s3/smbd: ensure global "smb encrypt = off" is effective for SMB 3.1.1 clients

If encryption is disabled globally, per definition we shouldn't allow
enabling encryption on individual shares.

The behaviour of setting

[Global]
  smb encrypt = off

[share]
  smb encrypt = required

must be to completely deny access to the share "share".

This was working correctly for clients when using SMB 3 dialects <
3.1.1, but not for 3.1.1 with a negprot encryption context.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

diff --git a/source3/smbd/smb2_negprot.c b/source3/smbd/smb2_negprot.c
index 6cfa64f1c75750489fd346cf3b61a60450582cb3..d9ccdbeea8ec7e2bc803c2f9d3b84a97f26cc9c6 100644 (file)
--- a/source3/smbd/smb2_negprot.c
+++ b/source3/smbd/smb2_negprot.c
@@ -441,7 +441,7 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
                req->preauth = &req->xconn->smb2.preauth;
        }
 
-       if (in_cipher != NULL) {
+       if ((capabilities & SMB2_CAP_ENCRYPTION) && (in_cipher != NULL)) {
                size_t needed = 2;
                uint16_t cipher_count;
                const uint8_t *p;