smbd:smb2: only enable encryption in tcon if desired

Don't enforce it but only announce DATA_ENCRYPT,
making use of encryption_desired in tcon.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

1 files changed, 6 insertions, 3 deletions

diff --git a/source3/smbd/smb2_tcon.c b/source3/smbd/smb2_tcon.c
index eb66ea04303..99e2f215ca4 100644
--- a/source3/smbd/smb2_tcon.c
+++ b/source3/smbd/smb2_tcon.c
@@ -193,6 +193,7 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req,
 	connection_struct *compat_conn = NULL;
 	struct user_struct *compat_vuser = req->session->compat;
 	NTSTATUS status;
+	bool encryption_desired = req->session->encryption_desired;
 	bool encryption_required = req->session->global->encryption_required;
 	bool guest_session = false;
 	bool require_signed_tcon = false;
@@ -266,12 +267,13 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req,
 		return NT_STATUS_BAD_NETWORK_NAME;
 	}
 
-	if ((lp_smb_encrypt(snum) > SMB_SIGNING_OFF) &&
+	if ((lp_smb_encrypt(snum) >= SMB_SIGNING_DESIRED) &&
 	    (conn->smb2.client.capabilities & SMB2_CAP_ENCRYPTION)) {
-		encryption_required = true;
+		encryption_desired = true;
 	}
 
 	if (lp_smb_encrypt(snum) == SMB_SIGNING_REQUIRED) {
+		encryption_desired = true;
 		encryption_required = true;
 	}
 
@@ -296,6 +298,7 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req,
 		return status;
 	}
 
+	tcon->encryption_desired = encryption_desired;
 	tcon->global->encryption_required = encryption_required;
 
 	compat_conn = make_connection_smb2(req,
@@ -366,7 +369,7 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req,
 		*out_share_flags |= SMB2_SHAREFLAG_ACCESS_BASED_DIRECTORY_ENUM;
 	}
 
-	if (encryption_required) {
+	if (encryption_desired) {
 		*out_share_flags |= SMB2_SHAREFLAG_ENCRYPT_DATA;
 	}