diff options
author | Andreas Schneider <asn@samba.org> | 2019-10-10 14:18:23 +0200 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2020-08-19 16:22:40 +0000 |
commit | bd5a888746e15eff0a3f24e2a3e8e853fab0993b (patch) | |
tree | 504e46b92304603bb8ebb0a30712341fd9a8a2f1 | |
parent | e9135035400494ed198e2a1964463c42db7a00c2 (diff) | |
download | samba-bd5a888746e15eff0a3f24e2a3e8e853fab0993b.tar.gz |
param: Add 'server smb encrypt' parameter
And this also makes 'smb encrypt' a synonym of that.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
-rw-r--r-- | docs-xml/smbdotconf/security/serversmbencrypt.xml | 241 | ||||
-rw-r--r-- | docs-xml/smbdotconf/security/smbencrypt.xml | 241 | ||||
-rw-r--r-- | source3/param/loadparm.c | 2 | ||||
-rw-r--r-- | source3/smbd/service.c | 4 | ||||
-rw-r--r-- | source3/smbd/smb2_negprot.c | 2 | ||||
-rw-r--r-- | source3/smbd/smb2_sesssetup.c | 4 | ||||
-rw-r--r-- | source3/smbd/smb2_tcon.c | 4 | ||||
-rw-r--r-- | source3/smbd/trans2.c | 2 |
8 files changed, 257 insertions, 243 deletions
diff --git a/docs-xml/smbdotconf/security/serversmbencrypt.xml b/docs-xml/smbdotconf/security/serversmbencrypt.xml new file mode 100644 index 00000000000..714aacbf1ca --- /dev/null +++ b/docs-xml/smbdotconf/security/serversmbencrypt.xml @@ -0,0 +1,241 @@ +<samba:parameter name="server smb encrypt" + context="S" + type="enum" + enumlist="enum_smb_signing_vals" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + This parameter controls whether a remote client is allowed or required + to use SMB encryption. It has different effects depending on whether + the connection uses SMB1 or SMB2 and newer: + </para> + + <itemizedlist> + <listitem> + <para> + If the connection uses SMB1, then this option controls the use + of a Samba-specific extension to the SMB protocol introduced in + Samba 3.2 that makes use of the Unix extensions. + </para> + </listitem> + + <listitem> + <para> + If the connection uses SMB2 or newer, then this option controls + the use of the SMB-level encryption that is supported in SMB + version 3.0 and above and available in Windows 8 and newer. + </para> + </listitem> + </itemizedlist> + + <para> + This parameter can be set globally and on a per-share bases. + Possible values are + + <emphasis>off</emphasis>, + <emphasis>if_required</emphasis>, + <emphasis>desired</emphasis>, + and + <emphasis>required</emphasis>. + A special value is <emphasis>default</emphasis> which is + the implicit default setting of <emphasis>if_required</emphasis>. + </para> + + <variablelist> + <varlistentry> + <term><emphasis>Effects for SMB1</emphasis></term> + <listitem> + <para> + The Samba-specific encryption of SMB1 connections is an + extension to the SMB protocol negotiated as part of the UNIX + extensions. SMB encryption uses the GSSAPI (SSPI on Windows) + ability to encrypt and sign every request/response in a SMB + protocol stream. When enabled it provides a secure method of + SMB/CIFS communication, similar to an ssh protected session, but + using SMB/CIFS authentication to negotiate encryption and + signing keys. Currently this is only supported smbclient of by + Samba 3.2 and newer, and hopefully soon Linux CIFSFS and MacOS/X + clients. Windows clients do not support this feature. + </para> + + <para>This may be set on a per-share + basis, but clients may chose to encrypt the entire session, not + just traffic to a specific share. If this is set to mandatory + then all traffic to a share <emphasis>must</emphasis> + be encrypted once the connection has been made to the share. + The server would return "access denied" to all non-encrypted + requests on such a share. Selecting encrypted traffic reduces + throughput as smaller packet sizes must be used (no huge UNIX + style read/writes allowed) as well as the overhead of encrypting + and signing all the data. + </para> + + <para> + If SMB encryption is selected, Windows style SMB signing (see + the <smbconfoption name="server signing"/> option) is no longer + necessary, as the GSSAPI flags use select both signing and + sealing of the data. + </para> + + <para> + When set to auto or default, SMB encryption is offered, but not + enforced. When set to mandatory, SMB encryption is required and + if set to disabled, SMB encryption can not be negotiated. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><emphasis>Effects for SMB2 and newer</emphasis></term> + <listitem> + <para> + Native SMB transport encryption is available in SMB version 3.0 + or newer. It is only offered by Samba if + <emphasis>server max protocol</emphasis> is set to + <emphasis>SMB3</emphasis> or newer. + Clients supporting this type of encryption include + Windows 8 and newer, + Windows server 2012 and newer, + and smbclient of Samba 4.1 and newer. + </para> + + <para> + The protocol implementation offers various options: + </para> + + <itemizedlist> + <listitem> + <para> + The capability to perform SMB encryption can be + negotiated during protocol negotiation. + </para> + </listitem> + + <listitem> + <para> + Data encryption can be enabled globally. In that case, + an encryption-capable connection will have all traffic + in all its sessions encrypted. In particular all share + connections will be encrypted. + </para> + </listitem> + + <listitem> + <para> + Data encryption can also be enabled per share if not + enabled globally. For an encryption-capable connection, + all connections to an encryption-enabled share will be + encrypted. + </para> + </listitem> + + <listitem> + <para> + Encryption can be enforced. This means that session + setups will be denied on non-encryption-capable + connections if data encryption has been enabled + globally. And tree connections will be denied for + non-encryption capable connections to shares with data + encryption enabled. + </para> + </listitem> + </itemizedlist> + + <para> + These features can be controlled with settings of + <emphasis>server smb encrypt</emphasis> as follows: + </para> + + <itemizedlist> + <listitem> + <para> + Leaving it as default, explicitly setting + <emphasis>default</emphasis>, or setting it to + <emphasis>if_required</emphasis> globally will enable + negotiation of encryption but will not turn on + data encryption globally or per share. + </para> + </listitem> + + <listitem> + <para> + Setting it to <emphasis>desired</emphasis> globally + will enable negotiation and will turn on data encryption + on sessions and share connections for those clients + that support it. + </para> + </listitem> + + <listitem> + <para> + Setting it to <emphasis>required</emphasis> globally + will enable negotiation and turn on data encryption + on sessions and share connections. Clients that do + not support encryption will be denied access to the + server. + </para> + </listitem> + + <listitem> + <para> + Setting it to <emphasis>off</emphasis> globally will + completely disable the encryption feature for all + connections. Setting <parameter>server smb encrypt = + required</parameter> for individual shares (while it's + globally off) will deny access to this shares for all + clients. + </para> + </listitem> + + <listitem> + <para> + Setting it to <emphasis>desired</emphasis> on a share + will turn on data encryption for this share for clients + that support encryption if negotiation has been + enabled globally. + </para> + </listitem> + + <listitem> + <para> + Setting it to <emphasis>required</emphasis> on a share + will enforce data encryption for this share if + negotiation has been enabled globally. I.e. clients that + do not support encryption will be denied access to the + share. + </para> + <para> + Note that this allows per-share enforcing to be + controlled in Samba differently from Windows: + In Windows, <emphasis>RejectUnencryptedAccess</emphasis> + is a global setting, and if it is set, all shares with + data encryption turned on + are automatically enforcing encryption. In order to + achieve the same effect in Samba, one + has to globally set <emphasis>server smb encrypt</emphasis> to + <emphasis>if_required</emphasis>, and then set all shares + that should be encrypted to + <emphasis>required</emphasis>. + Additionally, it is possible in Samba to have some + shares with encryption <emphasis>required</emphasis> + and some other shares with encryption only + <emphasis>desired</emphasis>, which is not possible in + Windows. + </para> + </listitem> + + <listitem> + <para> + Setting it to <emphasis>off</emphasis> or + <emphasis>if_required</emphasis> for a share has + no effect. + </para> + </listitem> + </itemizedlist> + </listitem> + </varlistentry> + </variablelist> +</description> + +<value type="default">default</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/smbencrypt.xml b/docs-xml/smbdotconf/security/smbencrypt.xml index 32a22cb58f5..798e616b765 100644 --- a/docs-xml/smbdotconf/security/smbencrypt.xml +++ b/docs-xml/smbdotconf/security/smbencrypt.xml @@ -1,241 +1,14 @@ <samba:parameter name="smb encrypt" - context="S" - type="enum" - enumlist="enum_smb_signing_vals" - xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> + context="S" + type="enum" + enumlist="enum_smb_signing_vals" + function="server_smb_encrypt" + synonym="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> <para> - This parameter controls whether a remote client is allowed or required - to use SMB encryption. It has different effects depending on whether - the connection uses SMB1 or SMB2 and newer: + This is a synonym for <smbconfoption name="server smb encrypt"/>. </para> - - <itemizedlist> - <listitem> - <para> - If the connection uses SMB1, then this option controls the use - of a Samba-specific extension to the SMB protocol introduced in - Samba 3.2 that makes use of the Unix extensions. - </para> - </listitem> - - <listitem> - <para> - If the connection uses SMB2 or newer, then this option controls - the use of the SMB-level encryption that is supported in SMB - version 3.0 and above and available in Windows 8 and newer. - </para> - </listitem> - </itemizedlist> - - <para> - This parameter can be set globally and on a per-share bases. - Possible values are - <emphasis>off</emphasis> (or <emphasis>disabled</emphasis>), - <emphasis>enabled</emphasis> (or <emphasis>auto</emphasis>, or - <emphasis>if_required</emphasis>), - <emphasis>desired</emphasis>, - and - <emphasis>required</emphasis> - (or <emphasis>mandatory</emphasis>). - A special value is <emphasis>default</emphasis> which is - the implicit default setting of <emphasis>enabled</emphasis>. - </para> - - <variablelist> - <varlistentry> - <term><emphasis>Effects for SMB1</emphasis></term> - <listitem> - <para> - The Samba-specific encryption of SMB1 connections is an - extension to the SMB protocol negotiated as part of the UNIX - extensions. SMB encryption uses the GSSAPI (SSPI on Windows) - ability to encrypt and sign every request/response in a SMB - protocol stream. When enabled it provides a secure method of - SMB/CIFS communication, similar to an ssh protected session, but - using SMB/CIFS authentication to negotiate encryption and - signing keys. Currently this is only supported smbclient of by - Samba 3.2 and newer, and hopefully soon Linux CIFSFS and MacOS/X - clients. Windows clients do not support this feature. - </para> - - <para>This may be set on a per-share - basis, but clients may chose to encrypt the entire session, not - just traffic to a specific share. If this is set to mandatory - then all traffic to a share <emphasis>must</emphasis> - be encrypted once the connection has been made to the share. - The server would return "access denied" to all non-encrypted - requests on such a share. Selecting encrypted traffic reduces - throughput as smaller packet sizes must be used (no huge UNIX - style read/writes allowed) as well as the overhead of encrypting - and signing all the data. - </para> - - <para> - If SMB encryption is selected, Windows style SMB signing (see - the <smbconfoption name="server signing"/> option) is no longer - necessary, as the GSSAPI flags use select both signing and - sealing of the data. - </para> - - <para> - When set to auto or default, SMB encryption is offered, but not - enforced. When set to mandatory, SMB encryption is required and - if set to disabled, SMB encryption can not be negotiated. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term><emphasis>Effects for SMB2</emphasis></term> - <listitem> - <para> - Native SMB transport encryption is available in SMB version 3.0 - or newer. It is only offered by Samba if - <emphasis>server max protocol</emphasis> is set to - <emphasis>SMB3</emphasis> or newer. - Clients supporting this type of encryption include - Windows 8 and newer, - Windows server 2012 and newer, - and smbclient of Samba 4.1 and newer. - </para> - - <para> - The protocol implementation offers various options: - </para> - - <itemizedlist> - <listitem> - <para> - The capability to perform SMB encryption can be - negotiated during protocol negotiation. - </para> - </listitem> - - <listitem> - <para> - Data encryption can be enabled globally. In that case, - an encryption-capable connection will have all traffic - in all its sessions encrypted. In particular all share - connections will be encrypted. - </para> - </listitem> - - <listitem> - <para> - Data encryption can also be enabled per share if not - enabled globally. For an encryption-capable connection, - all connections to an encryption-enabled share will be - encrypted. - </para> - </listitem> - - <listitem> - <para> - Encryption can be enforced. This means that session - setups will be denied on non-encryption-capable - connections if data encryption has been enabled - globally. And tree connections will be denied for - non-encryption capable connections to shares with data - encryption enabled. - </para> - </listitem> - </itemizedlist> - - <para> - These features can be controlled with settings of - <emphasis>smb encrypt</emphasis> as follows: - </para> - - <itemizedlist> - <listitem> - <para> - Leaving it as default, explicitly setting - <emphasis>default</emphasis>, or setting it to - <emphasis>enabled</emphasis> globally will enable - negotiation of encryption but will not turn on - data encryption globally or per share. - </para> - </listitem> - - <listitem> - <para> - Setting it to <emphasis>desired</emphasis> globally - will enable negotiation and will turn on data encryption - on sessions and share connections for those clients - that support it. - </para> - </listitem> - - <listitem> - <para> - Setting it to <emphasis>required</emphasis> globally - will enable negotiation and turn on data encryption - on sessions and share connections. Clients that do - not support encryption will be denied access to the - server. - </para> - </listitem> - - <listitem> - <para> - Setting it to <emphasis>off</emphasis> globally will - completely disable the encryption feature for all - connections. Setting <parameter>smb encrypt = - required</parameter> for individual shares (while it's - globally off) will deny access to this shares for all - clients. - </para> - </listitem> - - <listitem> - <para> - Setting it to <emphasis>desired</emphasis> on a share - will turn on data encryption for this share for clients - that support encryption if negotiation has been - enabled globally. - </para> - </listitem> - - <listitem> - <para> - Setting it to <emphasis>required</emphasis> on a share - will enforce data encryption for this share if - negotiation has been enabled globally. I.e. clients that - do not support encryption will be denied access to the - share. - </para> - <para> - Note that this allows per-share enforcing to be - controlled in Samba differently from Windows: - In Windows, <emphasis>RejectUnencryptedAccess</emphasis> - is a global setting, and if it is set, all shares with - data encryption turned on - are automatically enforcing encryption. In order to - achieve the same effect in Samba, one - has to globally set <emphasis>smb encrypt</emphasis> to - <emphasis>enabled</emphasis>, and then set all shares - that should be encrypted to - <emphasis>required</emphasis>. - Additionally, it is possible in Samba to have some - shares with encryption <emphasis>required</emphasis> - and some other shares with encryption only - <emphasis>desired</emphasis>, which is not possible in - Windows. - </para> - </listitem> - - <listitem> - <para> - Setting it to <emphasis>off</emphasis> or - <emphasis>enabled</emphasis> for a share has - no effect. - </para> - </listitem> - </itemizedlist> - </listitem> - </varlistentry> - </variablelist> </description> <value type="default">default</value> diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index 73f7c065e09..a2cb0fca16d 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -241,7 +241,7 @@ static const struct loadparm_service _sDefault = .aio_write_size = 1, .map_readonly = MAP_READONLY_NO, .directory_name_cache_size = 100, - .smb_encrypt = SMB_SIGNING_DEFAULT, + .server_smb_encrypt = SMB_SIGNING_DEFAULT, .kernel_share_modes = true, .durable_handles = true, .check_parent_directory_delete_on_close = false, diff --git a/source3/smbd/service.c b/source3/smbd/service.c index ed38121f292..a263c33b7e2 100644 --- a/source3/smbd/service.c +++ b/source3/smbd/service.c @@ -567,9 +567,9 @@ static NTSTATUS make_connection_snum(struct smbXsrv_connection *xconn, conn->case_preserve = lp_preserve_case(snum); conn->short_case_preserve = lp_short_preserve_case(snum); - conn->encrypt_level = lp_smb_encrypt(snum); + conn->encrypt_level = lp_server_smb_encrypt(snum); if (conn->encrypt_level > SMB_SIGNING_OFF) { - if (lp_smb_encrypt(-1) == SMB_SIGNING_OFF) { + if (lp_server_smb_encrypt(-1) == SMB_SIGNING_OFF) { if (conn->encrypt_level == SMB_SIGNING_REQUIRED) { DBG_ERR("Service [%s] requires encryption, but " "it is disabled globally!\n", diff --git a/source3/smbd/smb2_negprot.c b/source3/smbd/smb2_negprot.c index 4071f42b5e0..674942b71de 100644 --- a/source3/smbd/smb2_negprot.c +++ b/source3/smbd/smb2_negprot.c @@ -335,7 +335,7 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req) } if ((protocol >= PROTOCOL_SMB2_24) && - (lp_smb_encrypt(-1) != SMB_SIGNING_OFF) && + (lp_server_smb_encrypt(-1) != SMB_SIGNING_OFF) && (in_capabilities & SMB2_CAP_ENCRYPTION)) { capabilities |= SMB2_CAP_ENCRYPTION; } diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c index 2b6b3a820d4..8957411e167 100644 --- a/source3/smbd/smb2_sesssetup.c +++ b/source3/smbd/smb2_sesssetup.c @@ -292,12 +292,12 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session, x->global->signing_flags = SMBXSRV_SIGNING_REQUIRED; } - if ((lp_smb_encrypt(-1) >= SMB_SIGNING_DESIRED) && + if ((lp_server_smb_encrypt(-1) >= SMB_SIGNING_DESIRED) && (xconn->smb2.client.capabilities & SMB2_CAP_ENCRYPTION)) { x->global->encryption_flags = SMBXSRV_ENCRYPTION_DESIRED; } - if (lp_smb_encrypt(-1) == SMB_SIGNING_REQUIRED) { + if (lp_server_smb_encrypt(-1) == SMB_SIGNING_REQUIRED) { x->global->encryption_flags = SMBXSRV_ENCRYPTION_REQUIRED | SMBXSRV_ENCRYPTION_DESIRED; } diff --git a/source3/smbd/smb2_tcon.c b/source3/smbd/smb2_tcon.c index 76112d04889..0dd3c653b4b 100644 --- a/source3/smbd/smb2_tcon.c +++ b/source3/smbd/smb2_tcon.c @@ -302,13 +302,13 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req, TALLOC_FREE(proxy); } - if ((lp_smb_encrypt(snum) >= SMB_SIGNING_DESIRED) && + if ((lp_server_smb_encrypt(snum) >= SMB_SIGNING_DESIRED) && (conn->smb2.server.cipher != 0)) { encryption_desired = true; } - if (lp_smb_encrypt(snum) == SMB_SIGNING_REQUIRED) { + if (lp_server_smb_encrypt(snum) == SMB_SIGNING_REQUIRED) { encryption_desired = true; encryption_required = true; } diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c index e2bafc64d74..251bc4c3e66 100644 --- a/source3/smbd/trans2.c +++ b/source3/smbd/trans2.c @@ -4491,7 +4491,7 @@ static void call_trans2setfsinfo(connection_struct *conn, return; } - if (lp_smb_encrypt(SNUM(conn)) == SMB_SIGNING_OFF) { + if (lp_server_smb_encrypt(SNUM(conn)) == SMB_SIGNING_OFF) { reply_nterror( req, NT_STATUS_NOT_SUPPORTED); |