From 059cd93497c4c81d6ab957144beb6ae58e1638dc Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Fri, 5 Sep 2008 16:45:10 +1000
Subject: [PATCH] Move our DC to implement mandetory signing. (this does not change the file server role, and only really changes what 'server signing = auto' means) Optional signing really isn't any benifit to network security. In doing so, allow anonymous clients (if permitted by policy) to log in without signing, as Samba3 does not sign these connections (which would use an all-zero key, so pointless). Andrew Bartlett (This used to be commit 468bf839c500ed1a26ab9a358ee64a4c0a695797)
---
 source4/smb_server/smb/sesssetup.c | 6 ++++--
 source4/smb_server/smb/signing.c | 8 ++++++--
 2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/source4/smb_server/smb/sesssetup.c b/source4/smb_server/smb/sesssetup.c
index 9d0d1533cea7..f45cbf17562d 100644
--- a/source4/smb_server/smb/sesssetup.c
+++ b/source4/smb_server/smb/sesssetup.c
@@ -200,7 +200,8 @@ static void sesssetup_nt1_send(struct auth_check_password_request *areq,
 /* Unfortunetly win2k3 as a client doesn't sign the request
 * packet here, so we have to force signing to start again */
- smbsrv_signing_restart(req->smb_conn, &session_info->session_key, &sess->nt1.in.password2);
+ smbsrv_signing_restart(req->smb_conn, &session_info->session_key, &sess->nt1.in.password2,
+ session_info->server_info->authenticated);
 done:
 status = NT_STATUS_OK;
@@ -325,7 +326,8 @@ static void sesssetup_spnego_send(struct gensec_update_request *greq, void *priv
 /* Force check of the request packet, now we know the session key */
 smbsrv_signing_check_incoming(req);
- smbsrv_signing_restart(req->smb_conn, &session_key, NULL);
+ smbsrv_signing_restart(req->smb_conn, &session_key, NULL,
+ session_info->server_info->authenticated);
 }
 /* Ensure this is marked as a 'real' vuid, not one
diff --git a/source4/smb_server/smb/signing.c b/source4/smb_server/smb/signing.c
index 186f5548ab8c..ee4531c8f69b 100644
--- a/source4/smb_server/smb/signing.c
+++ b/source4/smb_server/smb/signing.c
@@ -77,7 +77,8 @@ bool smbsrv_setup_signing(struct smbsrv_connection *smb_conn,
 void smbsrv_signing_restart(struct smbsrv_connection *smb_conn,
 DATA_BLOB *session_key,
- DATA_BLOB *response)
+ DATA_BLOB *response,
+ bool authenticated_session)
 {
 if (!smb_conn->signing.seen_valid) {
 DEBUG(5, ("Client did not send a valid signature on "
@@ -85,7 +86,9 @@ void smbsrv_signing_restart(struct smbsrv_connection *smb_conn,
 /* force things back on (most clients do not sign this packet)... */
 smbsrv_setup_signing(smb_conn, session_key, response);
 smb_conn->signing.next_seq_num = 2;
- if (smb_conn->signing.mandatory_signing) {
+
+ /* If mandetory_signing is set, and this was an authenticated logon, then force on */
+ if (smb_conn->signing.mandatory_signing && authenticated_session) {
 DEBUG(5, ("Configured for mandatory signing, 'good packet seen' forced on\n"));
 /* if this is mandatory, then
 * pretend we have seen a
@@ -117,6 +120,7 @@ bool smbsrv_init_signing(struct smbsrv_connection *smb_conn)
 case SMB_SIGNING_AUTO:
 if (lp_server_role(smb_conn->lp_ctx) == ROLE_DOMAIN_CONTROLLER) {
 smb_conn->signing.allow_smb_signing = true;
+ smb_conn->signing.mandatory_signing = true;
 } else {
 smb_conn->signing.allow_smb_signing = false;
 }
-- 
2.34.1
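Review bot: In the `@@ -85,7 +86,9 @@` hunk the signing state being changed lives on `smb_conn`, while `authenticated_session` describes only the one session setup that triggered the call, so the anonymous exemption is effectively scoped to the connection rather than to the anonymous session. Please confirm, outside this hunk, that a later authenticated session setup on the same connection re-enters the `!seen_valid` branch and turns enforcement on, and that nothing reachable by an anonymous session depends on packet integrity. The new comment also spells the field as `mandetory_signing`, which will not match a search for `mandatory_signing`; I would word it as `/* Only force 'good packet seen' on for authenticated logons: an anonymous session has an all-zero session key, so its signatures prove nothing */`. The body of smbsrv_signing_restart() continues past the end of the hunk, and the new `authenticated_session` parameter added in the `@@ -77,7 +77,8 @@` hunk has no header comment describing it.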
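Review bot: In the `@@ -117,6 +120,7 @@` hunk the `SMB_SIGNING_AUTO` case now makes signing mandatory on a domain controller, but nothing at this site records that or mentions the anonymous exception implemented in smbsrv_signing_restart(). A comment above the added assignment, such as `/* On a DC 'auto' means signing is required; anonymous sessions are exempted in smbsrv_signing_restart() */`, would keep the two places in step. The non-DC branch does not assign `mandatory_signing` in the visible lines, so it presumably relies on a value set before the switch, which is outside the hunk and worth checking. The user-facing description of 'server signing = auto' probably needs the same update, since clients that cannot sign will now fail against a DC.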