summaryrefslogtreecommitdiff
path: root/source4
diff options
context:
space:
mode:
Diffstat (limited to 'source4')
-rw-r--r--source4/smb_server/smb/signing.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/source4/smb_server/smb/signing.c b/source4/smb_server/smb/signing.c
index ee4531c8f6..21dc99b165 100644
--- a/source4/smb_server/smb/signing.c
+++ b/source4/smb_server/smb/signing.c
@@ -118,10 +118,19 @@ bool smbsrv_init_signing(struct smbsrv_connection *smb_conn)
smb_conn->signing.mandatory_signing = true;
break;
case SMB_SIGNING_AUTO:
+ /* If we are a domain controller, SMB signing is
+ * really important, as it can prevent a number of
+ * attacks on communications between us and the
+ * clients */
+
if (lp_server_role(smb_conn->lp_ctx) == ROLE_DOMAIN_CONTROLLER) {
smb_conn->signing.allow_smb_signing = true;
smb_conn->signing.mandatory_signing = true;
} else {
+ /* However, it really sucks (no sendfile, CPU
+ * overhead) performance-wise when used on a
+ * file server, so disable it by default (auto
+ * is the default) on non-DCs */
smb_conn->signing.allow_smb_signing = false;
}
break;