On 14/04/16 10:02, Chris Boot wrote: > Firstly: > >> Finally, two important configuration options should be considered, >> that we were unable to silently change defaults for: >> - smb signing = required >> - ntlm auth = no >> >> Without smb signing = required, Man in the Middle attacks are >> still possible against our file server and classic/NT4-like/Samba3 >> Domain controller. (It is now enforced on our AD DC.) > > There is no parameter named "smb signing" in smb.conf, and Samba rightly > complains: > >> [2016/04/14 09:43:53, 0] ../lib/param/loadparm.c:743(lpcfg_map_parameter) >> Unknown parameter encountered: "smb signing" >> [2016/04/14 09:43:53, 0] >> ../lib/param/loadparm.c:1626(lpcfg_do_global_parameter) >> Ignoring unknown parameter "smb signing" > > I suspect you meant one/several of "client ipc signing", "client > signing" and/or "server signing" instead. Can you please clarify?
Someone has pointed out to me by private mail that this has been fixed in an updated NEWS entry, and there is a bug open about it: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820983 https://anonscm.debian.org/cgit/pkg-samba/samba.git/commit/?h=stable-update&id=cbcad2a543a28926ee712cf299dbdc03da351cb0 Please can we make sure that this makes it into the inevitable deb8u3 update? I'm filing a bug about the AD DC winbind issue now. Cheers, Chris -- Chris Boot Tiger Computing Ltd ISO27001:2013 Certified Tel: 01600 483 484 Web: https://www.tiger-computing.co.uk Registered in England. Company number: 3389961 Registered address: Wyastone Business Park, Wyastone Leys, Monmouth, NP25 3SR
