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
                req->preauth = &req->xconn->smb2.preauth;
        }
 
-       if (in_cipher != NULL) {
+       if ((capabilities & SMB2_CAP_ENCRYPTION) && (in_cipher != NULL)) {
                size_t needed = 2;
                uint16_t cipher_count;
                const uint8_t *p;