From 736098e2cf0fc63fb19525f265aff8e07cc7afba Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Tue, 23 Sep 2014 13:40:23 -0700
Subject: WHATSNEW: Include info on secured winbindd connections

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---
 WHATSNEW.txt | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 0ab0561fc3..78fc7779d3 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -90,6 +90,21 @@ services parameter specified should ensure they change 'winbind' to
 The 'samba' binary still manages the starting of this service, there
 is no need to start the winbindd binary manually.
 
+Winbind now requires secured connections
+========================================
+
+To improve protection against rouge domain controllers we now require
+that when we connect to an AD DC in our forest, that the connection be
+signed using SMB Signing.  Set 'client signing = off' in the smb.conf
+to disable.
+
+Also and DCE/RPC pipes must be sealed, set 'require strong key =
+false' and 'winbind sealed pipes = false' to disable.
+
+Finally, the default for 'client ldap sasl wrapping' has been set to
+'sign', to ensure the integrity of LDAP connections.  Set 'client ldap
+sasl wrapping = plain' to disable.
+
 Larger IO sizes for SMB2/3 by default
 =====================================
 
-- 
cgit