]> git.ipfire.org Git - thirdparty/samba.git/commitdiff
docs-xml: Add 'client smb encrypt'
authorAndreas Schneider <asn@samba.org>
Thu, 9 Apr 2020 08:38:41 +0000 (10:38 +0200)
committerAndreas Schneider <asn@cryptomilk.org>
Wed, 19 Aug 2020 16:22:40 +0000 (16:22 +0000)
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
docs-xml/smbdotconf/security/clientsmbencrypt.xml [new file with mode: 0644]
lib/param/loadparm.c
source3/param/loadparm.c

diff --git a/docs-xml/smbdotconf/security/clientsmbencrypt.xml b/docs-xml/smbdotconf/security/clientsmbencrypt.xml
new file mode 100644 (file)
index 0000000..05df152
--- /dev/null
@@ -0,0 +1,126 @@
+<samba:parameter name="client smb encrypt"
+                context="G"
+                type="enum"
+                enumlist="enum_smb_encryption_vals"
+                xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+       <para>
+       This parameter controls whether a client should try or is required
+       to use SMB encryption. It has different effects depending on whether
+       the connection uses SMB1 or SMB3:
+       </para>
+
+       <itemizedlist>
+       <listitem>
+               <para>
+               If the connection uses SMB1, then this option controls the use
+               of a Samba-specific extension to the SMB protocol introduced in
+               Samba 3.2 that makes use of the Unix extensions.
+               </para>
+       </listitem>
+
+       <listitem>
+               <para>
+               If the connection uses SMB2 or newer, then this option controls
+               the use of the SMB-level encryption that is supported in SMB
+               version 3.0 and above and available in Windows 8 and newer.
+               </para>
+       </listitem>
+       </itemizedlist>
+
+       <para>
+               This parameter can be set globally. Possible values are
+
+               <emphasis>off</emphasis>,
+               <emphasis>if_required</emphasis>,
+               <emphasis>desired</emphasis>,
+               and
+               <emphasis>required</emphasis>.
+               A special value is <emphasis>default</emphasis> which is
+               the implicit default setting of <emphasis>if_required</emphasis>.
+       </para>
+
+       <variablelist>
+               <varlistentry>
+               <term><emphasis>Effects for SMB1</emphasis></term>
+               <listitem>
+               <para>
+               The Samba-specific encryption of SMB1 connections is an
+               extension to the SMB protocol negotiated as part of the UNIX
+               extensions.  SMB encryption uses the GSSAPI (SSPI on Windows)
+               ability to encrypt and sign every request/response in a SMB
+               protocol stream. When enabled it provides a secure method of
+               SMB/CIFS communication, similar to an ssh protected session, but
+               using SMB/CIFS authentication to negotiate encryption and
+               signing keys. Currently this is only supported smbclient of by
+               Samba 3.2 and newer. Windows does not support this feature.
+               </para>
+
+               <para>
+               When set to default, SMB encryption is probed, but not
+               enforced.  When set to required, SMB encryption is required and
+               if set to disabled, SMB encryption can not be negotiated.
+               </para>
+               </listitem>
+               </varlistentry>
+
+               <varlistentry>
+               <term><emphasis>Effects for SMB3 and newer</emphasis></term>
+               <listitem>
+               <para>
+               Native SMB transport encryption is available in SMB version 3.0
+               or newer. It is only used by Samba if
+               <emphasis>client max protocol</emphasis> is set to
+               <emphasis>SMB3</emphasis> or newer.
+               </para>
+
+               <para>
+               These features can be controlled with settings of
+               <emphasis>client smb encrypt</emphasis> as follows:
+               </para>
+
+               <itemizedlist>
+                       <listitem>
+                       <para>
+                       Leaving it as default, explicitly setting
+                       <emphasis>default</emphasis>, or setting it to
+                       <emphasis>if_required</emphasis> globally will enable
+                       negotiation of encryption but will not turn on
+                       data encryption globally.
+                       </para>
+                       </listitem>
+
+                       <listitem>
+                       <para>
+                       Setting it to <emphasis>desired</emphasis> globally
+                       will enable negotiation and will turn on data encryption
+                       on sessions and share connections for those servers
+                       that support it.
+                       </para>
+                       </listitem>
+
+                       <listitem>
+                       <para>
+                       Setting it to <emphasis>required</emphasis> globally
+                       will enable negotiation and turn on data encryption
+                       on sessions and share connections. Clients that do
+                       not support encryption will be denied access to the
+                       server.
+                       </para>
+                       </listitem>
+
+                       <listitem>
+                       <para>
+                       Setting it to <emphasis>off</emphasis> globally will
+                       completely disable the encryption feature for all
+                       connections.
+                       </para>
+                       </listitem>
+               </itemizedlist>
+               </listitem>
+               </varlistentry>
+       </variablelist>
+</description>
+
+<value type="default">default</value>
+</samba:parameter>
index 3d4033eb2a4f5866932a4a765736cdc80c6f9837..0511bdb41e4f5703478550f82a8765d9f9ab9673 100644 (file)
@@ -3083,6 +3083,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
        /* Async DNS query timeout in seconds. */
        lpcfg_do_global_parameter(lp_ctx, "async dns timeout", "10");
 
+       lpcfg_do_global_parameter(lp_ctx,
+                                 "client smb encrypt",
+                                 "default");
+
        for (i = 0; parm_table[i].label; i++) {
                if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
                        lp_ctx->flags[i] |= FLAG_DEFAULT;
index f4f3bce031cd058f87d2f6f1f1bebd4ab29f6a00..9c2d7634d36a4c7010a6b9ad2b1a92f3172f17cf 100644 (file)
@@ -963,6 +963,8 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
        /* Async DNS query timeout (in seconds). */
        Globals.async_dns_timeout = 10;
 
+       Globals.client_smb_encrypt = SMB_ENCRYPTION_DEFAULT;
+
        /* Now put back the settings that were set with lp_set_cmdline() */
        apply_lp_set_cmdline();
 }