diff options
author | Andrew Bartlett <abartlet@samba.org> | 2008-09-22 16:32:04 -0700 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2008-09-22 16:32:04 -0700 |
commit | 3b5060fdbaee5ffdfcb304179772d5e89dc8cff0 (patch) | |
tree | b3eb100e980fb66f0caa5c1d9e1c71e4360d88b1 /source4 | |
parent | 7831169af5a909b614c8e34ef505f3565b4e2a0a (diff) | |
download | samba-3b5060fdbaee5ffdfcb304179772d5e89dc8cff0.tar.gz samba-3b5060fdbaee5ffdfcb304179772d5e89dc8cff0.tar.bz2 samba-3b5060fdbaee5ffdfcb304179772d5e89dc8cff0.zip |
Explain why we use signing for DCs, but not file servers
Diffstat (limited to 'source4')
-rw-r--r-- | source4/smb_server/smb/signing.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/source4/smb_server/smb/signing.c b/source4/smb_server/smb/signing.c index ee4531c8f6..21dc99b165 100644 --- a/source4/smb_server/smb/signing.c +++ b/source4/smb_server/smb/signing.c @@ -118,10 +118,19 @@ bool smbsrv_init_signing(struct smbsrv_connection *smb_conn) smb_conn->signing.mandatory_signing = true; break; case SMB_SIGNING_AUTO: + /* If we are a domain controller, SMB signing is + * really important, as it can prevent a number of + * attacks on communications between us and the + * clients */ + if (lp_server_role(smb_conn->lp_ctx) == ROLE_DOMAIN_CONTROLLER) { smb_conn->signing.allow_smb_signing = true; smb_conn->signing.mandatory_signing = true; } else { + /* However, it really sucks (no sendfile, CPU + * overhead) performance-wise when used on a + * file server, so disable it by default (auto + * is the default) on non-DCs */ smb_conn->signing.allow_smb_signing = false; } break; |