-rw-r--r--source4/smb_server/smb2/negprot.c2
-rw-r--r--source4/smb_server/smb2/receive.c4
-rw-r--r--source4/smb_server/smb2/sesssetup.c3
3 files changed, 7 insertions, 2 deletions
diff --git a/source4/smb_server/smb2/negprot.c b/source4/smb_server/smb2/negprot.c
index 2da39001ab..3e6e2e1a43 100644
--- a/source4/smb_server/smb2/negprot.c
+++ b/source4/smb_server/smb2/negprot.c
@@ -121,6 +121,8 @@ static NTSTATUS smb2srv_negprot_backend(struct smb2srv_request *req, struct smb2
break;
case SMB_SIGNING_REQUIRED:
io->out.security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED | SMB2_NEGOTIATE_SIGNING_REQUIRED;
+ /* force signing on immediately */
+ req->smb_conn->doing_signing = true;
break;
}
io->out.dialect_revision = SMB2_DIALECT_REVISION;
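Review bot: The comment `/* force signing on immediately */` does not record the invariant this commit creates: server-required signing is now set only here, at negotiate time, because the sesssetup.c hunk drops its `lp_server_signing(...) == SMB_SIGNING_REQUIRED` test. I would expand it to something like `/* server requires signing: mark the connection here, before any session exists; session setup no longer checks lp_server_signing() itself */`. The existing comment in the sesssetup.c hunk could also say that only the client's SMB2_NEGOTIATE_SIGNING_REQUIRED bit is handled there. Without that, a later change to this switch could silently turn off mandatory signing. The switch and the enclosing function start outside the hunk.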
diff --git a/source4/smb_server/smb2/receive.c b/source4/smb_server/smb2/receive.c
index 3def8fe563..2f4e9df2b6 100644
--- a/source4/smb_server/smb2/receive.c
+++ b/source4/smb_server/smb2/receive.c
@@ -321,6 +321,10 @@ static NTSTATUS smb2srv_reply(struct smb2srv_request *req)
smb2srv_send_error(req, status);
return NT_STATUS_OK;
}
+ } else if (req->smb_conn->doing_signing && req->session != NULL) {
+ /* we require signing and this request was not signed */
+ smb2srv_send_error(req, NT_STATUS_ACCESS_DENIED);
+ return NT_STATUS_OK;
}
/* TODO: check the seqnum */
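Review bot: The added `else if` enforces signing only when `req->session != NULL`, so an unsigned request with no valid session still falls through to the code below. That exemption is needed for negotiate and session setup, but the hunk does not show that every other opcode rejects a NULL session; that should be confirmed, or the exemption narrowed to those opcodes. The rejection is also silent: a line such as `DEBUG(2, ("SMB2 request rejected: signing required but request not signed\n"));` before `smb2srv_send_error` would let operators see tampering or downgrade attempts in the logs. The function body starts and ends outside the hunk.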
diff --git a/source4/smb_server/smb2/sesssetup.c b/source4/smb_server/smb2/sesssetup.c
index 482dd181c2..9fb3220005 100644
--- a/source4/smb_server/smb2/sesssetup.c
+++ b/source4/smb_server/smb2/sesssetup.c
@@ -181,8 +181,7 @@ static void smb2srv_sesssetup_backend(struct smb2srv_request *req, union smb_ses
/* note that we ignore SMB2_NEGOTIATE_SIGNING_ENABLED from the client.
This is deliberate as windows does not set it even when it does
set SMB2_NEGOTIATE_SIGNING_REQUIRED */
- if ((io->smb2.in.security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) ||
- lp_server_signing(req->smb_conn->lp_ctx) == SMB_SIGNING_REQUIRED) {
+ if (io->smb2.in.security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) {
req->smb_conn->doing_signing = true;
}