summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStefan Metzmacher <metze@samba.org>2012-08-08 06:25:10 +0200
committerStefan Metzmacher <metze@samba.org>2012-08-09 08:21:35 +0200
commit95e4270813fa8bfda2dc899b1c8537e49fb9c115 (patch)
treea6e7ddf8231f58e9907d499a2cd811f1d0151fae
parent64dce265338f325e9fdee6b4a95e918d3b704cbf (diff)
downloadsamba-95e4270813fa8bfda2dc899b1c8537e49fb9c115.tar.gz
samba-95e4270813fa8bfda2dc899b1c8537e49fb9c115.tar.bz2
samba-95e4270813fa8bfda2dc899b1c8537e49fb9c115.zip
s3:smb2_tcon: set global->encryption_required and enforce it
This the account or client doesn't support encryption we should reject the tree connect. metze
-rw-r--r--source3/smbd/smb2_tcon.c34
1 files changed, 29 insertions, 5 deletions
diff --git a/source3/smbd/smb2_tcon.c b/source3/smbd/smb2_tcon.c
index a6b47d3769..2cf91af3ff 100644
--- a/source3/smbd/smb2_tcon.c
+++ b/source3/smbd/smb2_tcon.c
@@ -175,6 +175,7 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req,
uint32_t *out_maximal_access,
uint32_t *out_tree_id)
{
+ struct smbXsrv_connection *conn = req->sconn->conn;
const char *share = in_path;
char *service = NULL;
int snum = -1;
@@ -183,6 +184,8 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req,
connection_struct *compat_conn = NULL;
struct user_struct *compat_vuser = req->session->compat;
NTSTATUS status;
+ bool encryption_required = req->session->global->encryption_required;
+ bool guest_session = false;
if (strncmp(share, "\\\\", 2) == 0) {
const char *p = strchr(share+2, '\\');
@@ -230,11 +233,26 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req,
}
if (lp_smb_encrypt(snum) == SMB_SIGNING_REQUIRED) {
- status = NT_STATUS_ACCESS_DENIED;
- DEBUG(3,("smbd_smb2_tree_connect: "
- "service %s needs encryption - %s\n",
- service, nt_errstr(status)));
- return status;
+ encryption_required = true;
+ }
+
+ if (security_session_user_level(compat_vuser->session_info, NULL) < SECURITY_USER) {
+ guest_session = true;
+ }
+
+ if (guest_session && encryption_required) {
+ DEBUG(1,("reject guest as encryption is required for service %s\n",
+ service));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ if (!(conn->smb2.server.capabilities & SMB2_CAP_ENCRYPTION)) {
+ if (encryption_required) {
+ DEBUG(1,("reject tcon with dialect[0x%04X] "
+ "as encryption is required for service %s\n",
+ conn->smb2.server.dialect, service));
+ return NT_STATUS_ACCESS_DENIED;
+ }
}
/* create a new tcon as child of the session */
@@ -243,6 +261,8 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req,
return status;
}
+ tcon->global->encryption_required = encryption_required;
+
compat_conn = make_connection_smb2(req->sconn,
tcon, snum,
req->session->compat,
@@ -309,6 +329,10 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req,
*out_share_flags |= SMB2_SHAREFLAG_ACCESS_BASED_DIRECTORY_ENUM;
}
+ if (encryption_required) {
+ *out_share_flags |= SMB2_SHAREFLAG_ENCRYPT_DATA;
+ }
+
*out_maximal_access = tcon->compat->share_access;
*out_tree_id = tcon->global->tcon_wire_id;