s3: smbd: signing. Ensure we respond correctly to an SMB2 negprot with SMB2_NEGOTIATE_SIGNING_REQUIRED.

Bug 11103:  - Samba does not set the required flags in the SMB2/SMB3 Negotiate Protocol Response when signing required by client

https://bugzilla.samba.org/show_bug.cgi?id=11103

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Steve French <smfrench@gmail.com>

2 files changed, 5 insertions, 2 deletions

diff --git a/source3/smbd/smb2_negprot.c b/source3/smbd/smb2_negprot.c
index 9a1ca9c22e..02f688221a 100644
--- a/source3/smbd/smb2_negprot.c
+++ b/source3/smbd/smb2_negprot.c
@@ -221,7 +221,8 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
 	}
 
 	security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED;
-	if (lp_server_signing() == SMB_SIGNING_REQUIRED) {
+	if (lp_server_signing() == SMB_SIGNING_REQUIRED ||
+			(in_security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED)) {
 		security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
 	}
 
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index 2f58e44f55..f9183285f3 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -186,7 +186,9 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
 	struct smbXsrv_connection *xconn = smb2req->xconn;
 
 	if ((in_security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) ||
-	    lp_server_signing() == SMB_SIGNING_REQUIRED) {
+	    lp_server_signing() == SMB_SIGNING_REQUIRED ||
+	    (xconn->smb2.server.security_mode &
+			SMB2_NEGOTIATE_SIGNING_REQUIRED)) {
 		x->global->signing_required = true;
 	}