From 736098e2cf0fc63fb19525f265aff8e07cc7afba Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 23 Sep 2014 13:40:23 -0700 Subject: WHATSNEW: Include info on secured winbindd connections Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher --- WHATSNEW.txt | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 0ab0561fc3..78fc7779d3 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -90,6 +90,21 @@ services parameter specified should ensure they change 'winbind' to The 'samba' binary still manages the starting of this service, there is no need to start the winbindd binary manually. +Winbind now requires secured connections +======================================== + +To improve protection against rouge domain controllers we now require +that when we connect to an AD DC in our forest, that the connection be +signed using SMB Signing. Set 'client signing = off' in the smb.conf +to disable. + +Also and DCE/RPC pipes must be sealed, set 'require strong key = +false' and 'winbind sealed pipes = false' to disable. + +Finally, the default for 'client ldap sasl wrapping' has been set to +'sign', to ensure the integrity of LDAP connections. Set 'client ldap +sasl wrapping = plain' to disable. + Larger IO sizes for SMB2/3 by default ===================================== -- cgit
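Review bot: two wording errors in the added "Winbind now requires secured connections" section should be fixed before this reaches the release notes. In the first paragraph, "rouge domain controllers" should read "rogue domain controllers", and the second paragraph's "Also and DCE/RPC pipes must be sealed" does not parse (likely intended as "Also, DCE/RPC pipes must be sealed"). Separately, all three paragraphs document only the setting that switches the new requirement off. Consider stating that 'client signing = off', 'require strong key = false', 'winbind sealed pipes = false' and 'client ldap sasl wrapping = plain' each remove part of the protection against rogue DCs that the section introduces. It would also help to name the new default for the signing and sealing options the way the third paragraph does for 'client ldap sasl wrapping' ('sign'), so an administrator who disabled one temporarily knows what value to restore.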