s3/utils: Add warning to testparm for "client ipc signing" param values

We should warn about security sensitive settings where we can,
client ipc signing has 2 values that can allow connections to proceed
without SMB signing. This may be unavoidable (e.g. connecting to legacy
systems) but nevertheless it is worthwhile to warn.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jun  6 22:40:12 CEST 2017 on sn-devel-144

diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c
index 7883bca135cbbc562bfa071c8f171fd0d58c8e99..9589201d79096e7ebb48697d7512c3c85f60ded1 100644 (file)
--- a/source3/utils/testparm.c
+++ b/source3/utils/testparm.c
@@ -229,6 +229,18 @@ static int do_global_checks(void)
                                "must differ.\n\n");
        }
 
+       if (lp_client_ipc_signing() == SMB_SIGNING_IF_REQUIRED
+        || lp_client_ipc_signing() == SMB_SIGNING_OFF) {
+               fprintf(stderr, "WARNING: The 'client ipc signing' value "
+                       "%s SMB signing is not used when contacting a "
+                       "domain controller or other server. "
+                       "This setting is not recommended; please be "
+                       "aware of the security implications when using "
+                       "this configuration setting.\n\n",
+                       lp_client_ipc_signing() == SMB_SIGNING_OFF ?
+                       "ensures" : "may mean");
+       }
+
        if (strlen(lp_netbios_name()) > 15) {
                fprintf(stderr, "WARNING: The 'netbios name' is too long "
                                "(max. 15 chars).\n\n");