--- /dev/null
+<samba:parameter name="client ipc signing"
+ context="G"
+ type="enum"
+ function="_client_ipc_signing"
+ enumlist="enum_smb_signing_vals"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This controls whether the client is allowed or required to use SMB signing for IPC$
+ connections as DCERPC transport. Possible values
+ are <emphasis>auto</emphasis>, <emphasis>mandatory</emphasis>
+ and <emphasis>disabled</emphasis>.
+ </para>
+
+ <para>The default value is the same as the effective value of
+ <smbconfoption name="client signing"/> if the effective value of
+ <smbconfoption name="client ipc min protocol"/> is
+ <constant>NT1</constant>. In any other case the default value is
+ <constant>mandatory</constant>.</para>
+
+ <para>Note that the default value will be changed to <constant>mandatory</constant>
+ in all cases for Samba 4.5</para>
+
+ <para>When the effective value of this option is <constant>mandatory</constant>, SMB signing is required.</para>
+
+ <para>When set to auto, SMB signing is offered, but not enforced and if set
+ to disabled, SMB signing is not offered either.</para>
+
+ <para>Connections from winbindd to Active Directory Domain Controllers
+ always enforce signing.</para>
+</description>
+
+<related>client signing</related>
+
+<value type="default">default</value>
+</samba:parameter>
and <emphasis>disabled</emphasis>.
</para>
- <para>When set to auto or default, SMB signing is offered, but not
- enforced, except in winbindd, where it is enforced to Active
- Directory Domain Controllers. </para>
+ <para>When set to auto or default, SMB signing is offered, but not enforced.</para>
<para>When set to mandatory, SMB signing is required and if set
- to disabled, SMB signing is not offered either.
-</para>
+ to disabled, SMB signing is not offered either.</para>
+
+ <para>IPC$ connections for DCERPC e.g. in winbindd, are handled by the
+ <smbconfoption name="client ipc signing"/> option.</para>
</description>
+<related>client ipc signing</related>
+
<value type="default">default</value>
</samba:parameter>
lpcfg_do_global_parameter(lp_ctx, "template homedir", "/home/%D/%U");
lpcfg_do_global_parameter(lp_ctx, "client signing", "default");
+ lpcfg_do_global_parameter(lp_ctx, "client ipc signing", "default");
lpcfg_do_global_parameter(lp_ctx, "server signing", "default");
lpcfg_do_global_parameter(lp_ctx, "use spnego", "True");
return client_ipc_max_protocol;
}
+int lpcfg_client_ipc_signing(struct loadparm_context *lp_ctx)
+{
+ int client_ipc_signing = lpcfg__client_ipc_signing(lp_ctx);
+ if (client_ipc_signing == SMB_SIGNING_DEFAULT) {
+ int ipc_min_protocol = lpcfg_client_ipc_min_protocol(lp_ctx);
+ if (ipc_min_protocol >= PROTOCOL_SMB2_02) {
+ return SMB_SIGNING_REQUIRED;
+ }
+ return lpcfg_client_signing(lp_ctx);
+ }
+ return client_ipc_signing;
+}
+
bool lpcfg_server_signing_allowed(struct loadparm_context *lp_ctx, bool *mandatory)
{
bool allowed = true;
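Review bot: In `lpcfg_client_ipc_signing` the `SMB_SIGNING_DEFAULT` branch returns `lpcfg_client_signing(lp_ctx)` unchanged whenever the IPC minimum protocol is below `PROTOCOL_SMB2_02`. With the `client signing = default` registered elsewhere in this commit, IPC$ connections that may negotiate NT1 are therefore offered signing but not required to use it. That agrees with the new manual page text, but nothing in the code states it. The fallback may also hand back `SMB_SIGNING_DEFAULT` itself if `lpcfg_client_signing` does not resolve it (its body is not visible here), leaving callers to interpret that value. I would add a comment above the function, for example `/* "default" resolves to required for SMB2+ only; when NT1 is allowed it inherits "client signing" and IPC$ may stay unsigned */`. The same comment belongs on `lp_client_ipc_signing` in the later hunk, which duplicates this logic and has to be kept in step with it.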
int lp_winbindd_max_protocol(void);
int lp_client_ipc_min_protocol(void);
int lp_client_ipc_max_protocol(void);
+int lp_client_ipc_signing(void);
int lp_smb2_max_credits(void);
int lp_cups_encrypt(void);
bool lp_widelinks(int );
Globals.client_use_spnego = true;
Globals.client_signing = SMB_SIGNING_DEFAULT;
+ Globals._client_ipc_signing = SMB_SIGNING_DEFAULT;
Globals.server_signing = SMB_SIGNING_DEFAULT;
Globals.defer_sharing_violations = true;
return client_ipc_max_protocol;
}
+int lp_client_ipc_signing(void)
+{
+ int client_ipc_signing = lp__client_ipc_signing();
+ if (client_ipc_signing == SMB_SIGNING_DEFAULT) {
+ int ipc_min_protocol = lp_client_ipc_min_protocol();
+ if (ipc_min_protocol >= PROTOCOL_SMB2_02) {
+ return SMB_SIGNING_REQUIRED;
+ }
+ return lp_client_signing();
+ }
+ return client_ipc_signing;
+}
+
struct loadparm_global * get_globals(void)
{
return &Globals;