From ef266af12723c64dd55c4f542d5a7c6163036414 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Mon, 16 Jan 2017 12:56:10 +0100
Subject: [PATCH] s3/smbd: ensure global "smb encrypt = off" is effective for
 share with "smb encrypt = desired"

If encryption is disabled globally, per definition we shouldn't allow
enabling encryption on individual shares.

The behaviour of specifying

[Global]
  smb encrypt = off

[share]
  smb encrypt = desired

must be an unecrypted tree connect to the share "share".

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit b0b418c22558fa1df547df9bdac2642343ac39e1)
---
 source3/smbd/smb2_tcon.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/source3/smbd/smb2_tcon.c b/source3/smbd/smb2_tcon.c
index 61e2a3636d3..5330fc39c36 100644
--- a/source3/smbd/smb2_tcon.c
+++ b/source3/smbd/smb2_tcon.c
@@ -268,7 +268,8 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req,
 	}
 
 	if ((lp_smb_encrypt(snum) >= SMB_SIGNING_DESIRED) &&
-	    (conn->smb2.client.capabilities & SMB2_CAP_ENCRYPTION)) {
+	    (conn->smb2.server.cipher != 0))
+	{
 		encryption_desired = true;
 	}