(this does not change the file server role, and only really changes
what 'server signing = auto' means)
Optional signing really isn't any benefit to network security.
In doing so, allow anonymous clients (if permitted by policy) to log
in without signing, as Samba3 does not sign these connections (which
would use an all-zero key, so pointless).
Andrew Bartlett
/* Unfortunetly win2k3 as a client doesn't sign the request
* packet here, so we have to force signing to start again */
/* Unfortunetly win2k3 as a client doesn't sign the request
* packet here, so we have to force signing to start again */
- smbsrv_signing_restart(req->smb_conn, &session_info->session_key, &sess->nt1.in.password2);
+ smbsrv_signing_restart(req->smb_conn, &session_info->session_key, &sess->nt1.in.password2,
+ session_info->server_info->authenticated);
done:
status = NT_STATUS_OK;
done:
status = NT_STATUS_OK;
/* Force check of the request packet, now we know the session key */
smbsrv_signing_check_incoming(req);
/* Force check of the request packet, now we know the session key */
smbsrv_signing_check_incoming(req);
- smbsrv_signing_restart(req->smb_conn, &session_key, NULL);
+ smbsrv_signing_restart(req->smb_conn, &session_key, NULL,
+ session_info->server_info->authenticated);
}
/* Ensure this is marked as a 'real' vuid, not one
}
/* Ensure this is marked as a 'real' vuid, not one
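Review bot: Both call sites now pass `session_info->server_info->authenticated` with no comment saying why signing depends on it; a short comment above each call would help, e.g. `/* anonymous sessions have no usable session key, so signing is only forced on for authenticated logons */`. In the second call the old code used only the local `session_key`, while the new argument dereferences `session_info` and `server_info`; the visible lines do not show either being checked on this path, so it is worth confirming they cannot be NULL here. Both enclosing functions start and end outside the hunks.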
void smbsrv_signing_restart(struct smbsrv_connection *smb_conn,
DATA_BLOB *session_key,
void smbsrv_signing_restart(struct smbsrv_connection *smb_conn,
DATA_BLOB *session_key,
+ DATA_BLOB *response,
+ bool authenticated_session)
{
if (!smb_conn->signing.seen_valid) {
DEBUG(5, ("Client did not send a valid signature on "
{
if (!smb_conn->signing.seen_valid) {
DEBUG(5, ("Client did not send a valid signature on "
/* force things back on (most clients do not sign this packet)... */
smbsrv_setup_signing(smb_conn, session_key, response);
smb_conn->signing.next_seq_num = 2;
/* force things back on (most clients do not sign this packet)... */
smbsrv_setup_signing(smb_conn, session_key, response);
smb_conn->signing.next_seq_num = 2;
- if (smb_conn->signing.mandatory_signing) {
+
+ /* If mandetory_signing is set, and this was an authenticated logon, then force on */
+ if (smb_conn->signing.mandatory_signing && authenticated_session) {
DEBUG(5, ("Configured for mandatory signing, 'good packet seen' forced on\n"));
/* if this is mandatory, then
* pretend we have seen a
DEBUG(5, ("Configured for mandatory signing, 'good packet seen' forced on\n"));
/* if this is mandatory, then
* pretend we have seen a
case SMB_SIGNING_AUTO:
if (lp_server_role(smb_conn->lp_ctx) == ROLE_DOMAIN_CONTROLLER) {
smb_conn->signing.allow_smb_signing = true;
case SMB_SIGNING_AUTO:
if (lp_server_role(smb_conn->lp_ctx) == ROLE_DOMAIN_CONTROLLER) {
smb_conn->signing.allow_smb_signing = true;
+ smb_conn->signing.mandatory_signing = true;
} else {
smb_conn->signing.allow_smb_signing = false;
}
} else {
smb_conn->signing.allow_smb_signing = false;
}
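Review bot: The exemption in `smbsrv_signing_restart` is decided per session setup, but the state it leaves alone (`smb_conn->signing`) belongs to the whole connection: with mandatory signing configured, an unauthenticated session setup no longer forces 'good packet seen', so as far as these lines show the connection keeps accepting unsigned requests. That seems to be the intent for anonymous clients, but it should be written down on the function, along with the expectation that a later authenticated session setup on the same connection passes the `!smb_conn->signing.seen_valid` guard and turns signing on. Since the last hunk makes `SMB_SIGNING_AUTO` set `mandatory_signing` on a domain controller, this path becomes the default there. The added comment also misspells the field; it could read `/* If mandatory_signing is set and this was an authenticated logon, force signing on */`. The function body continues outside the hunk.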