From b4e5a04f069f73db46d1463dc8aba0cab814d2c0 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 12 Dec 2014 09:22:15 +0100 Subject: [PATCH 1/2] s3:smb2_server: allow reauthentication without signing If signing is not required we should not require it for reauthentication. Windows clients would otherwise fail to reauthenticate. Bug: https://bugzilla.samba.org/show_bug.cgi?id=10958 Signed-off-by: Stefan Metzmacher --- source3/smbd/smb2_server.c | 5 ----- source3/smbd/smb2_sesssetup.c | 4 ++++ 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c index 4a2c875..46bf6f9 100644 --- a/source3/smbd/smb2_server.c +++ b/source3/smbd/smb2_server.c @@ -1990,11 +1990,6 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req) if (x != NULL) { signing_required = x->global->signing_required; encryption_required = x->global->encryption_required; - - if (opcode == SMB2_OP_SESSSETUP && - x->global->signing_key.length > 0) { - signing_required = true; - } } req->do_signing = false; diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c index 78cafe8..2f58e44 100644 --- a/source3/smbd/smb2_sesssetup.c +++ b/source3/smbd/smb2_sesssetup.c @@ -422,6 +422,10 @@ static NTSTATUS smbd_smb2_reauth_generic_return(struct smbXsrv_session *session, conn_clear_vuid_caches(smb2req->sconn, session->compat->vuid); + if (security_session_user_level(session_info, NULL) >= SECURITY_USER) { + smb2req->do_signing = true; + } + *out_session_id = session->global->session_wire_id; return NT_STATUS_OK; -- 1.9.1 From d3578997eb0f15ab887ea955c6c99980817c4270 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 12 Dec 2014 13:55:38 +0000 Subject: [PATCH 2/2] libcli/smb: only force signing of smb2 session setups when binding a new session Bug: https://bugzilla.samba.org/show_bug.cgi?id=10958 Signed-off-by: Stefan Metzmacher --- libcli/smb/smbXcli_base.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c index a3a7ecb..8aa6020 100644 --- a/libcli/smb/smbXcli_base.c +++ b/libcli/smb/smbXcli_base.c @@ -2682,7 +2682,12 @@ struct tevent_req *smb2cli_req_create(TALLOC_CTX *mem_ctx, state->smb2.should_encrypt = session->smb2->should_encrypt; if (cmd == SMB2_OP_SESSSETUP && - session->smb2->signing_key.length != 0) { + session->smb2_channel.signing_key.length == 0 && + session->smb2->signing_key.length != 0) + { + /* + * a session bind needs to be signed + */ state->smb2.should_sign = true; } -- 1.9.1