From 1b90bf2db890a12868730fdcedaafb7a0145b15c Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 12 Dec 2014 09:22:15 +0100
Subject: [PATCH 1/2] s3:smb2_server: allow reauthentication without signing

If signing is not required we should not require it for reauthentication.
Windows clients would otherwise fail to reauthenticate.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10958

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 382019656ee164fd21455ed7d7b5e9e18bd0ca72)
---
 source3/smbd/smb2_server.c    | 5 -----
 source3/smbd/smb2_sesssetup.c | 4 ++++
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index 31ec70b..39155b8 100644
--- a/source3/smbd/smb2_server.c
+++ b/source3/smbd/smb2_server.c
@@ -1987,11 +1987,6 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 	if (x != NULL) {
 		signing_required = x->global->signing_required;
 		encryption_required = x->global->encryption_required;
-
-		if (opcode == SMB2_OP_SESSSETUP &&
-		    x->global->signing_key.length > 0) {
-			signing_required = true;
-		}
 	}
 
 	req->do_signing = false;
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index 366ca58..57f623a 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -422,6 +422,10 @@ static NTSTATUS smbd_smb2_reauth_generic_return(struct smbXsrv_session *session,
 
 	conn_clear_vuid_caches(smb2req->sconn, session->compat->vuid);
 
+	if (security_session_user_level(session_info, NULL) >= SECURITY_USER) {
+		smb2req->do_signing = true;
+	}
+
 	*out_session_id = session->global->session_wire_id;
 
 	return NT_STATUS_OK;
-- 
1.9.1


From b38f6e44605d8d5c5252407dfc3ee9ee37feeeb2 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 12 Dec 2014 13:55:38 +0000
Subject: [PATCH 2/2] libcli/smb: only force signing of smb2 session setups
 when binding a new session

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10958

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Dec 12 23:11:40 CET 2014 on sn-devel-104

(cherry picked from commit daff0f5d709eca621a7f319c892ecaba7b03e5c2)
---
 libcli/smb/smbXcli_base.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index e0c5ff9..2fe6a5a 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -2677,7 +2677,12 @@ struct tevent_req *smb2cli_req_create(TALLOC_CTX *mem_ctx,
 		state->smb2.should_encrypt = session->smb2->should_encrypt;
 
 		if (cmd == SMB2_OP_SESSSETUP &&
-		    session->smb2->signing_key.length != 0) {
+		    session->smb2_channel.signing_key.length == 0 &&
+		    session->smb2->signing_key.length != 0)
+		{
+			/*
+			 * a session bind needs to be signed
+			 */
 			state->smb2.should_sign = true;
 		}
 
-- 
1.9.1