diff options
| author | Stefan Metzmacher <metze@samba.org> | 2011-11-02 17:48:45 +0100 |
|---|---|---|
| committer | Stefan Metzmacher <metze@samba.org> | 2011-11-03 16:55:11 +0100 |
| commit | 716da104987293ea84035c50d5beae35081ea756 (patch) | |
| tree | e6eff5c47f1301efb056f261f551b6e6384a2844 /source4/smb_server | |
| parent | 44d7774a1816da7ce02dadc98535fd67a10905ca (diff) | |
| download | samba-716da104987293ea84035c50d5beae35081ea756.tar.gz samba-716da104987293ea84035c50d5beae35081ea756.tar.bz2 samba-716da104987293ea84035c50d5beae35081ea756.zip | |
s4:smb_server/smb: make the SMB_SIGNING_AUTO behavior a bit easier to follow
The prepares a future change to SMB_SIGNING_DEFAULT.
metze
Diffstat (limited to 'source4/smb_server')
| -rw-r--r-- | source4/smb_server/smb/signing.c | 44 |
1 files changed, 25 insertions, 19 deletions
diff --git a/source4/smb_server/smb/signing.c b/source4/smb_server/smb/signing.c index 94ea74681c..3e08e219ec 100644 --- a/source4/smb_server/smb/signing.c +++ b/source4/smb_server/smb/signing.c @@ -77,12 +77,35 @@ bool smbsrv_setup_signing(struct smbsrv_connection *smb_conn, bool smbsrv_init_signing(struct smbsrv_connection *smb_conn) { + enum smb_signing_setting signing_setting; + smb_conn->signing.mac_key = data_blob(NULL, 0); if (!smbcli_set_signing_off(&smb_conn->signing)) { return false; } - - switch (lpcfg_server_signing(smb_conn->lp_ctx)) { + + signing_setting = lpcfg_server_signing(smb_conn->lp_ctx); + if (signing_setting == SMB_SIGNING_AUTO) { + /* + * If we are a domain controller, SMB signing is + * really important, as it can prevent a number of + * attacks on communications between us and the + * clients + * + * However, it really sucks (no sendfile, CPU + * overhead) performance-wise when used on a + * file server, so disable it by default + * on non-DCs + */ + + if (lpcfg_server_role(smb_conn->lp_ctx) >= ROLE_DOMAIN_CONTROLLER) { + signing_setting = SMB_SIGNING_REQUIRED; + } else { + signing_setting = SMB_SIGNING_OFF; + } + } + + switch (signing_setting) { case SMB_SIGNING_OFF: smb_conn->signing.allow_smb_signing = false; break; @@ -93,23 +116,6 @@ bool smbsrv_init_signing(struct smbsrv_connection *smb_conn) smb_conn->signing.allow_smb_signing = true; smb_conn->signing.mandatory_signing = true; break; - case SMB_SIGNING_AUTO: - /* If we are a domain controller, SMB signing is - * really important, as it can prevent a number of - * attacks on communications between us and the - * clients */ - - if (lpcfg_server_role(smb_conn->lp_ctx) == ROLE_DOMAIN_CONTROLLER) { - smb_conn->signing.allow_smb_signing = true; - smb_conn->signing.mandatory_signing = true; - } else { - /* However, it really sucks (no sendfile, CPU - * overhead) performance-wise when used on a - * file server, so disable it by default (auto - * is the default) on non-DCs */ - smb_conn->signing.allow_smb_signing = false; - } - break; } return true; } |