authorAndrew Bartlett <abartlet@samba.org>2013-10-14 13:45:42 +1300
committerDavid Disseldorp <ddiss@samba.org>2013-11-22 13:13:03 +0100
commite665fc394074e5aebc22baa4aa1d8d45077ce37d (patch)
tree498f64c40723a7851aff5702b0e5a1d156228827 /lib/param
parent000172a5ab7e4bfac7ef618d0d78ec7fe95d0e2a (diff)
lib/param: Consolidate code to enable smb signing on the server, always enable on AD DC
This uses the code from the source4/ SMB server (the NTVFS smb server) in common, to force SMB Signing to be on when we are an AD DC. Andrew Bartlett Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: David Disseldorp <ddiss@samba.org> Autobuild-User(master): David Disseldorp <ddiss@samba.org> Autobuild-Date(master): Fri Nov 22 13:13:05 CET 2013 on sn-devel-104
Diffstat (limited to 'lib/param')
-rw-r--r--lib/param/loadparm.c42
1 files changed, 42 insertions, 0 deletions
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 71f62edf82..df2ff6e11b 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2611,3 +2611,45 @@ int lpcfg_security(struct loadparm_context *lp_ctx)
return lp_find_security(lpcfg__server_role(lp_ctx),
lpcfg__security(lp_ctx));
}
+
+bool lpcfg_server_signing_allowed(struct loadparm_context *lp_ctx, bool *mandatory)
+{
+ bool allowed = true;
+ enum smb_signing_setting signing_setting = lpcfg_server_signing(lp_ctx);
+
+ *mandatory = false;
+
+ if (signing_setting == SMB_SIGNING_DEFAULT) {
+ /*
+ * If we are a domain controller, SMB signing is
+ * really important, as it can prevent a number of
+ * attacks on communications between us and the
+ * clients
+ *
+ * However, it really sucks (no sendfile, CPU
+ * overhead) performance-wise when used on a
+ * file server, so disable it by default
+ * on non-DCs
+ */
+
+ if (lpcfg_server_role(lp_ctx) >= ROLE_ACTIVE_DIRECTORY_DC) {
+ signing_setting = SMB_SIGNING_REQUIRED;
+ } else {
+ signing_setting = SMB_SIGNING_OFF;
+ }
+ }
+
+ switch (signing_setting) {
+ case SMB_SIGNING_REQUIRED:
+ *mandatory = true;
+ break;
+ case SMB_SIGNING_IF_REQUIRED:
+ break;
+ case SMB_SIGNING_DEFAULT:
+ case SMB_SIGNING_OFF:
+ allowed = false;
+ break;
+ }
+
+ return allowed;
+}
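Review bot: The default-role test `lpcfg_server_role(lp_ctx) >= ROLE_ACTIVE_DIRECTORY_DC` is an ordered comparison on an enum, so which roles end up with `SMB_SIGNING_REQUIRED` depends on the numeric order of the role constants, which this hunk does not show. The comment above it says "If we are a domain controller", but if the classic PDC/BDC roles sort below `ROLE_ACTIVE_DIRECTORY_DC` (as I believe they do), they take the `SMB_SIGNING_OFF` branch and by default neither offer nor require signing. If only the AD DC role is meant, I would write `== ROLE_ACTIVE_DIRECTORY_DC` and tighten the comment to `If we are an AD DC, SMB signing is really important`; if classic DCs are meant to stay unsigned by default, the comment should say so explicitly. Separately, the `switch (signing_setting)` has no `default:`, so a value outside the four listed cases returns `allowed == true` with `*mandatory == false`; a one-line comment stating that this fallback is intended, or an explicit arm, would make the behaviour for future enum values deliberate.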