1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
|
<samba:parameter name="server smb encrypt"
context="S"
type="enum"
enumlist="enum_smb_encryption_vals"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>
This parameter controls whether a remote client is allowed or required
to use SMB encryption. It has different effects depending on whether
the connection uses SMB1 or SMB2 and newer:
</para>
<itemizedlist>
<listitem>
<para>
If the connection uses SMB1, then this option controls the use
of a Samba-specific extension to the SMB protocol introduced in
Samba 3.2 that makes use of the Unix extensions.
</para>
</listitem>
<listitem>
<para>
If the connection uses SMB2 or newer, then this option controls
the use of the SMB-level encryption that is supported in SMB
version 3.0 and above and available in Windows 8 and newer.
</para>
</listitem>
</itemizedlist>
<para>
This parameter can be set globally and on a per-share bases.
Possible values are
<emphasis>off</emphasis>,
<emphasis>if_required</emphasis>,
<emphasis>desired</emphasis>,
and
<emphasis>required</emphasis>.
A special value is <emphasis>default</emphasis> which is
the implicit default setting of <emphasis>if_required</emphasis>.
</para>
<variablelist>
<varlistentry>
<term><emphasis>Effects for SMB1</emphasis></term>
<listitem>
<para>
The Samba-specific encryption of SMB1 connections is an
extension to the SMB protocol negotiated as part of the UNIX
extensions. SMB encryption uses the GSSAPI (SSPI on Windows)
ability to encrypt and sign every request/response in a SMB
protocol stream. When enabled it provides a secure method of
SMB/CIFS communication, similar to an ssh protected session, but
using SMB/CIFS authentication to negotiate encryption and
signing keys. Currently this is only supported smbclient of by
Samba 3.2 and newer, and hopefully soon Linux CIFSFS and MacOS/X
clients. Windows clients do not support this feature.
</para>
<para>This may be set on a per-share
basis, but clients may chose to encrypt the entire session, not
just traffic to a specific share. If this is set to mandatory
then all traffic to a share <emphasis>must</emphasis>
be encrypted once the connection has been made to the share.
The server would return "access denied" to all non-encrypted
requests on such a share. Selecting encrypted traffic reduces
throughput as smaller packet sizes must be used (no huge UNIX
style read/writes allowed) as well as the overhead of encrypting
and signing all the data.
</para>
<para>
If SMB encryption is selected, Windows style SMB signing (see
the <smbconfoption name="server signing"/> option) is no longer
necessary, as the GSSAPI flags use select both signing and
sealing of the data.
</para>
<para>
When set to auto or default, SMB encryption is offered, but not
enforced. When set to mandatory, SMB encryption is required and
if set to disabled, SMB encryption can not be negotiated.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>Effects for SMB2 and newer</emphasis></term>
<listitem>
<para>
Native SMB transport encryption is available in SMB version 3.0
or newer. It is only offered by Samba if
<emphasis>server max protocol</emphasis> is set to
<emphasis>SMB3</emphasis> or newer.
Clients supporting this type of encryption include
Windows 8 and newer,
Windows server 2012 and newer,
and smbclient of Samba 4.1 and newer.
</para>
<para>
The protocol implementation offers various options:
</para>
<itemizedlist>
<listitem>
<para>
The capability to perform SMB encryption can be
negotiated during protocol negotiation.
</para>
</listitem>
<listitem>
<para>
Data encryption can be enabled globally. In that case,
an encryption-capable connection will have all traffic
in all its sessions encrypted. In particular all share
connections will be encrypted.
</para>
</listitem>
<listitem>
<para>
Data encryption can also be enabled per share if not
enabled globally. For an encryption-capable connection,
all connections to an encryption-enabled share will be
encrypted.
</para>
</listitem>
<listitem>
<para>
Encryption can be enforced. This means that session
setups will be denied on non-encryption-capable
connections if data encryption has been enabled
globally. And tree connections will be denied for
non-encryption capable connections to shares with data
encryption enabled.
</para>
</listitem>
</itemizedlist>
<para>
These features can be controlled with settings of
<emphasis>server smb encrypt</emphasis> as follows:
</para>
<itemizedlist>
<listitem>
<para>
Leaving it as default, explicitly setting
<emphasis>default</emphasis>, or setting it to
<emphasis>if_required</emphasis> globally will enable
negotiation of encryption but will not turn on
data encryption globally or per share.
</para>
</listitem>
<listitem>
<para>
Setting it to <emphasis>desired</emphasis> globally
will enable negotiation and will turn on data encryption
on sessions and share connections for those clients
that support it.
</para>
</listitem>
<listitem>
<para>
Setting it to <emphasis>required</emphasis> globally
will enable negotiation and turn on data encryption
on sessions and share connections. Clients that do
not support encryption will be denied access to the
server.
</para>
</listitem>
<listitem>
<para>
Setting it to <emphasis>off</emphasis> globally will
completely disable the encryption feature for all
connections. Setting <parameter>server smb encrypt =
required</parameter> for individual shares (while it's
globally off) will deny access to this shares for all
clients.
</para>
</listitem>
<listitem>
<para>
Setting it to <emphasis>desired</emphasis> on a share
will turn on data encryption for this share for clients
that support encryption if negotiation has been
enabled globally.
</para>
</listitem>
<listitem>
<para>
Setting it to <emphasis>required</emphasis> on a share
will enforce data encryption for this share if
negotiation has been enabled globally. I.e. clients that
do not support encryption will be denied access to the
share.
</para>
<para>
Note that this allows per-share enforcing to be
controlled in Samba differently from Windows:
In Windows, <emphasis>RejectUnencryptedAccess</emphasis>
is a global setting, and if it is set, all shares with
data encryption turned on
are automatically enforcing encryption. In order to
achieve the same effect in Samba, one
has to globally set <emphasis>server smb encrypt</emphasis> to
<emphasis>if_required</emphasis>, and then set all shares
that should be encrypted to
<emphasis>required</emphasis>.
Additionally, it is possible in Samba to have some
shares with encryption <emphasis>required</emphasis>
and some other shares with encryption only
<emphasis>desired</emphasis>, which is not possible in
Windows.
</para>
</listitem>
<listitem>
<para>
Setting it to <emphasis>off</emphasis> or
<emphasis>if_required</emphasis> for a share has
no effect.
</para>
</listitem>
</itemizedlist>
</listitem>
</varlistentry>
</variablelist>
</description>
<value type="default">default</value>
</samba:parameter>
|
