docs-xml: add "debug encryption" global parm

Add debug option to dump in the log the session id & keys in smbd and
libsmb-based code for offline decryption.

Wireshark can make use of this to decrypt encrypted traffic.

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Noel Power <npower@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>

1 files changed, 22 insertions, 0 deletions

diff --git a/docs-xml/smbdotconf/security/debugencryption.xml b/docs-xml/smbdotconf/security/debugencryption.xml
new file mode 100644
index 00000000000..5b51b4afe0e
--- /dev/null
+++ b/docs-xml/smbdotconf/security/debugencryption.xml
@@ -0,0 +1,22 @@
+<samba:parameter name="debug encryption"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+  <description>
+    <para>
+      This option will make the smbd server and client code using
+      libsmb (smbclient, smbget, smbspool, ...) dump the Session Id,
+      the decrypted Session Key, the Signing Key, the Application Key,
+      the Encryption Key and the Decryption Key every time an SMB3+
+      session is established. This information will be printed in logs
+      at level 0.
+    </para>
+    <para>
+      Warning: access to these values enables the decryption of any
+      encrypted traffic on the dumped sessions. This option should
+      only be enabled for debugging purposes.
+    </para>
+  </description>
+
+  <value type="default">no</value>
+</samba:parameter>