From 43a90cee46bb7a70f7973c4fc51eee7634e43145 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Wed, 18 Jan 2017 16:19:15 +0100 Subject: [PATCH] s3/smbd: ensure global "smb encrypt = off" is effective for SMB 1 clients If encryption is disabled globally, per definition we shouldn't allow enabling encryption on individual shares. The behaviour of setting [Global] smb encrypt = off [share_required] smb encrypt = required [share_desired] smb encrypt = desired must be to completely deny access to the share "share_required" and an unencrypted connection to "share_desired". Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison
---
 source3/smbd/service.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/source3/smbd/service.c b/source3/smbd/service.c
index 3308e9dce97..ce4b8da1e24 100644
--- a/source3/smbd/service.c
+++ b/source3/smbd/service.c
@@ -623,6 +623,18 @@ static NTSTATUS make_connection_snum(struct smbXsrv_connection *xconn,
 conn->short_case_preserve = lp_short_preserve_case(snum);
 conn->encrypt_level = lp_smb_encrypt(snum);
+ if (conn->encrypt_level > SMB_SIGNING_OFF) {
+ if (lp_smb_encrypt(-1) == SMB_SIGNING_OFF) {
+ if (conn->encrypt_level == SMB_SIGNING_REQUIRED) {
+ DBG_ERR("Service [%s] requires encryption, but "
+ "it is disabled globally!\n",
+ lp_servicename(talloc_tos(), snum));
+ status = NT_STATUS_ACCESS_DENIED;
+ goto err_root_exit;
+ }
+ conn->encrypt_level = SMB_SIGNING_OFF;
+ }
+ }
 conn->veto_list = NULL;
 conn->hide_list = NULL;
--
2.11.4.GIT
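Review bot: The fall-through path at `conn->encrypt_level = SMB_SIGNING_OFF;` downgrades a share configured with a non-required encryption level to cleartext without logging anything, so only the `SMB_SIGNING_REQUIRED` rejection is visible to an administrator reading the logs. A log line before the assignment would make the override auditable, for example `DBG_NOTICE("Service [%s] requests encryption, but it is disabled globally; serving unencrypted\n", lp_servicename(talloc_tos(), snum));`. A short comment would also help, saying that `lp_smb_encrypt(-1)` appears to read the [global] value and that the encryption levels reuse the `SMB_SIGNING_*` constants, because the outer `>` test depends on the ordering of that enum. make_connection_snum starts and ends outside the hunk, so the cleanup reached through `err_root_exit` cannot be checked from here.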