uint32_t *out_maximal_access,
uint32_t *out_tree_id)
{
+ struct smbXsrv_connection *conn = req->sconn->conn;
const char *share = in_path;
char *service = NULL;
int snum = -1;
connection_struct *compat_conn = NULL;
struct user_struct *compat_vuser = req->session->compat;
NTSTATUS status;
+ bool encryption_required = req->session->global->encryption_required;
+ bool guest_session = false;
if (strncmp(share, "\\\\", 2) == 0) {
const char *p = strchr(share+2, '\\');
}
if (lp_smb_encrypt(snum) == SMB_SIGNING_REQUIRED) {
- status = NT_STATUS_ACCESS_DENIED;
- DEBUG(3,("smbd_smb2_tree_connect: "
- "service %s needs encryption - %s\n",
- service, nt_errstr(status)));
- return status;
+ encryption_required = true;
+ }
+
+ if (security_session_user_level(compat_vuser->session_info, NULL) < SECURITY_USER) {
+ guest_session = true;
+ }
+
+ if (guest_session && encryption_required) {
+ DEBUG(1,("reject guest as encryption is required for service %s\n",
+ service));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ if (!(conn->smb2.server.capabilities & SMB2_CAP_ENCRYPTION)) {
+ if (encryption_required) {
+ DEBUG(1,("reject tcon with dialect[0x%04X] "
+ "as encryption is required for service %s\n",
+ conn->smb2.server.dialect, service));
+ return NT_STATUS_ACCESS_DENIED;
+ }
}
/* create a new tcon as child of the session */
return status;
}
+ tcon->global->encryption_required = encryption_required;
+
compat_conn = make_connection_smb2(req->sconn,
tcon, snum,
req->session->compat,
*out_share_flags |= SMB2_SHAREFLAG_ACCESS_BASED_DIRECTORY_ENUM;
}
+ if (encryption_required) {
+ *out_share_flags |= SMB2_SHAREFLAG_ENCRYPT_DATA;
+ }
+
*out_maximal_access = tcon->compat->share_access;
*out_tree_id = tcon->global->tcon_wire_id;
projects / thirdparty / samba.git / commitdiff
