From 55275d7fcf81a19e429ce8bb61655e6aa2ffed50 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 12 Jun 2014 15:10:11 +0200 Subject: [PATCH 1/3] s3:smb2_server: use the global signing key to check if signing is required If we have a channel session key, we also always have a global session key. For multi-channel it's possible that the channel session key is not in place yet, in that case the global session key needs to be used. In both cases (reauth or session bind) we session setup requests need to be signed. Signed-off-by: Stefan Metzmacher Reviewed-by: Michael Adam (cherry picked from commit 7e006d11134cdc37ea0fc13110fe5bbfb9de3f14)
---
source3/smbd/smb2_server.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index b46f994..fe58ca5 100644
--- a/source3/smbd/smb2_server.c
+++ b/source3/smbd/smb2_server.c
@@ -1912,7 +1912,7 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 encryption_required = x->global->encryption_required;
 if (opcode == SMB2_OP_SESSSETUP &&
- x->global->channels[0].signing_key.length) {
+ x->global->signing_key.length > 0) {
 signing_required = true;
 }
 }
--
1.9.1
From 187b0b3579cd4865dd23d1fd5eed6f9012b94447 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 12 Dec 2014 09:22:15 +0100 Subject: [PATCH 2/3] s3:smb2_server: allow reauthentication without signing If signing is not required we should not require it for reauthentication. Windows clients would otherwise fail to reauthenticate. Bug: https://bugzilla.samba.org/show_bug.cgi?id=10958 Signed-off-by: Stefan Metzmacher Reviewed-by: Jeremy Allison (cherry picked from commit 382019656ee164fd21455ed7d7b5e9e18bd0ca72)
---
source3/smbd/smb2_server.c | 5 ----- source3/smbd/smb2_sesssetup.c | 4 ++++ 2 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index fe58ca5..d0dec0f 100644
--- a/source3/smbd/smb2_server.c
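Review bot: The new test `x->global->signing_key.length > 0` in the [PATCH 1/3] hunk of source3/smbd/smb2_server.c has its rationale only in the commit message, so a later reader of smbd_smb2_request_dispatch cannot see why the global key rather than `channels[0]` decides whether a session setup must be signed. I would add a comment above the `if`, for example `/* a channel key may not be in place yet during a session bind; the global key exists whenever a channel key does */`. Since the branch sets `signing_required = true` for every SMB2_OP_SESSSETUP on a keyed session, independent of `x->global->signing_required`, the comment should also state that reauthentication is meant to be covered. The function body starts and ends outside the hunk.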
+++ b/source3/smbd/smb2_server.c
@@ -1910,11 +1910,6 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 if (x != NULL) {
 signing_required = x->global->signing_required;
 encryption_required = x->global->encryption_required;
-
- if (opcode == SMB2_OP_SESSSETUP &&
- x->global->signing_key.length > 0) {
- signing_required = true;
- }
 }
 req->do_signing = false;
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index e911945..a82d696 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -422,6 +422,10 @@ static NTSTATUS smbd_smb2_reauth_generic_return(struct smbXsrv_session *session,
 conn_clear_vuid_caches(conn->sconn, session->compat->vuid);
+ if (security_session_user_level(session_info, NULL) >= SECURITY_USER) {
+ smb2req->do_signing = true;
+ }
+
 *out_session_id = session->global->session_wire_id;
 return NT_STATUS_OK;
--
1.9.1
From 5cd8617142f9b74c5d740de45e812811a0b1e9ec Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 12 Dec 2014 13:55:38 +0000 Subject: [PATCH 3/3] libcli/smb: only force signing of smb2 session setups when binding a new session Bug: https://bugzilla.samba.org/show_bug.cgi?id=10958 Signed-off-by: Stefan Metzmacher Reviewed-by: Jeremy Allison Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Fri Dec 12 23:11:40 CET 2014 on sn-devel-104 (cherry picked from commit daff0f5d709eca621a7f319c892ecaba7b03e5c2)
---
libcli/smb/smbXcli_base.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index c971a6d..b799e11 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
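Review bot: In the smb2_sesssetup.c hunk of [PATCH 2/3], the added `smb2req->do_signing = true` appears to govern only how the reply is signed; nothing in the visible lines checks that the incoming reauthentication request carried a valid signature, and the smb2_server.c hunk of the same patch removes the dispatcher branch that forced signing for every SMB2_OP_SESSSETUP on a keyed session. That removal is not limited to reauthentication, while the [PATCH 1/3] message says session binds must be signed too, so it is worth confirming that the bind path (not visible here) still rejects unsigned requests. I would document the intent at the new block, e.g. `/* sign the reauth response for authenticated users; the request signature is only enforced when signing_required is set */`. Deployments that rely on integrity protection during reauthentication should configure signing as required rather than depend on this path. smbd_smb2_reauth_generic_return starts outside the hunk.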
@@ -2576,7 +2576,12 @@ struct tevent_req *smb2cli_req_create(TALLOC_CTX *mem_ctx,
 state->smb2.should_encrypt = session->smb2->should_encrypt;
 if (cmd == SMB2_OP_SESSSETUP &&
- session->smb2->signing_key.length != 0) {
+ session->smb2_channel.signing_key.length == 0 &&
+ session->smb2->signing_key.length != 0)
+ {
+ /*
+ * a session bind needs to be signed
+ */
 state->smb2.should_sign = true;
 }
--
1.9.1
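Review bot: The new condition in smb2cli_req_create recognises a session bind only indirectly, through `session->smb2_channel.signing_key.length == 0` combined with a non-empty `session->smb2->signing_key`, and the added comment does not say that this pair of lengths is what "session bind" means here. It also leaves unstated that a reauthentication on an established channel is no longer force-signed by this block, so its integrity presumably depends on whatever `should_sign` was set to above the hunk. I would expand the comment to something like `/* no channel key yet but a session key exists: this is a session bind and must be signed; reauth follows the session's should_sign */`. The function starts and ends outside the hunk, so the earlier `should_sign` assignment cannot be checked from here.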