From: Ralph Boehme
Date: Wed, 18 Jan 2017 15:19:15 +0000 (+0100)
Subject: s3/smbd: ensure global "smb encrypt = off" is effective for SMB 1 clients
X-Git-Tag: samba-4.4.10~68
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=080ce6e3fc243c98b386dfe7d5ff7e9b12814fc5;p=thirdparty%2Fsamba.git

s3/smbd: ensure global "smb encrypt = off" is effective for SMB 1 clients

If encryption is disabled globally, per definition we shouldn't allow
enabling encryption on individual shares.

The behaviour of setting

  [Global]
  smb encrypt = off

  [share_required]
  smb encrypt = required

  [share_desired]
  smb encrypt = desired

must be to completely deny access to the share "share_required" and an
unencrypted connection to "share_desired".

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520

Signed-off-by: Ralph Boehme
Reviewed-by: Jeremy Allison
(cherry picked from commit 43a90cee46bb7a70f7973c4fc51eee7634e43145)
---
diff --git a/source3/smbd/service.c b/source3/smbd/service.c index 0c70250e309..8c6d140de58 100644 --- a/source3/smbd/service.c +++ b/source3/smbd/service.c @@ -584,6 +584,18 @@ static NTSTATUS make_connection_snum(struct smbXsrv_connection *xconn, conn->short_case_preserve = lp_short_preserve_case(snum); conn->encrypt_level = lp_smb_encrypt(snum); + if (conn->encrypt_level > SMB_SIGNING_OFF) { + if (lp_smb_encrypt(-1) == SMB_SIGNING_OFF) { + if (conn->encrypt_level == SMB_SIGNING_REQUIRED) { + DBG_ERR("Service [%s] requires encryption, but " + "it is disabled globally!\n", + lp_servicename(talloc_tos(), snum)); + status = NT_STATUS_ACCESS_DENIED; + goto err_root_exit; + } + conn->encrypt_level = SMB_SIGNING_OFF; + } + } conn->veto_list = NULL; conn->hide_list = NULL;
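
Review bot: the fallback `conn->encrypt_level = SMB_SIGNING_OFF;` at the end of the inner block downgrades a share configured with "smb encrypt = desired" to no encryption without logging anything, while the "required" branch just above it reports the conflict through DBG_ERR. An administrator reading the logs cannot tell that a per-share setting was overridden by the global one. Consider a lower-severity message at that line that names the service the same way the DBG_ERR call does, via `lp_servicename(talloc_tos(), snum)`. The block would also benefit from a short comment stating that a global "off" wins over per-share settings, because the outer test `conn->encrypt_level > SMB_SIGNING_OFF` depends on the ordering of the SMB_SIGNING_* values and that is not evident from these lines. No test accompanies the change in this diff; the two share configurations listed in the commit message would make natural cases.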