winbindd: Change value of "ldap sasl wrapping" to sign
authorAndrew Bartlett <abartlet@samba.org>
Fri, 5 Sep 2014 05:38:38 +0000 (17:38 +1200)
committerStefan Metzmacher <metze@samba.org>
Tue, 30 Sep 2014 10:32:05 +0000 (12:32 +0200)
This is to disrupt MITM attacks between us and our DC

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
lib/param/loadparm.c
source3/param/loadparm.c

index 076b05ca1645f6c54461817c785151668b5d7a94..e0ce700079b76a6d2f6e11d0e9ac951a177b220a 100644 (file)
        </para>
 
        <para>
-       The default value is <emphasis>plain</emphasis> which is not irritable 
-       to KRB5 clock skew errors. That implies synchronizing the time
-       with the KDC in the case of using <emphasis>sign</emphasis> or 
-       <emphasis>seal</emphasis>.
+       The default value is <emphasis>sign</emphasis>. That implies synchronizing the time
+       with the KDC in the case of using <emphasis>Kerberos</emphasis>.
        </para>
 </description>
-<value type="default">plain</value>
+<value type="default">sign</value>
 </samba:parameter>
index 7b86a1eeb6d8c66221c64c07395ef47866908093..9953053569a03d4e88b1c50b00ba5b201659c490 100644 (file)
@@ -2665,6 +2665,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 
        lpcfg_do_global_parameter(lp_ctx, "ldap debug threshold", "10");
 
+       lpcfg_do_global_parameter(lp_ctx, "client ldap sasl wrapping", "sign");
+
        lpcfg_do_global_parameter(lp_ctx, "follow symlinks", "yes");
 
        lpcfg_do_global_parameter(lp_ctx, "machine password timeout", "604800");
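Review bot: The added `client ldap sasl wrapping` default has no comment, and the same default is set a second time in init_globals() in source3/param/loadparm.c, there as `ADS_AUTH_SASL_SIGN` rather than the string "sign". Nothing on either line tells a later editor that the two must change together, so one copy could drift back to an unsigned default unnoticed. I would add above the call `/* Security default: sign LDAP traffic to the DC; keep in sync with init_globals() in source3/param/loadparm.c */`. loadparm_init() begins and ends outside this hunk, so whether a later call overrides the value is not visible here.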
index 94d3b8de574e4ec9b8f9179dc17ecca8010566c8..5ab0de71104acccd96d24ab3f044015a7f7d53ed 100644 (file)
@@ -739,6 +739,8 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
        Globals.ldap_debug_level = 0;
        Globals.ldap_debug_threshold = 10;
 
+       Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SIGN;
+
        /* This is what we tell the afs client. in reality we set the token 
         * to never expire, though, when this runs out the afs client will 
         * forget the token. Set to 0 to get NEVERDATE.*/
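Review bot: `ADS_AUTH_SASL_SIGN` gives integrity protection only, and the added assignment carries no comment saying so. A reader going by the commit message could take "disrupt MITM attacks" to cover eavesdropping, which signing does not stop. I would annotate the line with `/* sign = tamper protection only; "seal" additionally encrypts the LDAP session */`. The manpage text changed in this commit says the new default implies time synchronisation with the KDC when Kerberos is used; the comment could mention that too, since clock-skew failures are presumably the most likely reason someone would set the value back to plain. init_globals() continues outside the hunk.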