From d88a2d900f5eaab0acda0d0715a5c8ad7e92b315 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 16 Apr 2019 11:41:46 +0200
Subject: [PATCH 197/208] s3:param: Force SMB encryption for DECRPC over named
 pipes

If we do not allow weak crypto, we need to secure DCERPC with strong
crypto.

Signed-off-by: Andreas Schneider <asn@samba.org>
---
 source3/param/loadparm.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 923c2473662..b52e2bcb036 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -1616,6 +1616,11 @@ static bool lp_add_ipc(const char *ipc_name, bool guest_ok)
 	ServicePtrs[i]->browseable = sDefault.browseable;
 	ServicePtrs[i]->autoloaded = false;
 
+	/* Force SMB encryption for DECRPC over named pipes. */
+	if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+		ServicePtrs[i]->smb_encrypt = SMB_SIGNING_REQUIRED;
+	}
+
 	DEBUG(3, ("adding IPC service\n"));
 
 	TALLOC_FREE(comment);
-- 
2.23.0