summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--source4/smb_server/smb/sesssetup.c6
-rw-r--r--source4/smb_server/smb/signing.c8
2 files changed, 10 insertions, 4 deletions
diff --git a/source4/smb_server/smb/sesssetup.c b/source4/smb_server/smb/sesssetup.c
index 9d0d1533ce..f45cbf1756 100644
--- a/source4/smb_server/smb/sesssetup.c
+++ b/source4/smb_server/smb/sesssetup.c
@@ -200,7 +200,8 @@ static void sesssetup_nt1_send(struct auth_check_password_request *areq,
/* Unfortunetly win2k3 as a client doesn't sign the request
* packet here, so we have to force signing to start again */
- smbsrv_signing_restart(req->smb_conn, &session_info->session_key, &sess->nt1.in.password2);
+ smbsrv_signing_restart(req->smb_conn, &session_info->session_key, &sess->nt1.in.password2,
+ session_info->server_info->authenticated);
done:
status = NT_STATUS_OK;
@@ -325,7 +326,8 @@ static void sesssetup_spnego_send(struct gensec_update_request *greq, void *priv
/* Force check of the request packet, now we know the session key */
smbsrv_signing_check_incoming(req);
- smbsrv_signing_restart(req->smb_conn, &session_key, NULL);
+ smbsrv_signing_restart(req->smb_conn, &session_key, NULL,
+ session_info->server_info->authenticated);
}
/* Ensure this is marked as a 'real' vuid, not one
diff --git a/source4/smb_server/smb/signing.c b/source4/smb_server/smb/signing.c
index 186f5548ab..ee4531c8f6 100644
--- a/source4/smb_server/smb/signing.c
+++ b/source4/smb_server/smb/signing.c
@@ -77,7 +77,8 @@ bool smbsrv_setup_signing(struct smbsrv_connection *smb_conn,
void smbsrv_signing_restart(struct smbsrv_connection *smb_conn,
DATA_BLOB *session_key,
- DATA_BLOB *response)
+ DATA_BLOB *response,
+ bool authenticated_session)
{
if (!smb_conn->signing.seen_valid) {
DEBUG(5, ("Client did not send a valid signature on "
@@ -85,7 +86,9 @@ void smbsrv_signing_restart(struct smbsrv_connection *smb_conn,
/* force things back on (most clients do not sign this packet)... */
smbsrv_setup_signing(smb_conn, session_key, response);
smb_conn->signing.next_seq_num = 2;
- if (smb_conn->signing.mandatory_signing) {
+
+ /* If mandetory_signing is set, and this was an authenticated logon, then force on */
+ if (smb_conn->signing.mandatory_signing && authenticated_session) {
DEBUG(5, ("Configured for mandatory signing, 'good packet seen' forced on\n"));
/* if this is mandatory, then
* pretend we have seen a
@@ -117,6 +120,7 @@ bool smbsrv_init_signing(struct smbsrv_connection *smb_conn)
case SMB_SIGNING_AUTO:
if (lp_server_role(smb_conn->lp_ctx) == ROLE_DOMAIN_CONTROLLER) {
smb_conn->signing.allow_smb_signing = true;
+ smb_conn->signing.mandatory_signing = true;
} else {
smb_conn->signing.allow_smb_signing = false;
}
generated by cgit (git 2.34.1) at 2025-01-18 05:49:32 +0000