c981d4fa126956 needs to be in 3.6. Sent the following explanation to Jeremy:

With the async echo responder                        
active we did not enable sconn->using_smb2. Client came in                     
with a SMB1 negprot offering SMB2, which we happily                            
accepted. So we were running SMB2 without sconn->using_smb2                    
being set to true. Now look at exit_server_common. We                          
explicitly do the conn_close_all which in the SMB1 case does                   
the close_cnum on all connections. In exit_server_common we                    
later do the TALLOC_FREE(smbd_server_conn). All smb2_tcon                      
structs are eventually children of smbd_server_conn, so                        
smbd_smb2_tcon_destructor gets called. There if                                
tcon->compat_conn exists (which it still does, but                             
invalidly, see the conn_close_all above) we call                               
set_current_service. That then wants to dereference                            
conn->params, which conn_free (called from conn_close_all)                     
had already NULL'ed out.                                                       
                                                                               
This patch makes 100% sure we never handle SMB2 without                        
sconn->using_smb2 being set to true.