[PATCH] lib/param: Consolidate code to enable smb signing on the server, always enable on AD DC

Stefan (metze) Metzmacher metze at samba.org
Mon Apr 14 11:05:28 MDT 2014


Hi Andrew,

>>> I'm wondering if this is the kind of change we can make during the 4.0
>>> and 4.1 series?  It would be good to be able to rely on SMB signing
>>> against AD DC servers, but unless we apply this patch Samba 4.0 and 4.1
>>> will be exceptions to that unless SMB2 is used. 
>>
>> smbd should support FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED.
>> So what is the actual problem here?
> 
> The default 'server signing' is disabled, so the client can't sign even
> if it wants to. 

I don't believe this is true, with modern servers.

If the client sends FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED in the
session setup request, the server should detect this and enable
signing for the session.

This was introduced in Windows (after 2000) and Samba 4.0.

See commit abb24bf8e874d525382e994af7ae432212775153.

So do you really see failures? If so, please provide captures and log
files :-)

metze
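
Added example, not part of the original message and not Samba's code: a simplified C model of the behaviour described above, where a session setup request carrying FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED turns signing on even when the server default is disabled. The helper names, the `server_offers` parameter, the handling of the "supported but not required" flag and the sample headers are assumptions made for illustration; the flag values and header offsets are those of the SMB1 header in MS-CIFS.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* SMB1 header constants (MS-CIFS / MS-SMB). */
#define SMB1_HDR_LEN 32
#define SMB_COM_SESSION_SETUP_ANDX 0x73
#define FLAGS2_SMB_SECURITY_SIGNATURES 0x0004          /* client can sign */
#define FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED 0x0010 /* client demands it */

enum { SIGN_BAD_PACKET = -1, SIGN_OFF = 0, SIGN_ON = 1 };

/* Hypothetical helper: signing decision for one session setup request.
 * server_offers models a 'server signing' setting other than disabled. */
static int decide_signing(const uint8_t *pkt, size_t len, int server_offers)
{
    if (pkt == NULL || len < SMB1_HDR_LEN || memcmp(pkt, "\xffSMB", 4) != 0)
        return SIGN_BAD_PACKET;
    if (pkt[4] != SMB_COM_SESSION_SETUP_ANDX)
        return SIGN_BAD_PACKET;
    /* Flags2 is a little-endian 16-bit field at header offset 10. */
    uint16_t flags2 = (uint16_t)(pkt[10] | (pkt[11] << 8));
    if (flags2 & FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED)
        return SIGN_ON; /* client demand wins over a disabled default */
    if ((flags2 & FLAGS2_SMB_SECURITY_SIGNATURES) && server_offers)
        return SIGN_ON;
    return SIGN_OFF;
}

/* Constructed sample: a zeroed SMB1 header with only command and Flags2 set. */
static void make_hdr(uint8_t hdr[SMB1_HDR_LEN], uint8_t cmd, uint16_t flags2)
{
    memset(hdr, 0, SMB1_HDR_LEN);
    memcpy(hdr, "\xffSMB", 4);
    hdr[4] = cmd;
    hdr[10] = (uint8_t)(flags2 & 0xff);
    hdr[11] = (uint8_t)(flags2 >> 8);
}

int main(void)
{
    uint8_t hdr[SMB1_HDR_LEN];
    make_hdr(hdr, SMB_COM_SESSION_SETUP_ANDX, 0xC801 | 0x0010);
    printf("required, server signing off: %d\n", decide_signing(hdr, sizeof hdr, 0));
    make_hdr(hdr, SMB_COM_SESSION_SETUP_ANDX, 0xC801 | 0x0004);
    printf("supported only, server signing off: %d\n", decide_signing(hdr, sizeof hdr, 0));
    return 0;
}
```

When reading a capture, the same two Flags2 bits in the session setup request show whether the client asked for signing at all.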

