s3-winbindd: Require SMB signing by default to disrupt MITM attacks with our DC
authorAndrew Bartlett <abartlet@samba.org>
Fri, 11 Oct 2013 02:10:29 +0000 (15:10 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Sun, 28 Sep 2014 04:25:55 +0000 (06:25 +0200)
This makes it much harder to impersonate the DC, but allows this to be
turned off or returned to IF_REQUIRED with a simple change to the
'client signing' smb.conf parameter.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun Sep 28 06:25:55 CEST 2014 on sn-devel-104

source3/winbindd/winbindd_cm.c

index 1e639b7cfa67a5aacaa8ce708e30fb564e4a954a..05e9692faf45e23a6573ee1261d24c82dd5c0c1f 100644 (file)
@@ -96,6 +96,7 @@ extern bool override_logfile;
 
 static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain, bool need_rw_dc);
 static void set_dc_type_and_flags( struct winbindd_domain *domain );
+static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain );
 static bool get_dcs(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain,
                    struct dc_name_ip **dcs, int *num_dcs);
 
@@ -881,6 +882,29 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
 
        NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
 
+       enum smb_signing_setting smb_sign_client_connections = lp_client_signing();
+
+       if (smb_sign_client_connections == SMB_SIGNING_DEFAULT) {
+               /*
+                * If we are connecting to our own AD domain, require
+                * smb signing to disrupt MITM attacks
+                */
+               if (domain->primary && lp_security() == SEC_ADS) {
+                       smb_sign_client_connections = SMB_SIGNING_REQUIRED;
+               /*
+                * If we are in or are an AD domain and connecting to another
+                * AD domain in our forest
+                * then require smb signing to disrupt MITM attacks
+                */
+               } else if ((lp_security() == SEC_ADS ||
+                           lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC)
+                          && domain->active_directory
+                          && (domain->domain_trust_attribs
+                              & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST)) {
+                       smb_sign_client_connections = SMB_SIGNING_REQUIRED;
+               }
+       }
+
        DEBUG(10,("cm_prepare_connection: connecting to DC %s for domain %s\n",
                controller, domain->name ));
 
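Review bot: The comment introducing the within-forest branch is placed inside the primary-domain if-body, between `smb_sign_client_connections = SMB_SIGNING_REQUIRED;` and `} else if`, so it reads as a trailing comment on the first case; moving it just below the `} else if (...) {` line keeps each comment attached to the branch it describes. Both branches also call `lp_security()` separately; hoisting it into a local before the `if (smb_sign_client_connections == SMB_SIGNING_DEFAULT)` check would shorten the second condition and make it obvious the same value is being tested. The first branch requires `lp_security() == SEC_ADS` for the primary domain while the second additionally accepts `lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC`; if that asymmetry is intentional, a one-line comment on the primary-domain branch explaining why the DC role is not considered there would help later readers. cm_prepare_connection's body starts and ends outside this hunk.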
@@ -900,7 +924,7 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
 
        *cli = cli_state_create(NULL, sockfd,
                                controller, domain->alt_name,
-                               SMB_SIGNING_DEFAULT, flags);
+                               smb_sign_client_connections, flags);
        if (*cli == NULL) {
                close(sockfd);
                DEBUG(1, ("Could not cli_initialize\n"));
@@ -1958,6 +1982,14 @@ static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain, bool
 
        invalidate_cm_connection(&domain->conn);
 
+       if (!domain->primary && !domain->initialized) {
+               /*
+                * Before we connect to a trust, work out if it is an
+                * AD domain by asking our own domain.
+                */
+               set_dc_type_and_flags_trustinfo(domain);
+       }
+
        result = cm_open_connection(domain, &domain->conn);
 
        if (NT_STATUS_IS_OK(result) && !domain->initialized) {
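Review bot: The boolean returned by `set_dc_type_and_flags_trustinfo(domain)` is discarded, so a failed trust lookup is silent; since cm_prepare_connection derives the signing requirement from `domain->active_directory` and `domain->domain_trust_attribs`, a lookup that fails presumably leaves the trust connecting with SMB_SIGNING_DEFAULT rather than SMB_SIGNING_REQUIRED. Logging the failure keeps that downgrade visible to an operator: `if (!set_dc_type_and_flags_trustinfo(domain)) { DEBUG(1, ("could not determine trust info for domain %s; SMB signing will not be required\n", domain->name)); }`. The function's body is outside this diff, so what a false return leaves in those fields cannot be confirmed here; init_dc_connection_network continues outside the hunk.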