From 9576a99572f976ae646e564aaaf737ddb6450d57 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Thu, 12 Jun 2014 15:10:11 +0200
Subject: [PATCH 1/3] s3:smb2_server: use the global signing key to check if signing is required

If we have a channel session key, we also always have a global session key. For multi-channel it's possible that the channel session key is not in place yet, in that case the global session key needs to be used. In both cases (reauth or session bind) we session setup requests need to be signed.

Signed-off-by: Stefan Metzmacher
Reviewed-by: Michael Adam
(cherry picked from commit 7e006d11134cdc37ea0fc13110fe5bbfb9de3f14)
---
 source3/smbd/smb2_server.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index 58eddee..2a03b7c 100644
--- a/source3/smbd/smb2_server.c
+++ b/source3/smbd/smb2_server.c
@@ -1912,7 +1912,7 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 encryption_required = x->global->encryption_required;
 
 if (opcode == SMB2_OP_SESSSETUP &&
- x->global->channels[0].signing_key.length) {
+ x->global->signing_key.length > 0) {
 signing_required = true;
 }
 }
-- 
1.9.1

From d0ba463e2e815b6d25b09da382a798c1c8c32e22 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Fri, 12 Dec 2014 09:22:15 +0100
Subject: [PATCH 2/3] s3:smb2_server: allow reauthentication without signing

If signing is not required we should not require it for reauthentication. Windows clients would otherwise fail to reauthenticate.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10958

Signed-off-by: Stefan Metzmacher
Reviewed-by: Jeremy Allison
(cherry picked from commit 382019656ee164fd21455ed7d7b5e9e18bd0ca72)
---
 source3/smbd/smb2_server.c | 5 -----
 source3/smbd/smb2_sesssetup.c | 4 ++++
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index 2a03b7c..f7798fa 100644
--- a/source3/smbd/smb2_server.c
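Review bot: In patch 1/3 the new `x->global->signing_key.length > 0` test in smbd_smb2_request_dispatch has no comment saying why the global key is consulted instead of `channels[0]`; that reasoning exists only in the commit message. I would add above the condition `/* the channel key may not be in place yet for multi-channel, the global key always is */`. The same condition forces `signing_required` for every SESSSETUP on an existing session regardless of `x->global->signing_required`, which presumably also covers reauthentication from clients that did not negotiate signing, so the comment should state whether that is intended. The function body starts and ends outside the hunk.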
+++ b/source3/smbd/smb2_server.c
@@ -1910,11 +1910,6 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 if (x != NULL) {
 signing_required = x->global->signing_required;
 encryption_required = x->global->encryption_required;
-
- if (opcode == SMB2_OP_SESSSETUP &&
- x->global->signing_key.length > 0) {
- signing_required = true;
- }
 }
 
 req->do_signing = false;
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index e911945..a82d696 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -422,6 +422,10 @@ static NTSTATUS smbd_smb2_reauth_generic_return(struct smbXsrv_session *session,
 
 conn_clear_vuid_caches(conn->sconn, session->compat->vuid);
 
+ if (security_session_user_level(session_info, NULL) >= SECURITY_USER) {
+ smb2req->do_signing = true;
+ }
+
 *out_session_id = session->global->session_wire_id;
 
 return NT_STATUS_OK;
-- 
1.9.1

From 99a4dae7058aa0c0b4db18c51e123783b73373ea Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Fri, 12 Dec 2014 13:55:38 +0000
Subject: [PATCH 3/3] libcli/smb: only force signing of smb2 session setups when binding a new session

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10958

Signed-off-by: Stefan Metzmacher
Reviewed-by: Jeremy Allison
Autobuild-User(master): Jeremy Allison
Autobuild-Date(master): Fri Dec 12 23:11:40 CET 2014 on sn-devel-104
(cherry picked from commit daff0f5d709eca621a7f319c892ecaba7b03e5c2)
---
 libcli/smb/smbXcli_base.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index 0ceb1dd..7fadffa 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
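Review bot: The added `smb2req->do_signing = true` block in smbd_smb2_reauth_generic_return (smb2_sesssetup.c hunk of patch 2/3) has no comment, although after the dispatcher check is dropped in smb2_server.c it is the only visible place that ties signing to reauthentication. It signs the response for sessions at `SECURITY_USER` or above but does not require that the incoming request was signed, so on a session where `signing_required` is false an unsigned SESSSETUP for an existing session id appears to be accepted. If that is the intended Windows-compatible behaviour, record it in a comment such as `/* sign the final reauth response for authenticated users; the request only has to be signed when the session requires signing */` and cover both the signing-required and not-required cases with a test. The function starts outside the hunk, so the origin of `session_info` cannot be checked from here.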
@@ -2655,7 +2655,12 @@ struct tevent_req *smb2cli_req_create(TALLOC_CTX *mem_ctx,
 state->smb2.should_encrypt = session->smb2->should_encrypt;
 
 if (cmd == SMB2_OP_SESSSETUP &&
- session->smb2->signing_key.length != 0) {
+ session->smb2_channel.signing_key.length == 0 &&
+ session->smb2->signing_key.length != 0)
+ {
+ /*
+ * a session bind needs to be signed
+ */
 state->smb2.should_sign = true;
 }
 
-- 
1.9.1
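Review bot: The new comment `a session bind needs to be signed` in smb2cli_req_create does not say how the condition recognises a bind, which rests entirely on `session->smb2_channel.signing_key.length == 0` combined with a non-empty `session->smb2->signing_key`. I would expand it to `/* no channel key yet but a session key exists: this is a session bind and must be signed; a reauth keeps session->smb2->should_sign */`. It is also worth confirming that the channel key is only populated once the bind has completed, because any later session setup round sent after that point would fall back to `session->smb2->should_sign` and may go out unsigned. The function body continues outside the hunk.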