From: Andreas Schneider Date: Thu, 9 Apr 2020 08:38:41 +0000 (+0200) Subject: docs-xml: Add 'client smb encrypt' X-Git-Tag: talloc-2.3.2~810 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5a733c3c1ba7bb7ca7770bd0edb648b461f03cd9;p=thirdparty%2Fsamba.git docs-xml: Add 'client smb encrypt' Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher --- diff --git a/docs-xml/smbdotconf/security/clientsmbencrypt.xml b/docs-xml/smbdotconf/security/clientsmbencrypt.xml new file mode 100644 index 00000000000..05df152e734 --- /dev/null +++ b/docs-xml/smbdotconf/security/clientsmbencrypt.xml @@ -0,0 +1,126 @@ + + + + This parameter controls whether a client should try or is required + to use SMB encryption. It has different effects depending on whether + the connection uses SMB1 or SMB3: + + + + + + If the connection uses SMB1, then this option controls the use + of a Samba-specific extension to the SMB protocol introduced in + Samba 3.2 that makes use of the Unix extensions. + + + + + + If the connection uses SMB2 or newer, then this option controls + the use of the SMB-level encryption that is supported in SMB + version 3.0 and above and available in Windows 8 and newer. + + + + + + This parameter can be set globally. Possible values are + + off, + if_required, + desired, + and + required. + A special value is default which is + the implicit default setting of if_required. + + + + + Effects for SMB1 + + + The Samba-specific encryption of SMB1 connections is an + extension to the SMB protocol negotiated as part of the UNIX + extensions. SMB encryption uses the GSSAPI (SSPI on Windows) + ability to encrypt and sign every request/response in a SMB + protocol stream. When enabled it provides a secure method of + SMB/CIFS communication, similar to an ssh protected session, but + using SMB/CIFS authentication to negotiate encryption and + signing keys. Currently this is only supported smbclient of by + Samba 3.2 and newer. Windows does not support this feature. + + + + When set to default, SMB encryption is probed, but not + enforced. When set to required, SMB encryption is required and + if set to disabled, SMB encryption can not be negotiated. + + + + + + Effects for SMB3 and newer + + + Native SMB transport encryption is available in SMB version 3.0 + or newer. It is only used by Samba if + client max protocol is set to + SMB3 or newer. + + + + These features can be controlled with settings of + client smb encrypt as follows: + + + + + + Leaving it as default, explicitly setting + default, or setting it to + if_required globally will enable + negotiation of encryption but will not turn on + data encryption globally. + + + + + + Setting it to desired globally + will enable negotiation and will turn on data encryption + on sessions and share connections for those servers + that support it. + + + + + + Setting it to required globally + will enable negotiation and turn on data encryption + on sessions and share connections. Clients that do + not support encryption will be denied access to the + server. + + + + + + Setting it to off globally will + completely disable the encryption feature for all + connections. + + + + + + + + +default + diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index 3d4033eb2a4..0511bdb41e4 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c @@ -3083,6 +3083,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) /* Async DNS query timeout in seconds. */ lpcfg_do_global_parameter(lp_ctx, "async dns timeout", "10"); + lpcfg_do_global_parameter(lp_ctx, + "client smb encrypt", + "default"); + for (i = 0; parm_table[i].label; i++) { if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) { lp_ctx->flags[i] |= FLAG_DEFAULT; diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index f4f3bce031c..9c2d7634d36 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -963,6 +963,8 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) /* Async DNS query timeout (in seconds). */ Globals.async_dns_timeout = 10; + Globals.client_smb_encrypt = SMB_ENCRYPTION_DEFAULT; + /* Now put back the settings that were set with lp_set_cmdline() */ apply_lp_set_cmdline(); }