diff options
| author | Stefan Metzmacher <metze@samba.org> | 2011-11-02 17:50:23 +0100 |
|---|---|---|
| committer | Stefan Metzmacher <metze@samba.org> | 2011-11-03 16:55:11 +0100 |
| commit | ebb9d4dc542eefbad8bb3d36e3b0ddb65402e192 (patch) | |
| tree | aa3f89671e40404fcea666da1af123c76683924e /source4/smb_server | |
| parent | aa70b7e0fcafbc92dd779e42dcc5ed55f4035bcf (diff) | |
| download | samba-ebb9d4dc542eefbad8bb3d36e3b0ddb65402e192.tar.gz samba-ebb9d4dc542eefbad8bb3d36e3b0ddb65402e192.tar.bz2 samba-ebb9d4dc542eefbad8bb3d36e3b0ddb65402e192.zip | |
s4:smb_server/smb2: add the same SMB_SIGNING_AUTO logic as for smb1
metze
Diffstat (limited to 'source4/smb_server')
| -rw-r--r-- | source4/smb_server/smb2/negprot.c | 27 |
1 files changed, 25 insertions, 2 deletions
diff --git a/source4/smb_server/smb2/negprot.c b/source4/smb_server/smb2/negprot.c index dd69c9fc7e..892953635c 100644 --- a/source4/smb_server/smb2/negprot.c +++ b/source4/smb_server/smb2/negprot.c @@ -97,6 +97,8 @@ static NTSTATUS smb2srv_negprot_backend(struct smb2srv_request *req, struct smb2 struct timeval boot_time; uint16_t i; uint16_t dialect = 0; + enum smb_signing_setting signing_setting; + struct loadparm_context *lp_ctx = req->smb_conn->lp_ctx; /* we only do one dialect for now */ if (io->in.dialect_count < 1) { @@ -119,12 +121,33 @@ static NTSTATUS smb2srv_negprot_backend(struct smb2srv_request *req, struct smb2 boot_time = timeval_current(); /* TODO: fix me */ ZERO_STRUCT(io->out); - switch (lpcfg_server_signing(req->smb_conn->lp_ctx)) { + + signing_setting = lpcfg_server_signing(lp_ctx); + if (signing_setting == SMB_SIGNING_AUTO) { + /* + * If we are a domain controller, SMB signing is + * really important, as it can prevent a number of + * attacks on communications between us and the + * clients + * + * However, it really sucks (no sendfile, CPU + * overhead) performance-wise when used on a + * file server, so disable it by default + * on non-DCs + */ + + if (lpcfg_server_role(lp_ctx) >= ROLE_DOMAIN_CONTROLLER) { + signing_setting = SMB_SIGNING_REQUIRED; + } else { + signing_setting = SMB_SIGNING_OFF; + } + } + + switch (signing_setting) { case SMB_SIGNING_OFF: io->out.security_mode = 0; break; case SMB_SIGNING_SUPPORTED: - case SMB_SIGNING_AUTO: io->out.security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED; break; case SMB_SIGNING_REQUIRED: |