[PATCH] lib/param: Consolidate code to enable smb signing on the server, always enable on AD DC

Andrew Bartlett abartlet at samba.org
Mon Apr 14 03:45:18 MDT 2014


On Tue, 2014-04-08 at 13:40 +0200, Stefan (metze) Metzmacher wrote:
> On 07.04.2014 01:11, Andrew Bartlett wrote:
> > On Fri, 2013-11-22 at 13:24 +0100, David Disseldorp wrote:
> >> On Fri, 22 Nov 2013 14:43:34 +1300
> >> Andrew Bartlett <abartlet at samba.org> wrote:
> >>
> >>> I tried an autobuild with another patch, and that passed.  So I tried with just
> >>> this patch, and that autobuild passed too, which doesn't provide me with any more insights
> >>> on this.  
> >>>
> >>> Do you think we should dare to try an official autobuild again?
> >>
> >> I pushed again. It made it through this time.
> >>
> >> Cheers, David
> > 
> > I'm wondering if this is the kind of change we can make during the 4.0
> > and 4.1 series?  It would be good to be able to rely on SMB signing
> > against AD DC servers, but unless we apply this patch Samba 4.0 and 4.1
> > will be exceptions to that unless SMB2 is used. 
> 
> smbd should support FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED.
> So what is the actual problem here?

The default 'server signing' is disabled, so the client can't sign even
if it wants to.  Thankfully SMB2 changed the rules here, and that is the
way we will be able to assume a signing-compatible DC in 99% of AD
domains. 

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
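
The difference discussed in this thread, as an added example that is not part of the original message and is not Samba code: a simplified model of how the signing bits in the server's negotiate SecurityMode decide the outcome for a client under SMB1 versus SMB2. The client policy names, host names and sample values are constructed for illustration.

```python
# Simplified model of SMB signing negotiation (added illustration).
# Bit values are the SecurityMode flags from the negotiate response.
SMB1_SIGN_ENABLED = 0x04    # NEGOTIATE_SECURITY_SIGNATURES_ENABLED
SMB1_SIGN_REQUIRED = 0x08   # NEGOTIATE_SECURITY_SIGNATURES_REQUIRED
SMB2_SIGN_REQUIRED = 0x0002  # SMB2_NEGOTIATE_SIGNING_REQUIRED

# Hypothetical client policy names used only in this example.
CLIENT_POLICIES = ("off", "if_offered", "required")


def signing_outcome(dialect, server_mode, client_policy):
    """Return 'signed', 'unsigned' or 'refused' for one connection."""
    if client_policy not in CLIENT_POLICIES:
        raise ValueError("unknown client policy: %r" % client_policy)
    if dialect == "SMB1":
        offered = bool(server_mode & (SMB1_SIGN_ENABLED | SMB1_SIGN_REQUIRED))
        demanded = bool(server_mode & SMB1_SIGN_REQUIRED)
        if not offered:
            # Server signing disabled: the client cannot sign even if it
            # wants to, and a client that insists has to give up.
            return "refused" if client_policy == "required" else "unsigned"
        if client_policy == "off":
            return "refused" if demanded else "unsigned"
        return "signed"
    if dialect == "SMB2":
        # An SMB2 server can always sign, so signing is used as soon as
        # either side requires it.
        demanded = bool(server_mode & SMB2_SIGN_REQUIRED)
        if client_policy == "required" or demanded:
            return "signed"
        return "unsigned"
    raise ValueError("unknown dialect: %r" % dialect)


# Constructed sample data: (host, dialect, SecurityMode).
SAMPLES = [
    ("dc-a.example", "SMB1", 0x03),    # signing bits clear
    ("dc-b.example", "SMB1", 0x0F),    # signing enabled and required
    ("dc-c.example", "SMB2", 0x0001),  # signing enabled, not required
]


def refusing_servers(samples):
    """Hosts where a client that requires signing could not connect."""
    return [host for host, dialect, mode in samples
            if signing_outcome(dialect, mode, "required") == "refused"]


if __name__ == "__main__":
    for host, dialect, mode in SAMPLES:
        print(host, dialect, signing_outcome(dialect, mode, "required"))
```
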



