From e698fcf1dcc35d75d8ec2cc6804d818c21e709c5 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Mon, 11 Sep 2017 16:36:47 -0700
Subject: [PATCH] libcli: SMB2: NetApps negotiate SMB3_11 but also set the SMB2_CAP_ENCRYPTION flag.

This is a SHOULD not, not a MUST not.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13009

Signed-off-by: Jeremy Allison
---
 libcli/smb/smbXcli_base.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index d73949b90d7..54939546d0e 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -4916,10 +4916,19 @@ static void smbXcli_negprot_smb2_done(struct tevent_req *subreq)
 return;
 }
 
+ /*
+ * Here we are now at SMB3_11, so encryption should be
+ * negotiated via context, not capabilities.
+ */
+
 if (conn->smb2.server.capabilities & SMB2_CAP_ENCRYPTION) {
- tevent_req_nterror(req,
- NT_STATUS_INVALID_NETWORK_RESPONSE);
- return;
+ /*
+ * Server set SMB2_CAP_ENCRYPTION capability,
+ * but *SHOULD* not, not *MUST* not. Just mask it off.
+ * NetApp seems to do this:
+ * BUG: https://bugzilla.samba.org/show_bug.cgi?id=13009
+ */
+ conn->smb2.server.capabilities &= ~SMB2_CAP_ENCRYPTION;
 }
 
 negotiate_context_offset = IVAL(body, 60);
-- 
2.11.0
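Review bot: The rewritten body of `if (conn->smb2.server.capabilities & SMB2_CAP_ENCRYPTION)` discards the non-conformant flag silently, so a negotiate response that used to fail with NT_STATUS_INVALID_NETWORK_RESPONSE now leaves no trace for anyone diagnosing an encryption mismatch against such a server. I would log it just before the mask, for example `DBG_NOTICE("SMB3_11 server set SMB2_CAP_ENCRYPTION, ignoring it\n");`, assuming the debug macros are already usable in this file. Clearing the bit looks like the conservative direction, but it leaves the encryption decision at this dialect entirely to the negotiate-context parsing that begins at `negotiate_context_offset = IVAL(body, 60);` and continues outside the hunk. It is worth confirming there that a response carrying the stray flag but no usable cipher context ends up treated as "no encryption available" rather than falling through to a capability-based path. The added comment would also read more clearly as `the server SHOULD NOT set this at SMB3_11, but it is not a MUST NOT, so tolerate it`.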