1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
|
<samba:parameter name="smb encrypt"
context="S"
type="enum"
basic="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>
This parameter controls whether a remote client is allowed or required
to use SMB encryption. It has different effects depending on whether
the connection uses SMB1 or SMB2 and newer:
</para>
<itemizedlist>
<listitem>
<para>
If the connection uses SMB1, then this option controls the use
of a Samba-specific extension to the SMB protocol introduced in
Samba 3.2 that makes use of the Unix extensions.
</para>
</listitem>
<listitem>
<para>
If the connection uses SMB2 or newer, then this option controls
the use of the SMB-level encryption that is supported in SMB
version 3.0 and above and available in Windows 8 and newer.
</para>
</listitem>
</itemizedlist>
<para>
This parameter can be set globally and on a per-share bases.
Possible values are
<emphasis>off</emphasis> or <emphasis>disabled</emphasis>,
<emphasis>auto</emphasis> or <emphasis>enabled</emphasis>, and
<emphasis>mandatory</emphasis> or <emphasis>required</emphasis>.
A special value is <emphasis>default</emphasis> which is
the implicit default setting.
</para>
<variablelist>
<varlistentry>
<term><emphasis>Effects for SMB1</emphasis></term>
<listitem>
<para>
The Samba-specific encryption of SMB1 connections is an
extension to the SMB protocol negotiated as part of the UNIX
extensions. SMB encryption uses the GSSAPI (SSPI on Windows)
ability to encrypt and sign every request/response in a SMB
protocol stream. When enabled it provides a secure method of
SMB/CIFS communication, similar to an ssh protected session, but
using SMB/CIFS authentication to negotiate encryption and
signing keys. Currently this is only supported smbclient of by
Samba 3.2 and newer, and hopefully soon Linux CIFSFS and MacOS/X
clients. Windows clients do not support this feature.
</para>
<para>This may be set on a per-share
basis, but clients may chose to encrypt the entire session, not
just traffic to a specific share. If this is set to mandatory
then all traffic to a share <emphasis>must</emphasis>
be encrypted once the connection has been made to the share.
The server would return "access denied" to all non-encrypted
requests on such a share. Selecting encrypted traffic reduces
throughput as smaller packet sizes must be used (no huge UNIX
style read/writes allowed) as well as the overhead of encrypting
and signing all the data.
</para>
<para>
If SMB encryption is selected, Windows style SMB signing (see
the <smbconfoption name="server signing"/> option) is no longer
necessary, as the GSSAPI flags use select both signing and
sealing of the data.
</para>
<para>
When set to auto or default, SMB encryption is offered, but not
enforced. When set to mandatory, SMB encryption is required and
if set to disabled, SMB encryption can not be negotiated.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>Effects for SMB2</emphasis></term>
<listitem>
<para>
Native SMB transport encryption is available in SMB version 3.0
or newer. It is only offered by Samba if
<emphasis>server max protocol</emphasis> is set to
<emphasis>SMB3</emphasis> or newer.
Clients supporting this type of encryption include
Windows 8 and newer,
Windows server 2012 and newer,
and smbclient of Samba 4.1 and newer.
</para>
<para>
The protocol implementation offers various options:
</para>
<itemizedlist>
<listitem>
<para>
The capability to perform SMB encryption can be
negotiated during prorocol negotiation.
</para>
</listitem>
<listitem>
<para>
Data encryption can be enabled globally. In that case,
an encryption-capable connection will have all traffic
in all its sessions encrypted. In particular all share
connections will be encrypted.
</para>
</listitem>
<listitem>
<para>
Data encryption can also be enabled per share if not
enabled globally. For an encryption-capable connection,
all connections to an encryption-enabled share will be
encrypted.
</para>
</listitem>
<listitem>
<para>
Encryption can be enforced. This means that session
setups will be denied on non-encryption-capable
connections if data encryption has been enabled
globally. And tree connections will be denied for
non-encryption capable connections to shares with data
encryption enabled.
</para>
</listitem>
</itemizedlist>
<para>
These features can be crontrolled with settings of
<emphasis>smb encrypt</emphasis> as follows:
</para>
<itemizedlist>
<listitem>
<para>
Leaving it as default or explicitly setting
<emphasis>default</emphasis> globally will enable
negotiation of encryption but will not turn on
data encryption globally or per share.
</para>
</listitem>
<listitem>
<para>
Setting it to <emphasis>enabled</emphasis> globally will
enable negotiation and turn on data encryption globally.
</para>
</listitem>
<listitem>
<para>
Setting it to <emphasis>required</emphasis> globally
will enable negotiation and enforce data encryption
globally.
</para>
</listitem>
<listitem>
<para>
Setting it to <emphasis>off</emphasis> globally will
completely disable the encryption feature.
</para>
</listitem>
<listitem>
<para>
Setting it to <emphasis>enabled</emphasis> on a share
will turn on data encryption for this share if
negotiation has been enabled globally.
</para>
</listitem>
<listitem>
<para>
Setting it to <emphasis>required</emphasis> on a share
will enforce data encryption for this share if
negotiation has been enabled globally. Note that this
allows enforcing to be controlled in Samba more
fine-grainedly than in Windows. This is a small
deviation from the MS-SMB2 protocol document.
</para>
</listitem>
<listitem>
<para>
Setting it to <emphasis>off</emphasis> for a share has
no effect.
</para>
</listitem>
</itemizedlist>
</listitem>
</varlistentry>
</variablelist>
</description>
<value type="default">default</value>
</samba:parameter>
|