From: Noel Power Date: Fri, 2 Jun 2017 14:50:48 +0000 (+0100) Subject: s3/utils: Add warning to testparm for "client ipc signing" param values X-Git-Tag: ldb-1.1.31~156 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=df3844f4df14ea2143ba1856710c00b5ab856c44;p=thirdparty%2Fsamba.git s3/utils: Add warning to testparm for "client ipc signing" param values We should warn about security sensitive settings where we can, client ipc signing has 2 values that can allow connections to proceed without SMB signing. This may be unavoidable (e.g. connecting to legacy systems) but nevertheless it is worthwhile to warn. Signed-off-by: Noel Power Reviewed-by: Andreas Schneider Reviewed-by: Jeremy Allison Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Tue Jun 6 22:40:12 CEST 2017 on sn-devel-144 --- diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c index 7883bca135c..9589201d790 100644 --- a/source3/utils/testparm.c +++ b/source3/utils/testparm.c @@ -229,6 +229,18 @@ static int do_global_checks(void) "must differ.\n\n"); } + if (lp_client_ipc_signing() == SMB_SIGNING_IF_REQUIRED + || lp_client_ipc_signing() == SMB_SIGNING_OFF) { + fprintf(stderr, "WARNING: The 'client ipc signing' value " + "%s SMB signing is not used when contacting a " + "domain controller or other server. " + "This setting is not recommended; please be " + "aware of the security implications when using " + "this configuration setting.\n\n", + lp_client_ipc_signing() == SMB_SIGNING_OFF ? + "ensures" : "may mean"); + } + if (strlen(lp_netbios_name()) > 15) { fprintf(stderr, "WARNING: The 'netbios name' is too long " "(max. 15 chars).\n\n");
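Review bot: the warning printed by the new fprintf call in do_global_checks() never names the configured value; it only selects "ensures" or "may mean", so someone reading testparm output cannot tell from the message whether the setting matched SMB_SIGNING_OFF or SMB_SIGNING_IF_REQUIRED. Consider printing the configured value in the message and stating that a value which requires signing clears the warning, so the text is actionable without consulting the man page. The condition and the ternary also call lp_client_ipc_signing() three times; reading it once into a local variable at the top of the check would keep the two comparisons and the wording selection visibly tied to the same value.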