diff options
author | Andrew Bartlett <abartlet@samba.org> | 2014-09-05 17:38:38 +1200 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2014-09-30 12:32:05 +0200 |
commit | afe02d12f444ad9a6abf31a61f578320520263a9 (patch) | |
tree | 8826e55ffd9d93a8cde8db09679e9d147bee497a | |
parent | e2cd3257141bd4a88cda1fff5bde9df60b253a97 (diff) | |
download | samba-afe02d12f444ad9a6abf31a61f578320520263a9.tar.gz |
winbindd: Change value of "ldap sasl wrapping" to sign
This is to disrupt MITM attacks between us and our DC
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r-- | docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml | 8 | ||||
-rw-r--r-- | lib/param/loadparm.c | 2 | ||||
-rw-r--r-- | source3/param/loadparm.c | 2 |
3 files changed, 7 insertions, 5 deletions
diff --git a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml index 076b05ca164..e0ce700079b 100644 --- a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml +++ b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml @@ -34,11 +34,9 @@ </para> <para> - The default value is <emphasis>plain</emphasis> which is not irritable - to KRB5 clock skew errors. That implies synchronizing the time - with the KDC in the case of using <emphasis>sign</emphasis> or - <emphasis>seal</emphasis>. + The default value is <emphasis>sign</emphasis>. That implies synchronizing the time + with the KDC in the case of using <emphasis>Kerberos</emphasis>. </para> </description> -<value type="default">plain</value> +<value type="default">sign</value> </samba:parameter> diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index 7b86a1eeb6d..9953053569a 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c @@ -2665,6 +2665,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) lpcfg_do_global_parameter(lp_ctx, "ldap debug threshold", "10"); + lpcfg_do_global_parameter(lp_ctx, "client ldap sasl wrapping", "sign"); + lpcfg_do_global_parameter(lp_ctx, "follow symlinks", "yes"); lpcfg_do_global_parameter(lp_ctx, "machine password timeout", "604800"); diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index 94d3b8de574..5ab0de71104 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -739,6 +739,8 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) Globals.ldap_debug_level = 0; Globals.ldap_debug_threshold = 10; + Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SIGN; + /* This is what we tell the afs client. in reality we set the token * to never expire, though, when this runs out the afs client will * forget the token. Set to 0 to get NEVERDATE.*/ |