From e665fc394074e5aebc22baa4aa1d8d45077ce37d Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Mon, 14 Oct 2013 13:45:42 +1300
Subject: lib/param: Consolidate code to enable smb signing on the server, always enable on AD DC This uses the code from the source4/ SMB server (the NTVFS smb server) in common, to force SMB Signing to be on when we are an AD DC. Andrew Bartlett Signed-off-by: Andrew Bartlett Reviewed-by: David Disseldorp Autobuild-User(master): David Disseldorp Autobuild-Date(master): Fri Nov 22 13:13:05 CET 2013 on sn-devel-104
---
source4/smb_server/smb/signing.c | 41 +++-------------------------------------
1 file changed, 3 insertions(+), 38 deletions(-) (limited to 'source4/smb_server')
diff --git a/source4/smb_server/smb/signing.c b/source4/smb_server/smb/signing.c
index d632e87ea7b..3fe7cff94fd 100644
--- a/source4/smb_server/smb/signing.c
+++ b/source4/smb_server/smb/signing.c
@@ -77,49 +77,14 @@ bool smbsrv_setup_signing(struct smbsrv_connection *smb_conn,
 bool smbsrv_init_signing(struct smbsrv_connection *smb_conn)
 {
- enum smb_signing_setting signing_setting;
-
 smb_conn->signing.mac_key = data_blob(NULL, 0);
 if (!smbcli_set_signing_off(&smb_conn->signing)) {
 return false;
 }
- signing_setting = lpcfg_server_signing(smb_conn->lp_ctx);
- if (signing_setting == SMB_SIGNING_DEFAULT) {
- /*
- * If we are a domain controller, SMB signing is
- * really important, as it can prevent a number of
- * attacks on communications between us and the
- * clients
- *
- * However, it really sucks (no sendfile, CPU
- * overhead) performance-wise when used on a
- * file server, so disable it by default
- * on non-DCs
- */
-
- if (lpcfg_server_role(smb_conn->lp_ctx) >= ROLE_ACTIVE_DIRECTORY_DC) {
- signing_setting = SMB_SIGNING_REQUIRED;
- } else {
- signing_setting = SMB_SIGNING_OFF;
- }
- }
-
- switch (signing_setting) {
- case SMB_SIGNING_DEFAULT:
- smb_panic(__location__);
- break;
- case SMB_SIGNING_OFF:
- smb_conn->signing.allow_smb_signing = false;
- break;
- case SMB_SIGNING_IF_REQUIRED:
- smb_conn->signing.allow_smb_signing = true;
- break;
- case SMB_SIGNING_REQUIRED:
- smb_conn->signing.allow_smb_signing = true;
- smb_conn->signing.mandatory_signing = true;
- break;
- }
+ smb_conn->signing.allow_smb_signing
+ = lpcfg_server_signing_allowed(smb_conn->lp_ctx,
+ &smb_conn->signing.mandatory_signing);
 return true;
 }
-- cgit v1.2.1
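Review bot: The new assignment in smbsrv_init_signing has no comment, and the block this commit removes was the only text in this file saying that an unset signing setting (SMB_SIGNING_DEFAULT) becomes required on an AD DC and off on other roles. A one-line comment at the call keeps that security-relevant default discoverable, e.g. `/* lpcfg_server_signing_allowed() resolves the role-dependent default (required on an AD DC) and sets mandatory_signing */`. The helper's body is outside this view (the diff is limited to source4/smb_server), so it is worth confirming that it stores through its second argument on every path. The old switch never wrote `mandatory_signing` in the SMB_SIGNING_OFF and SMB_SIGNING_IF_REQUIRED cases, whereas the new code depends entirely on that out-parameter for the field.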