c981d4fa126956 needs to be in 3.6. Sent the following explanation to Jeremy:
With the async echo responder
active we did not enable sconn->using_smb2. Client came in
with a SMB1 negprot offering SMB2, which we happily
accepted. So we were running SMB2 without sconn->using_smb2
being set to true. Now look at exit_server_common. We
explicitly do the conn_close_all which in the SMB1 case does
the close_cnum on all connections. In exit_server_common we
later do the TALLOC_FREE(smbd_server_conn). All smb2_tcon
structs are eventually children of smbd_server_conn, so
smbd_smb2_tcon_destructor gets called. There if
tcon->compat_conn exists (which it still does, but
invalidly, see the conn_close_all above) we call
set_current_service. That then wants to dereference
conn->params, which conn_free (called from conn_close_all)
had already NULL'ed out.
This patch makes 100% sure we never handle SMB2 without
sconn->using_smb2 being set to true.
Yep, that should go into 3.6.0
+1 makes sense.
Pushed to v3-6-test.
Closing out bug report.