[Samba] Badlock patching difficult

[Klaus Hartnegg]

Hi,

I prefer to not blindly throw in updates, but understand what is changing.

Is there an admin-compatible summary of the 4.3.8 release notes? They 
are full of technical details that require insider knowledge of the SMB 
protocol. I read it all, but still do not know what needs to be done.

Are there options which must be set in order to be secure?
Which options will cause compatibility issues?

Should I enable "client signing" on a classic PDC with Win7 clients?

Will "server max protocol = NT1" still work? (Unfortunately we need 
this, otherwise one program cannot be run from a samba share)

Also (eventough it probably not affects me on a PDC) I wonder why "tls 
verify peer" defaults to "as_strict_as_possible", when the Samba default 
is auto-generated certificates, which to not have a crl file.
Does not sound like this will be an easy upgrade for everybody.

thanks,
Klaus