diff options
author | Stefan Metzmacher <metze@samba.org> | 2012-08-08 06:25:10 +0200 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2012-08-09 08:21:35 +0200 |
commit | 95e4270813fa8bfda2dc899b1c8537e49fb9c115 (patch) | |
tree | a6e7ddf8231f58e9907d499a2cd811f1d0151fae | |
parent | 64dce265338f325e9fdee6b4a95e918d3b704cbf (diff) | |
download | samba-95e4270813fa8bfda2dc899b1c8537e49fb9c115.tar.gz samba-95e4270813fa8bfda2dc899b1c8537e49fb9c115.tar.bz2 samba-95e4270813fa8bfda2dc899b1c8537e49fb9c115.zip |
s3:smb2_tcon: set global->encryption_required and enforce it
This the account or client doesn't support encryption we should
reject the tree connect.
metze
-rw-r--r-- | source3/smbd/smb2_tcon.c | 34 |
1 files changed, 29 insertions, 5 deletions
diff --git a/source3/smbd/smb2_tcon.c b/source3/smbd/smb2_tcon.c index a6b47d3769..2cf91af3ff 100644 --- a/source3/smbd/smb2_tcon.c +++ b/source3/smbd/smb2_tcon.c @@ -175,6 +175,7 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req, uint32_t *out_maximal_access, uint32_t *out_tree_id) { + struct smbXsrv_connection *conn = req->sconn->conn; const char *share = in_path; char *service = NULL; int snum = -1; @@ -183,6 +184,8 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req, connection_struct *compat_conn = NULL; struct user_struct *compat_vuser = req->session->compat; NTSTATUS status; + bool encryption_required = req->session->global->encryption_required; + bool guest_session = false; if (strncmp(share, "\\\\", 2) == 0) { const char *p = strchr(share+2, '\\'); @@ -230,11 +233,26 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req, } if (lp_smb_encrypt(snum) == SMB_SIGNING_REQUIRED) { - status = NT_STATUS_ACCESS_DENIED; - DEBUG(3,("smbd_smb2_tree_connect: " - "service %s needs encryption - %s\n", - service, nt_errstr(status))); - return status; + encryption_required = true; + } + + if (security_session_user_level(compat_vuser->session_info, NULL) < SECURITY_USER) { + guest_session = true; + } + + if (guest_session && encryption_required) { + DEBUG(1,("reject guest as encryption is required for service %s\n", + service)); + return NT_STATUS_ACCESS_DENIED; + } + + if (!(conn->smb2.server.capabilities & SMB2_CAP_ENCRYPTION)) { + if (encryption_required) { + DEBUG(1,("reject tcon with dialect[0x%04X] " + "as encryption is required for service %s\n", + conn->smb2.server.dialect, service)); + return NT_STATUS_ACCESS_DENIED; + } } /* create a new tcon as child of the session */ @@ -243,6 +261,8 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req, return status; } + tcon->global->encryption_required = encryption_required; + compat_conn = make_connection_smb2(req->sconn, tcon, snum, req->session->compat, @@ -309,6 +329,10 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req, *out_share_flags |= SMB2_SHAREFLAG_ACCESS_BASED_DIRECTORY_ENUM; } + if (encryption_required) { + *out_share_flags |= SMB2_SHAREFLAG_ENCRYPT_DATA; + } + *out_maximal_access = tcon->compat->share_access; *out_tree_id = tcon->global->tcon_wire_id; |