python: Set smb signing via the creds API

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

python/samba/gpclass.py

@@ -38,6 +38,7 @@ from tempfile import NamedTemporaryFile
 from samba.dcerpc import preg
 from samba.dcerpc import misc
 from samba.ndr import ndr_pack, ndr_unpack
+from samba.credentials import SMB_SIGNING_REQUIRED
 
 try:
     from enum import Enum
@@ -394,7 +395,13 @@ def check_refresh_gpo_list(dc_hostname, lp, creds, gpos):
     # the SMB bindings rely on having a s3 loadparm
     s3_lp = s3param.get_context()
     s3_lp.load(lp.configfile)
+
+    # Force signing for the connection
+    saved_signing_state = creds.get_smb_signing()
+    creds.set_smb_signing(SMB_SIGNING_REQUIRED)
     conn = libsmb.Conn(dc_hostname, 'sysvol', lp=s3_lp, creds=creds, sign=True)
+    # Reset signing state
+    creds.set_smb_signing(saved_signing_state)
     cache_path = lp.cache_path('gpo_cache')
     for gpo in gpos:
         if not gpo.file_sys_path:

python/samba/netcmd/domain_backup.py

@@ -54,6 +54,7 @@ from subprocess import CalledProcessError
 from samba import sites
 from samba.dsdb import _dsdb_load_udv_v2
 from samba.ndr import ndr_pack
+from samba.credentials import SMB_SIGNING_REQUIRED
 
 
 # work out a SID (based on a free RID) to use when the domain gets restored.
@@ -115,7 +116,14 @@ def smb_sysvol_conn(server, lp, creds):
     # the SMB bindings rely on having a s3 loadparm
     s3_lp = s3param.get_context()
     s3_lp.load(lp.configfile)
-    return libsmb.Conn(server, "sysvol", lp=s3_lp, creds=creds, sign=True)
+
+    # Force signing for the connection
+    saved_signing_state = creds.get_smb_signing()
+    creds.set_smb_signing(SMB_SIGNING_REQUIRED)
+    conn = libsmb.Conn(server, "sysvol", lp=s3_lp, creds=creds, sign=True)
+    # Reset signing state
+    creds.set_smb_signing(saved_signing_state)
+    return conn
 
 
 def get_timestamp():

python/samba/netcmd/gpo.py

@@ -62,6 +62,7 @@ from samba.gp_parse.gp_csv import GPAuditCsvParser
 from samba.gp_parse.gp_inf import GptTmplInfParser
 from samba.gp_parse.gp_aas import GPAasParser
 from samba import param
+from samba.credentials import SMB_SIGNING_REQUIRED
 
 
 def attr_default(msg, attrname, default):
@@ -384,6 +385,9 @@ def create_directory_hier(conn, remotedir):
 
 def smb_connection(dc_hostname, service, lp, creds):
     # SMB connect to DC
+    # Force signing for the smb connection
+    saved_signing_state = creds.get_smb_signing()
+    creds.set_smb_signing(SMB_SIGNING_REQUIRED)
     try:
         # the SMB bindings rely on having a s3 loadparm
         s3_lp = s3param.get_context()
@@ -391,6 +395,8 @@ def smb_connection(dc_hostname, service, lp, creds):
         conn = libsmb.Conn(dc_hostname, service, lp=s3_lp, creds=creds, sign=True)
     except Exception:
         raise CommandError("Error connecting to '%s' using SMB" % dc_hostname)
+    # Reset signing state
+    creds.set_smb_signing(saved_signing_state)
     return conn