WHATSNEW: Include info on secured winbindd connections

Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
author: Andrew Bartlett <abartlet@samba.org> 2014-09-23 13:40:23 -0700
committer: Stefan Metzmacher <metze@samba.org> 2014-09-30 12:32:05 +0200
commit: 736098e2cf0fc63fb19525f265aff8e07cc7afba (patch)
tree: 375c2bed6ecdf1dfbcd35808482b6847b0ad1c4e /WHATSNEW.txt
parent: afe02d12f444ad9a6abf31a61f578320520263a9 (diff)
download: samba-736098e2cf0fc63fb19525f265aff8e07cc7afba.tar.gz
1 files changed, 15 insertions, 0 deletions
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 0ab0561fc3b..78fc7779d3a 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -90,6 +90,21 @@ services parameter specified should ensure they change 'winbind' to
 The 'samba' binary still manages the starting of this service, there
 is no need to start the winbindd binary manually.
 
+Winbind now requires secured connections
+========================================
+
+To improve protection against rouge domain controllers we now require
+that when we connect to an AD DC in our forest, that the connection be
+signed using SMB Signing.  Set 'client signing = off' in the smb.conf
+to disable.
+
+Also and DCE/RPC pipes must be sealed, set 'require strong key =
+false' and 'winbind sealed pipes = false' to disable.
+
+Finally, the default for 'client ldap sasl wrapping' has been set to
+'sign', to ensure the integrity of LDAP connections.  Set 'client ldap
+sasl wrapping = plain' to disable.
+
 Larger IO sizes for SMB2/3 by default
 =====================================
author	Andrew Bartlett <abartlet@samba.org>	2014-09-23 13:40:23 -0700
committer	Stefan Metzmacher <metze@samba.org>	2014-09-30 12:32:05 +0200
commit	736098e2cf0fc63fb19525f265aff8e07cc7afba (patch)
tree	375c2bed6ecdf1dfbcd35808482b6847b0ad1c4e /WHATSNEW.txt
parent	afe02d12f444ad9a6abf31a61f578320520263a9 (diff)
download	samba-736098e2cf0fc63fb19525f265aff8e07cc7afba.tar.gz