Samba CVE-2016-2115: SMB client connections for IPC traffic are not integrity protected

Samba has an option called "client signing", this is turned off by default for performance reasons on file transfers.

This option is also used when using DCERPC with ncacn_np.

In order to get integrity protection for ipc related communication by default the "client ipc signing" option is introduced. The effective default for this new option is "mandatory".

In order to be compatible with more SMB server implementations, the following additional options are introduced: "client ipc min protocol" ("NT1" by default) and "client ipc max protocol" (the highest support SMB2/3 dialect by default). These options overwrite the "client min protocol" and "client max protocol" options, because the default for "client max protocol" is still "NT1". The reason for this is the fact that all SMB2/3 support SMB signing, while there are still SMB1 implementations which don't offer SMB signing by default (this includes Samba versions before 4.0.0).

Note that winbindd (in versions 4.2.0 and higher) enforces SMB signing against active directory domain controllers despite of the "client signing" and "client ipc signing" options.