s3:smb2_tcon: Add check to prevent non-DFS clients from connecting to an msdfs proxy.
authorRalph Wuerthner <ralph.wuerthner@de.ibm.com>
Thu, 29 Mar 2018 08:00:41 +0000 (10:00 +0200)
committerJeremy Allison <jra@samba.org>
Sat, 7 Apr 2018 03:05:22 +0000 (05:05 +0200)
Signed-off-by: Ralph Wuerthner <ralph.wuerthner@de.ibm.com>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Apr  7 05:05:22 CEST 2018 on sn-devel-144

source3/smbd/smb2_tcon.c

index 07e01cddd46365675246575c63eaa1de3f515bc0..ebd31602efcd8b2349f2e81fe2c1ac29e756e0eb 100644 (file)
@@ -270,6 +270,21 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req,
                return NT_STATUS_BAD_NETWORK_NAME;
        }
 
+       /* Handle non-DFS clients attempting connections to msdfs proxy */
+       if (lp_host_msdfs()) {
+               char *proxy = lp_msdfs_proxy(talloc_tos(), snum);
+
+               if ((proxy != NULL) && (*proxy != '\0')) {
+                       DBG_NOTICE("refusing connection to dfs proxy share "
+                                  "'%s' (pointing to %s)\n",
+                                  service,
+                                  proxy);
+                       TALLOC_FREE(proxy);
+                       return NT_STATUS_BAD_NETWORK_NAME;
+               }
+               TALLOC_FREE(proxy);
+       }
+
        if ((lp_smb_encrypt(snum) >= SMB_SIGNING_DESIRED) &&
            (conn->smb2.server.cipher != 0))
        {
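Review bot: The comment on the added block says it handles non-DFS clients, but neither `if (lp_host_msdfs())` nor the non-empty `proxy` test looks at any client capability, so every tree connect to a share with an msdfs proxy configured is refused. That is presumably intended, since a DFS-aware client would be expected to follow the referral instead of tree-connecting to the proxy share, but the comment should say so, e.g. `/* A share with "msdfs proxy" set only hands out referrals; refuse every tree connect to it, regardless of client DFS support. */`. The refusal returns NT_STATUS_BAD_NETWORK_NAME, the same status as the return just above the block, so a client cannot tell a proxy share from the failure case handled there; that choice deserves a short why-comment so it is not later changed to a more specific status. smbd_smb2_tree_connect starts and ends outside this hunk, so how `service` is derived before it reaches the DBG_NOTICE call cannot be checked from here.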