s3/smbd: ensure global "smb encrypt = off" is effective for share with "smb encrypt...

If encryption is disabled globally, per definition we shouldn't allow
enabling encryption on individual shares.

The behaviour of specifying

[Global]
  smb encrypt = off

[share]
  smb encrypt = desired

must be an unecrypted tree connect to the share "share".

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit b0b418c22558fa1df547df9bdac2642343ac39e1)

diff --git a/source3/smbd/smb2_tcon.c b/source3/smbd/smb2_tcon.c
index 61e2a3636d3a4535418bb14d2dc96e8c372746da..5330fc39c36dfc8c674ebdd12bdcdc6599610ab7 100644 (file)
--- a/source3/smbd/smb2_tcon.c
+++ b/source3/smbd/smb2_tcon.c
@@ -268,7 +268,8 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req,
        }
 
        if ((lp_smb_encrypt(snum) >= SMB_SIGNING_DESIRED) &&
-           (conn->smb2.client.capabilities & SMB2_CAP_ENCRYPTION)) {
+           (conn->smb2.server.cipher != 0))
+       {
                encryption_desired = true;
        }