authorAndrew Bartlett <abartlet@samba.org>2008-09-22 16:32:04 -0700
committerAndrew Bartlett <abartlet@samba.org>2008-09-22 16:32:04 -0700
commit3b5060fdbaee5ffdfcb304179772d5e89dc8cff0 (patch)
treeb3eb100e980fb66f0caa5c1d9e1c71e4360d88b1 /source4
parent7831169af5a909b614c8e34ef505f3565b4e2a0a (diff)
Explain why we use signing for DCs, but not file servers
Diffstat (limited to 'source4')
-rw-r--r--source4/smb_server/smb/signing.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/source4/smb_server/smb/signing.c b/source4/smb_server/smb/signing.c
index ee4531c8f6..21dc99b165 100644
--- a/source4/smb_server/smb/signing.c
+++ b/source4/smb_server/smb/signing.c
@@ -118,10 +118,19 @@ bool smbsrv_init_signing(struct smbsrv_connection *smb_conn)
smb_conn->signing.mandatory_signing = true;
break;
case SMB_SIGNING_AUTO:
+ /* If we are a domain controller, SMB signing is
+ * really important, as it can prevent a number of
+ * attacks on communications between us and the
+ * clients */
+
if (lp_server_role(smb_conn->lp_ctx) == ROLE_DOMAIN_CONTROLLER) {
smb_conn->signing.allow_smb_signing = true;
smb_conn->signing.mandatory_signing = true;
} else {
+ /* However, it really sucks (no sendfile, CPU
+ * overhead) performance-wise when used on a
+ * file server, so disable it by default (auto
+ * is the default) on non-DCs */
smb_conn->signing.allow_smb_signing = false;
}
break;
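Review bot: The comment added in the else branch of `case SMB_SIGNING_AUTO` gives the performance reason but not the security consequence of `allow_smb_signing = false`. Judging by the field name, signing is then not offered at all rather than merely optional, so a client that wants signed sessions to a non-DC cannot get them in auto mode. Since auto is stated to be the default, I would spell that out, for example `/* NOTE: signing is not even offered here, so sessions to a non-DC have no SMB integrity protection unless the admin picks a stricter signing mode */`. The DC comment could also say which attacks are meant (tampering with or relaying traffic between clients and the DC) instead of "a number of attacks". The enclosing switch and `smbsrv_init_signing` begin and end outside the hunk, so the other signing modes are not visible here.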