From 85680565ccdb261cd77b065ac536612810463e1e Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox@samba.org>
Date: Wed, 21 Sep 2011 03:56:30 +0200
Subject: [PATCH] s3:smb2-server: session setup replies should always be signed (except for guest sessions)

not only if the session should be signed

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed Sep 21 11:00:09 CEST 2011 on sn-devel-104
---
 source3/smbd/smb2_sesssetup.c |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index a081290..c837277 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -187,6 +187,7 @@ static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
 	fstring tmp;
 	bool username_was_mapped = false;
 	bool map_domainuser_to_guest = false;
+	bool guest = false;
 
 	if (!spnego_parse_krb5_wrap(talloc_tos(), *secblob, &ticket, tok_id)) {
 		status = NT_STATUS_LOGON_FAILURE;
@@ -263,6 +264,7 @@ static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
 		*out_session_flags |= SMB2_SESSION_FLAG_IS_NULL;
 		/* force no signing */
 		session->do_signing = false;
+		guest = true;
 	}
 
 	data_blob_free(&session->session_info->user_session_key);
@@ -315,7 +317,7 @@ static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
 	 * so that the response can be signed
 	 */
 	smb2req->session = session;
-	if (session->do_signing) {
+	if (guest) {
 		smb2req->do_signing = true;
 	}
 
@@ -469,6 +471,7 @@ static NTSTATUS smbd_smb2_common_ntlmssp_auth_return(struct smbd_smb2_session *s
 					uint64_t *out_session_id)
 {
 	fstring tmp;
+	bool guest = false;
 
 	if ((in_security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) ||
 	    lp_server_signing() == Required) {
@@ -481,6 +484,7 @@ static NTSTATUS smbd_smb2_common_ntlmssp_auth_return(struct smbd_smb2_session *s
 		*out_session_flags |= SMB2_SESSION_FLAG_IS_NULL;
 		/* force no signing */
 		session->do_signing = false;
+		guest = true;
 	}
 
 	session->session_key = session->session_info->user_session_key;
@@ -528,7 +532,7 @@ static NTSTATUS smbd_smb2_common_ntlmssp_auth_return(struct smbd_smb2_session *s
 	 * so that the response can be signed
 	 */
 	smb2req->session = session;
-	if (session->do_signing) {
+	if (!guest) {
 		smb2req->do_signing = true;
 	}
 
-- 
1.5.5.6


From 3250e70bdfa78bddf7276b64b65ead18eb415754 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 22 Sep 2011 21:04:51 +0200
Subject: [PATCH] s3:smb2_server: fix a logic error, we should sign non guest sessions

metze
---
 source3/smbd/smb2_sesssetup.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index c837277..64a8053 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -317,7 +317,7 @@ static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
 	 * so that the response can be signed
 	 */
 	smb2req->session = session;
-	if (guest) {
+	if (!guest) {
 		smb2req->do_signing = true;
 	}
 
-- 
1.5.5.6