From 365d9d8bdfe9759ef9662d0080cf9c9a0767dbf2 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Tue, 30 Jun 2015 17:46:36 +0200 Subject: [PATCH] docs:smb.conf: explain effect of new setting 'desired' of smb encrypt Thereby clarify some details. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372 Signed-off-by: Michael Adam Reviewed-by: Guenther Deschner --- docs-xml/smbdotconf/security/smbencrypt.xml | 66 +++++++++++++++------ 1 file changed, 47 insertions(+), 19 deletions(-) diff --git a/docs-xml/smbdotconf/security/smbencrypt.xml b/docs-xml/smbdotconf/security/smbencrypt.xml index 17248e6c46d..ae0682bb53c 100644 --- a/docs-xml/smbdotconf/security/smbencrypt.xml +++ b/docs-xml/smbdotconf/security/smbencrypt.xml @@ -30,11 +30,15 @@ This parameter can be set globally and on a per-share bases. Possible values are - off or disabled, - auto or enabled, and - mandatory or required. + off (or disabled), + enabled (or auto, or + if_required), + desired, + and + required + (or mandatory). A special value is default which is - the implicit default setting. + the implicit default setting of enabled. @@ -103,7 +107,7 @@ The capability to perform SMB encryption can be - negotiated during prorocol negotiation. + negotiated during protocol negotiation. @@ -145,8 +149,9 @@ - Leaving it as default or explicitly setting - default globally will enable + Leaving it as default, explicitly setting + default, or setting it to + enabled globally will enable negotiation of encryption but will not turn on data encryption globally or per share. 
@@ -154,16 +159,20 @@ - Setting it to enabled globally will - enable negotiation and turn on data encryption globally. + Setting it to desired globally + will enable negotiation and will turn on data encryption + on sessions and share connections for those clients + that support it. Setting it to required globally - will enable negotiation and enforce data encryption - globally. + will enable negotiation and turn on data encryption + on sessions and share connections. Clients that do + not support encryption will be denied access to the + server. @@ -176,9 +185,10 @@ - Setting it to enabled on a share - will turn on data encryption for this share if - negotiation has been enabled globally. + Setting it to desired on a share + will turn on data encryption for this share for clients + that support encryption if negotiation has been + enabled globally. 
@@ -186,16 +196,34 @@ Setting it to required on a share will enforce data encryption for this share if - negotiation has been enabled globally. Note that this - allows enforcing to be controlled in Samba more - fine-grainedly than in Windows. This is a small - deviation from the MS-SMB2 protocol document. + negotiation has been enabled globally. I.e. clients that + do not support encryption will be denied access to the + share. + + + Note that this allows per-share enforcing to be + controlled in Samba differently from Windows: + In Windows, RejectUnencryptedAccess + is a global setting, and if it is set, all shares with + data encryption turned on + are automatically enforcing encryption. In order to + achieve the same effect in Samba, one + has to globally set smb encrypt to + enabled, and then set all shares + that should be encrypted to + required. + Additionally, it is possible in Samba to have some + shares with encryption required + and some other shares with encryption only + desired, which is not possible in + Windows. - Setting it to off for a share has + Setting it to off or + enabled for a share has no effect. -- 2.47.3
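Review bot: The unchanged context line at the top of the @@ -30,11 +30,15 @@ hunk still reads "on a per-share bases", which should be "on a per-share basis". This patch already corrects "prorocol" to "protocol" in the @@ -103,7 +107,7 @@ hunk, so the same cleanup fits here.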
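Review bot: The rewritten global items in the @@ -154,16 +159,20 @@ hunk change the documented meaning of enabled without saying so. The removed text said enabled "will enable negotiation and turn on data encryption globally", while the new text (together with the @@ -145,8 +149,9 @@ hunk) says enabled only enables negotiation and that desired is what turns on encryption. An administrator who set enabled or auto on the strength of the old wording would read the new page and find their traffic is not described as encrypted. Suggest adding a sentence that points such configurations to desired or required. The desired item should also state the other half explicitly: clients that do not support encryption still connect and their traffic is unencrypted, so required is the value to use when confidentiality must be guaranteed.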
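Review bot: The new per-share sentence in the @@ -176,9 +185,10 @@ hunk stacks two conditions without punctuation ("for clients that support encryption if negotiation has been enabled globally"), which can be read as the clients' support depending on the global setting. Suggest splitting it, for example "If negotiation has been enabled globally, setting it to desired on a share will turn on data encryption for this share for clients that support encryption." It would also help to say what a per-share desired does when the global value is off, since the sentence only covers the enabled case.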
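Review bot: The last item of the @@ -186,16 +196,34 @@ hunk, "Setting it to off or enabled for a share has no effect", does not say what that means when the global value is desired or required. A reader could take it either as "the share inherits the global encryption" or as "the share is left unencrypted"; for a security setting the text should state plainly whether a per-share off can or cannot weaken a global desired or required. Two smaller points in the same hunk: the sentence starting "I.e. clients that do not support encryption" reads better as "That is, clients that ...", and in the Windows comparison "all shares with data encryption turned on are automatically enforcing encryption" would be clearer as "automatically enforce encryption".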