svn commit: samba r24789 - in branches/SAMBA_3_2/source/utils: .
Andrew Bartlett
abartlet at samba.org
Wed Aug 29 21:27:37 GMT 2007
On Wed, 2007-08-29 at 22:18 +0200, Volker Lendecke wrote:
> On Wed, Aug 29, 2007 at 07:55:15PM +0000, mimir at samba.org wrote:
> > + sec = (enum security_types)lp_security();
> > +
> > + if (sec == SEC_ADS) {
> > + /* Connect to IPC$ using machine account's credentials. We don't use anonymous
> > + connection here, as it may be denied by server's local policy. */
> > + net_use_machine_account();
> > +
> > + } else {
> > + /* some servers (e.g. WinNT) don't accept machine-authenticated
> > + smb connections */
> > + conn_flags |= NET_FLAGS_ANONYMOUS;
> > + }
> > +
> > /* Connect to remote machine */
> > - if (!(cli = net_make_ipc_connection_ex(domain, server, ip, (NET_FLAGS_ANONYMOUS|NET_FLAGS_PDC)))) {
> > + if (!(cli = net_make_ipc_connection_ex(domain, server, ip, conn_flags))) {
> > return -1;
> > }
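
Review bot: The replaced call passed NET_FLAGS_ANONYMOUS|NET_FLAGS_PDC explicitly, but the new call passes conn_flags, and the only assignment to it visible in this hunk is `conn_flags |= NET_FLAGS_ANONYMOUS` in the else branch, so nothing here shows NET_FLAGS_PDC still being set on either path. Initialise conn_flags to NET_FLAGS_PDC where it is declared, or set it in this hunk, so the PDC behaviour of the old call is visibly preserved. In the SEC_ADS branch, net_use_machine_account() is called with no check of its outcome before the connection attempt; if it can fail, handle that before calling net_make_ipc_connection_ex(). The else branch also applies to every security mode other than SEC_ADS, while its comment names only servers such as WinNT; a comment stating that the choice follows the local security setting rather than the remote server's capabilities would make that explicit.
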
>
> Quick uninformed question: Why the fixed setting here, why
> not try the secure alternative first and do a fallback if
> that fails?

Well, this would be more secure - if we force smb signing, we could
therefore have proof we are talking to the right DC.

Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.