param: Add 'server smb encrypt' parameter

And this also makes 'smb encrypt' a synonym of that.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

8 files changed, 257 insertions, 243 deletions

diff --git a/docs-xml/smbdotconf/security/serversmbencrypt.xml b/docs-xml/smbdotconf/security/serversmbencrypt.xml
new file mode 100644
index 00000000000..714aacbf1ca
--- /dev/null
+++ b/docs-xml/smbdotconf/security/serversmbencrypt.xml
@@ -0,0 +1,241 @@
+<samba:parameter name="server smb encrypt"
+		 context="S"
+		 type="enum"
+		 enumlist="enum_smb_signing_vals"
+		 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>
+	This parameter controls whether a remote client is allowed or required
+	to use SMB encryption. It has different effects depending on whether
+	the connection uses SMB1 or SMB2 and newer:
+	</para>
+
+	<itemizedlist>
+	<listitem>
+		<para>
+		If the connection uses SMB1, then this option controls the use
+		of a Samba-specific extension to the SMB protocol introduced in
+		Samba 3.2 that makes use of the Unix extensions.
+		</para>
+	</listitem>
+
+	<listitem>
+		<para>
+		If the connection uses SMB2 or newer, then this option controls
+		the use of the SMB-level encryption that is supported in SMB
+		version 3.0 and above and available in Windows 8 and newer.
+		</para>
+	</listitem>
+	</itemizedlist>
+
+	<para>
+		This parameter can be set globally and on a per-share bases.
+		Possible values are
+
+		<emphasis>off</emphasis>,
+		<emphasis>if_required</emphasis>,
+		<emphasis>desired</emphasis>,
+		and
+		<emphasis>required</emphasis>.
+		A special value is <emphasis>default</emphasis> which is
+		the implicit default setting of <emphasis>if_required</emphasis>.
+	</para>
+
+	<variablelist>
+		<varlistentry>
+		<term><emphasis>Effects for SMB1</emphasis></term>
+		<listitem>
+		<para>
+		The Samba-specific encryption of SMB1 connections is an
+		extension to the SMB protocol negotiated as part of the UNIX
+		extensions.  SMB encryption uses the GSSAPI (SSPI on Windows)
+		ability to encrypt and sign every request/response in a SMB
+		protocol stream. When enabled it provides a secure method of
+		SMB/CIFS communication, similar to an ssh protected session, but
+		using SMB/CIFS authentication to negotiate encryption and
+		signing keys. Currently this is only supported smbclient of by
+		Samba 3.2 and newer, and hopefully soon Linux CIFSFS and MacOS/X
+		clients. Windows clients do not support this feature.
+		</para>
+
+		<para>This may be set on a per-share
+		basis, but clients may chose to encrypt the entire session, not
+		just traffic to a specific share. If this is set to mandatory
+		then all traffic to a share <emphasis>must</emphasis>
+		be encrypted once the connection has been made to the share.
+		The server would return "access denied" to all non-encrypted
+		requests on such a share. Selecting encrypted traffic reduces
+		throughput as smaller packet sizes must be used (no huge UNIX
+		style read/writes allowed) as well as the overhead of encrypting
+		and signing all the data.
+		</para>
+
+		<para>
+		If SMB encryption is selected, Windows style SMB signing (see
+		the <smbconfoption name="server signing"/> option) is no longer
+		necessary, as the GSSAPI flags use select both signing and
+		sealing of the data.
+		</para>
+
+		<para>
+		When set to auto or default, SMB encryption is offered, but not
+		enforced.  When set to mandatory, SMB encryption is required and
+		if set to disabled, SMB encryption can not be negotiated.
+		</para>
+		</listitem>
+		</varlistentry>
+
+		<varlistentry>
+		<term><emphasis>Effects for SMB2 and newer</emphasis></term>
+		<listitem>
+		<para>
+		Native SMB transport encryption is available in SMB version 3.0
+		or newer. It is only offered by Samba if
+		<emphasis>server max protocol</emphasis> is set to
+		<emphasis>SMB3</emphasis> or newer.
+		Clients supporting this type of encryption include
+		Windows 8 and newer,
+		Windows server 2012 and newer,
+		and smbclient of Samba 4.1 and newer.
+		</para>
+
+		<para>
+		The protocol implementation offers various options:
+		</para>
+
+		<itemizedlist>
+			<listitem>
+			<para>
+			The capability to perform SMB encryption can be
+			negotiated during protocol negotiation.
+			</para>
+			</listitem>
+
+			<listitem>
+			<para>
+			Data encryption can be enabled globally. In that case,
+			an encryption-capable connection will have all traffic
+			in all its sessions encrypted. In particular all share
+			connections will be encrypted.
+			</para>
+			</listitem>
+
+			<listitem>
+			<para>
+			Data encryption can also be enabled per share if not
+			enabled globally. For an encryption-capable connection,
+			all connections to an encryption-enabled share will be
+			encrypted.
+			</para>
+			</listitem>
+
+			<listitem>
+			<para>
+			Encryption can be enforced. This means that session
+			setups will be denied on non-encryption-capable
+			connections if data encryption has been enabled
+			globally. And tree connections will be denied for
+			non-encryption capable connections to shares with data
+			encryption enabled.
+			</para>
+			</listitem>
+		</itemizedlist>
+
+		<para>
+		These features can be controlled with settings of
+		<emphasis>server smb encrypt</emphasis> as follows:
+		</para>
+
+		<itemizedlist>
+			<listitem>
+			<para>
+			Leaving it as default, explicitly setting
+			<emphasis>default</emphasis>, or setting it to
+			<emphasis>if_required</emphasis> globally will enable
+			negotiation of encryption but will not turn on
+			data encryption globally or per share.
+			</para>
+			</listitem>
+
+			<listitem>
+			<para>
+			Setting it to <emphasis>desired</emphasis> globally
+			will enable negotiation and will turn on data encryption
+			on sessions and share connections for those clients
+			that support it.
+			</para>
+			</listitem>
+
+			<listitem>
+			<para>
+			Setting it to <emphasis>required</emphasis> globally
+			will enable negotiation and turn on data encryption
+			on sessions and share connections. Clients that do
+			not support encryption will be denied access to the
+			server.
+			</para>
+			</listitem>
+
+			<listitem>
+			<para>
+			Setting it to <emphasis>off</emphasis> globally will
+			completely disable the encryption feature for all
+			connections. Setting <parameter>server smb encrypt =
+			required</parameter> for individual shares (while it's
+			globally off) will deny access to this shares for all
+			clients.
+			</para>
+			</listitem>
+
+			<listitem>
+			<para>
+			Setting it to <emphasis>desired</emphasis> on a share
+			will turn on data encryption for this share for clients
+			that support encryption if negotiation has been
+			enabled globally.
+			</para>
+			</listitem>
+
+			<listitem>
+			<para>
+			Setting it to <emphasis>required</emphasis> on a share
+			will enforce data encryption for this share if
+			negotiation has been enabled globally. I.e. clients that
+			do not support encryption will be denied access to the
+			share.
+			</para>
+			<para>
+			Note that this allows per-share enforcing to be
+			controlled in Samba differently from Windows:
+			In Windows, <emphasis>RejectUnencryptedAccess</emphasis>
+			is a global setting, and if it is set, all shares with
+			data encryption turned on
+			are automatically enforcing encryption. In order to
+			achieve the same effect in Samba, one
+			has to globally set <emphasis>server smb encrypt</emphasis> to
+			<emphasis>if_required</emphasis>, and then set all shares
+			that should be encrypted to
+			<emphasis>required</emphasis>.
+			Additionally, it is possible in Samba to have some
+			shares with encryption <emphasis>required</emphasis>
+			and some other shares with encryption only
+			<emphasis>desired</emphasis>, which is not possible in
+			Windows.
+			</para>
+			</listitem>
+
+			<listitem>
+			<para>
+			Setting it to <emphasis>off</emphasis> or
+			<emphasis>if_required</emphasis> for a share has
+			no effect.
+			</para>
+			</listitem>
+		</itemizedlist>
+		</listitem>
+		</varlistentry>
+	</variablelist>
+</description>
+
+<value type="default">default</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/smbencrypt.xml b/docs-xml/smbdotconf/security/smbencrypt.xml
index 32a22cb58f5..798e616b765 100644
--- a/docs-xml/smbdotconf/security/smbencrypt.xml
+++ b/docs-xml/smbdotconf/security/smbencrypt.xml
@@ -1,241 +1,14 @@
 <samba:parameter name="smb encrypt"
-                 context="S"
-                 type="enum"
-                 enumlist="enum_smb_signing_vals"
-                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+		 context="S"
+		 type="enum"
+		 enumlist="enum_smb_signing_vals"
+		 function="server_smb_encrypt"
+		 synonym="1"
+		 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
 	<para>
-	This parameter controls whether a remote client is allowed or required
-	to use SMB encryption. It has different effects depending on whether
-	the connection uses SMB1 or SMB2 and newer:
+		This is a synonym for <smbconfoption name="server smb encrypt"/>.
 	</para>
-
-	<itemizedlist>
-	<listitem>
-		<para>
-		If the connection uses SMB1, then this option controls the use
-		of a Samba-specific extension to the SMB protocol introduced in
-		Samba 3.2 that makes use of the Unix extensions.
-		</para>
-	</listitem>
-
-	<listitem>
-		<para>
-		If the connection uses SMB2 or newer, then this option controls
-		the use of the SMB-level encryption that is supported in SMB
-		version 3.0 and above and available in Windows 8 and newer.
-		</para>
-	</listitem>
-	</itemizedlist>
-
-	<para>
-		This parameter can be set globally and on a per-share bases.
-		Possible values are
-		<emphasis>off</emphasis> (or <emphasis>disabled</emphasis>),
-		<emphasis>enabled</emphasis> (or <emphasis>auto</emphasis>, or
-		<emphasis>if_required</emphasis>),
-		<emphasis>desired</emphasis>,
-		and
-		<emphasis>required</emphasis>
-		(or <emphasis>mandatory</emphasis>).
-		A special value is <emphasis>default</emphasis> which is
-		the implicit default setting of <emphasis>enabled</emphasis>.
-	</para>
-
-	<variablelist>
-		<varlistentry>
-		<term><emphasis>Effects for SMB1</emphasis></term>
-		<listitem>
-		<para>
-		The Samba-specific encryption of SMB1 connections is an
-		extension to the SMB protocol negotiated as part of the UNIX
-		extensions.  SMB encryption uses the GSSAPI (SSPI on Windows)
-		ability to encrypt and sign every request/response in a SMB
-		protocol stream. When enabled it provides a secure method of
-		SMB/CIFS communication, similar to an ssh protected session, but
-		using SMB/CIFS authentication to negotiate encryption and
-		signing keys. Currently this is only supported smbclient of by
-		Samba 3.2 and newer, and hopefully soon Linux CIFSFS and MacOS/X
-		clients. Windows clients do not support this feature.
-		</para>
-
-		<para>This may be set on a per-share
-		basis, but clients may chose to encrypt the entire session, not
-		just traffic to a specific share. If this is set to mandatory
-		then all traffic to a share <emphasis>must</emphasis>
-		be encrypted once the connection has been made to the share.
-		The server would return "access denied" to all non-encrypted
-		requests on such a share. Selecting encrypted traffic reduces
-		throughput as smaller packet sizes must be used (no huge UNIX
-		style read/writes allowed) as well as the overhead of encrypting
-		and signing all the data.
-		</para>
-
-		<para>
-		If SMB encryption is selected, Windows style SMB signing (see
-		the <smbconfoption name="server signing"/> option) is no longer
-		necessary, as the GSSAPI flags use select both signing and
-		sealing of the data.
-		</para>
-
-		<para>
-		When set to auto or default, SMB encryption is offered, but not
-		enforced.  When set to mandatory, SMB encryption is required and
-		if set to disabled, SMB encryption can not be negotiated.
-		</para>
-		</listitem>
-		</varlistentry>
-
-		<varlistentry>
-		<term><emphasis>Effects for SMB2</emphasis></term>
-		<listitem>
-		<para>
-		Native SMB transport encryption is available in SMB version 3.0
-		or newer. It is only offered by Samba if
-		<emphasis>server max protocol</emphasis> is set to
-		<emphasis>SMB3</emphasis> or newer.
-		Clients supporting this type of encryption include
-		Windows 8 and newer,
-		Windows server 2012 and newer,
-		and smbclient of Samba 4.1 and newer.
-		</para>
-
-		<para>
-		The protocol implementation offers various options:
-		</para>
-
-		<itemizedlist>
-			<listitem>
-			<para>
-			The capability to perform SMB encryption can be
-			negotiated during protocol negotiation.
-			</para>
-			</listitem>
-
-			<listitem>
-			<para>
-			Data encryption can be enabled globally. In that case,
-			an encryption-capable connection will have all traffic
-			in all its sessions encrypted. In particular all share
-			connections will be encrypted.
-			</para>
-			</listitem>
-
-			<listitem>
-			<para>
-			Data encryption can also be enabled per share if not
-			enabled globally. For an encryption-capable connection,
-			all connections to an encryption-enabled share will be
-			encrypted.
-			</para>
-			</listitem>
-
-			<listitem>
-			<para>
-			Encryption can be enforced. This means that session
-			setups will be denied on non-encryption-capable
-			connections if data encryption has been enabled
-			globally. And tree connections will be denied for
-			non-encryption capable connections to shares with data
-			encryption enabled.
-			</para>
-			</listitem>
-		</itemizedlist>
-
-		<para>
-		These features can be controlled with settings of
-		<emphasis>smb encrypt</emphasis> as follows:
-		</para>
-
-		<itemizedlist>
-			<listitem>
-			<para>
-			Leaving it as default, explicitly setting
-			<emphasis>default</emphasis>, or setting it to
-			<emphasis>enabled</emphasis> globally will enable
-			negotiation of encryption but will not turn on
-			data encryption globally or per share.
-			</para>
-			</listitem>
-
-			<listitem>
-			<para>
-			Setting it to <emphasis>desired</emphasis> globally
-			will enable negotiation and will turn on data encryption
-			on sessions and share connections for those clients
-			that support it.
-			</para>
-			</listitem>
-
-			<listitem>
-			<para>
-			Setting it to <emphasis>required</emphasis> globally
-			will enable negotiation and turn on data encryption
-			on sessions and share connections. Clients that do
-			not support encryption will be denied access to the
-			server.
-			</para>
-			</listitem>
-
-			<listitem>
-			<para>
-			Setting it to <emphasis>off</emphasis> globally will
-			completely disable the encryption feature for all
-			connections. Setting <parameter>smb encrypt =
-			required</parameter> for individual shares (while it's
-			globally off) will deny access to this shares for all
-			clients.
-			</para>
-			</listitem>
-
-			<listitem>
-			<para>
-			Setting it to <emphasis>desired</emphasis> on a share
-			will turn on data encryption for this share for clients
-			that support encryption if negotiation has been
-			enabled globally.
-			</para>
-			</listitem>
-
-			<listitem>
-			<para>
-			Setting it to <emphasis>required</emphasis> on a share
-			will enforce data encryption for this share if
-			negotiation has been enabled globally. I.e. clients that
-			do not support encryption will be denied access to the
-			share.
-			</para>
-			<para>
-			Note that this allows per-share enforcing to be
-			controlled in Samba differently from Windows:
-			In Windows, <emphasis>RejectUnencryptedAccess</emphasis>
-			is a global setting, and if it is set, all shares with
-			data encryption turned on
-			are automatically enforcing encryption. In order to
-			achieve the same effect in Samba, one
-			has to globally set <emphasis>smb encrypt</emphasis> to
-			<emphasis>enabled</emphasis>, and then set all shares
-			that should be encrypted to
-			<emphasis>required</emphasis>.
-			Additionally, it is possible in Samba to have some
-			shares with encryption <emphasis>required</emphasis>
-			and some other shares with encryption only
-			<emphasis>desired</emphasis>, which is not possible in
-			Windows.
-			</para>
-			</listitem>
-
-			<listitem>
-			<para>
-			Setting it to <emphasis>off</emphasis> or
-			<emphasis>enabled</emphasis> for a share has
-			no effect.
-			</para>
-			</listitem>
-		</itemizedlist>
-		</listitem>
-		</varlistentry>
-	</variablelist>
 </description>
 
 <value type="default">default</value>
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 73f7c065e09..a2cb0fca16d 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -241,7 +241,7 @@ static const struct loadparm_service _sDefault =
 	.aio_write_size = 1,
 	.map_readonly = MAP_READONLY_NO,
 	.directory_name_cache_size = 100,
-	.smb_encrypt = SMB_SIGNING_DEFAULT,
+	.server_smb_encrypt = SMB_SIGNING_DEFAULT,
 	.kernel_share_modes = true,
 	.durable_handles = true,
 	.check_parent_directory_delete_on_close = false,
diff --git a/source3/smbd/service.c b/source3/smbd/service.c
index ed38121f292..a263c33b7e2 100644
--- a/source3/smbd/service.c
+++ b/source3/smbd/service.c
@@ -567,9 +567,9 @@ static NTSTATUS make_connection_snum(struct smbXsrv_connection *xconn,
 	conn->case_preserve = lp_preserve_case(snum);
 	conn->short_case_preserve = lp_short_preserve_case(snum);
 
-	conn->encrypt_level = lp_smb_encrypt(snum);
+	conn->encrypt_level = lp_server_smb_encrypt(snum);
 	if (conn->encrypt_level > SMB_SIGNING_OFF) {
-		if (lp_smb_encrypt(-1) == SMB_SIGNING_OFF) {
+		if (lp_server_smb_encrypt(-1) == SMB_SIGNING_OFF) {
 			if (conn->encrypt_level == SMB_SIGNING_REQUIRED) {
 				DBG_ERR("Service [%s] requires encryption, but "
 					"it is disabled globally!\n",
diff --git a/source3/smbd/smb2_negprot.c b/source3/smbd/smb2_negprot.c
index 4071f42b5e0..674942b71de 100644
--- a/source3/smbd/smb2_negprot.c
+++ b/source3/smbd/smb2_negprot.c
@@ -335,7 +335,7 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
 	}
 
 	if ((protocol >= PROTOCOL_SMB2_24) &&
-	    (lp_smb_encrypt(-1) != SMB_SIGNING_OFF) &&
+	    (lp_server_smb_encrypt(-1) != SMB_SIGNING_OFF) &&
 	    (in_capabilities & SMB2_CAP_ENCRYPTION)) {
 		capabilities |= SMB2_CAP_ENCRYPTION;
 	}
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index 2b6b3a820d4..8957411e167 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -292,12 +292,12 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
 		x->global->signing_flags = SMBXSRV_SIGNING_REQUIRED;
 	}
 
-	if ((lp_smb_encrypt(-1) >= SMB_SIGNING_DESIRED) &&
+	if ((lp_server_smb_encrypt(-1) >= SMB_SIGNING_DESIRED) &&
 	    (xconn->smb2.client.capabilities & SMB2_CAP_ENCRYPTION)) {
 		x->global->encryption_flags = SMBXSRV_ENCRYPTION_DESIRED;
 	}
 
-	if (lp_smb_encrypt(-1) == SMB_SIGNING_REQUIRED) {
+	if (lp_server_smb_encrypt(-1) == SMB_SIGNING_REQUIRED) {
 		x->global->encryption_flags = SMBXSRV_ENCRYPTION_REQUIRED |
 			SMBXSRV_ENCRYPTION_DESIRED;
 	}
diff --git a/source3/smbd/smb2_tcon.c b/source3/smbd/smb2_tcon.c
index 76112d04889..0dd3c653b4b 100644
--- a/source3/smbd/smb2_tcon.c
+++ b/source3/smbd/smb2_tcon.c
@@ -302,13 +302,13 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req,
 		TALLOC_FREE(proxy);
 	}
 
-	if ((lp_smb_encrypt(snum) >= SMB_SIGNING_DESIRED) &&
+	if ((lp_server_smb_encrypt(snum) >= SMB_SIGNING_DESIRED) &&
 	    (conn->smb2.server.cipher != 0))
 	{
 		encryption_desired = true;
 	}
 
-	if (lp_smb_encrypt(snum) == SMB_SIGNING_REQUIRED) {
+	if (lp_server_smb_encrypt(snum) == SMB_SIGNING_REQUIRED) {
 		encryption_desired = true;
 		encryption_required = true;
 	}
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index e2bafc64d74..251bc4c3e66 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -4491,7 +4491,7 @@ static void call_trans2setfsinfo(connection_struct *conn,
 					return;
 				}
 
-				if (lp_smb_encrypt(SNUM(conn)) == SMB_SIGNING_OFF) {
+				if (lp_server_smb_encrypt(SNUM(conn)) == SMB_SIGNING_OFF) {
 					reply_nterror(
 						req,
 						NT_STATUS_NOT_SUPPORTED);