5 files changed, 55 insertions, 1 deletions
diff --git a/source3/smbd/files.c b/source3/smbd/files.c
index 6aad76a..42bb323 100644
--- a/source3/smbd/files.c
+++ b/source3/smbd/files.c
@@ -1312,6 +1312,24 @@ next:
 	}
 
 	if (fd == -1) {
+		/*
+		 * vfs_widelink widelink_openat will update stat for fsp
+		 * and return ELOOP for non-existing link, we can report
+		 * the link here and let calling code decide what to do.
+		 */
+		if ((errno == ELOOP) && S_ISLNK(fsp->fsp_name->st.st_ex_mode)) {
+			status = create_open_symlink_err(mem_ctx,
+							dirfsp,
+							&rel_fname,
+							&symlink_err);
+			if (NT_STATUS_IS_OK(status)) {
+				status = NT_STATUS_STOPPED_ON_SYMLINK;
+			} else {
+				DBG_ERR("read_symlink_reparse failed: %s\n",
+					nt_errstr(status));
+			}
+			goto fail;
+		}
 		status = map_nt_error_from_unix(errno);
 		DBG_DEBUG("SMB_VFS_OPENAT() failed: %s\n",
 			  strerror(errno));
diff --git a/source3/smbd/globals.h b/source3/smbd/globals.h
index 4928d1f..a954499 100644
--- a/source3/smbd/globals.h
+++ b/source3/smbd/globals.h
@@ -522,6 +522,11 @@ struct smbXsrv_connection {
 		} smbtorture;
 
 		bool signing_mandatory;
+		/*
+		 * This is ConstrainedConnection in MS-SMB2,
+		 * but with reversed value...
+		 */
+		bool got_authenticated_session;
 	} smb2;
 };
 
diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index afb86ab..5b83d4d 100644
--- a/source3/smbd/smb2_server.c
+++ b/source3/smbd/smb2_server.c
@@ -494,6 +494,17 @@ static NTSTATUS smbd_smb2_inbuf_parse_compound(struct smbXsrv_connection *xconn,
 				goto inval;
 			}
 
+			if (!xconn->smb2.got_authenticated_session) {
+				D_INFO("Got SMB2_TRANSFORM header, "
+				       "but not no authenticated session yet "
+				       "client[%s] server[%s]\n",
+				       tsocket_address_string(
+					xconn->remote_address, talloc_tos()),
+				       tsocket_address_string(
+					xconn->local_address, talloc_tos()));
+				goto inval;
+			}
+
 			if (len < SMB2_TF_HDR_SIZE) {
 				DEBUG(1, ("%d bytes left, expected at least %d\n",
 					   (int)len, SMB2_TF_HDR_SIZE));
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index ac71e55..d3b21ea 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -271,6 +271,13 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
 		x->global->signing_flags &= ~SMBXSRV_SIGNING_REQUIRED;
 		/* we map anonymous to guest internally */
 		guest = true;
+	} else {
+		/*
+		 * Remember we got one authenticated session on the connection
+		 * in order to allow SMB3 decryption to happen
+		 * (sadly even for future anonymous connections).
+		 */
+		xconn->smb2.got_authenticated_session = true;
 	}
 
 	if (guest && (x->global->encryption_flags & SMBXSRV_ENCRYPTION_REQUIRED)) {
@@ -288,7 +295,10 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
 	}
 	x->global->signing_algo = xconn->smb2.server.sign_algo;
 	x->global->encryption_cipher = xconn->smb2.server.cipher;
-	if (guest) {
+	if (*out_session_flags & SMB2_SESSION_FLAG_IS_GUEST) {
+		/*
+		 * A fallback to guest can't do any encryption
+		 */
 		x->global->encryption_cipher = SMB2_ENCRYPTION_NONE;
 	}
 
@@ -642,6 +652,12 @@ static NTSTATUS smbd_smb2_bind_auth_return(struct smbXsrv_session *session,
 		return NT_STATUS_LOGON_FAILURE;
 	}
 
+	/*
+	 * Remember we got one authenticated session on the connection
+	 * in order to allow SMB3 decryption to happen
+	 */
+	xconn->smb2.got_authenticated_session = true;
+
 	*out_session_id = session->global->session_wire_id;
 
 	return NT_STATUS_OK;
diff --git a/source3/smbd/smb2_tcon.c b/source3/smbd/smb2_tcon.c
index b228036..20d8967 100644
--- a/source3/smbd/smb2_tcon.c
+++ b/source3/smbd/smb2_tcon.c
@@ -331,6 +331,10 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req,
 		}
 	}
 
+	if (guest_session) {
+		/* make sure we don't ask for optional encryption */
+		encryption_desired = false;
+	}
 	if (encryption_desired) {
 		encryption_flags |= SMBXSRV_ENCRYPTION_DESIRED;
 	}