From df3844f4df14ea2143ba1856710c00b5ab856c44 Mon Sep 17 00:00:00 2001 From: Noel Power Date: Fri, 2 Jun 2017 15:50:48 +0100 Subject: [PATCH] s3/utils: Add warning to testparm for "client ipc signing" param values We should warn about security sensitive settings where we can, client ipc signing has 2 values that can allow connections to proceed without SMB signing. This may be unavoidable (e.g. connecting to legacy systems) but nevertheless it is worthwhile to warn. Signed-off-by: Noel Power Reviewed-by: Andreas Schneider Reviewed-by: Jeremy Allison Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Tue Jun 6 22:40:12 CEST 2017 on sn-devel-144 --- source3/utils/testparm.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c index 7883bca135c..9589201d790 100644 --- a/source3/utils/testparm.c +++ b/source3/utils/testparm.c @@ -229,6 +229,18 @@ static int do_global_checks(void) "must differ.\n\n"); } + if (lp_client_ipc_signing() == SMB_SIGNING_IF_REQUIRED + || lp_client_ipc_signing() == SMB_SIGNING_OFF) { + fprintf(stderr, "WARNING: The 'client ipc signing' value " + "%s SMB signing is not used when contacting a " + "domain controller or other server. " + "This setting is not recommended; please be " + "aware of the security implications when using " + "this configuration setting.\n\n", + lp_client_ipc_signing() == SMB_SIGNING_OFF ? + "ensures" : "may mean"); + } + if (strlen(lp_netbios_name()) > 15) { fprintf(stderr, "WARNING: The 'netbios name' is too long " "(max. 15 chars).\n\n"); -- 2.47.2