c981d4fa126956 needs to be in 3.6. Sent the following explanation to Jeremy: With the async echo responder active we did not enable sconn->using_smb2. Client came in with an SMB1 negprot offering SMB2, which we happily accepted. So we were running SMB2 without sconn->using_smb2 being set to true. Now look at exit_server_common. We explicitly do the conn_close_all which in the SMB1 case does the close_cnum on all connections. In exit_server_common we later do the TALLOC_FREE(smbd_server_conn). All smb2_tcon structs are eventually children of smbd_server_conn, so smbd_smb2_tcon_destructor gets called. There if tcon->compat_conn exists (which it still does, but invalidly, see the conn_close_all above) we call set_current_service. That then wants to dereference conn->params, which conn_free (called from conn_close_all) had already NULL'ed out. This patch makes 100% sure we never handle SMB2 without sconn->using_smb2 being set to true.
Yep, that should go into 3.6.0
+1 makes sense. Jeremy.
Pushed to v3-6-test. Closing out bug report. Thanks!
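
A simplified model of the teardown order described in the first comment, added here as an illustration and not Samba's code. The struct layouts, `exit_server_stale_derefs` and the behaviour of the `using_smb2` branch of `conn_close_all` are assumptions; the model counts the places where the tcon destructor would reach a `conn->params` that is already NULL instead of crashing.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy stand-ins for the smbd structures named in the report. */
struct conn  { const int *params; };
struct tcon  { struct conn *compat_conn; };
struct sconn { bool using_smb2; struct conn conn; struct tcon *tcon; };

/* Models smbd_smb2_tcon_destructor: returns 1 where set_current_service
 * would dereference a conn->params that has already been NULL'ed. */
static int tcon_destructor(struct tcon *t)
{
    int stale = (t->compat_conn != NULL && t->compat_conn->params == NULL);
    t->compat_conn = NULL;
    return stale;
}

/* Models conn_close_all. The SMB1 branch follows the report; the SMB2
 * branch (tcons torn down while conn is still valid) is an assumption. */
static int conn_close_all(struct sconn *s)
{
    int stale = 0;
    if (s->using_smb2 && s->tcon != NULL) {
        stale = tcon_destructor(s->tcon);
        s->tcon = NULL;
    }
    s->conn.params = NULL;          /* what conn_free does, per the report */
    return stale;
}

/* Models exit_server_common for a session holding one SMB2 tree connect.
 * Returns how many stale dereferences the teardown would perform. */
int exit_server_stale_derefs(bool using_smb2)
{
    static const int service_params = 1;    /* constructed placeholder */
    struct tcon tcon;
    struct sconn s = { .using_smb2 = using_smb2, .tcon = &tcon };

    s.conn.params = &service_params;
    tcon.compat_conn = &s.conn;

    int stale = conn_close_all(&s);
    if (s.tcon != NULL)             /* TALLOC_FREE(smbd_server_conn) frees children */
        stale += tcon_destructor(s.tcon);
    return stale;
}

int main(void)
{
    printf("using_smb2 unset: %d stale deref(s)\n", exit_server_stale_derefs(false));
    printf("using_smb2 set:   %d stale deref(s)\n", exit_server_stale_derefs(true));
    return 0;
}
```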