From: Michael Adam
Date: Tue, 30 Jun 2015 15:46:36 +0000 (+0200)
Subject: docs:smb.conf: explain effect of new setting 'desired' of smb encrypt
X-Git-Tag: samba-4.1.20~12
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a55bed3f8ceccd06a6f73bbec752d9fbc7b97001;p=thirdparty%2Fsamba.git

docs:smb.conf: explain effect of new setting 'desired' of smb encrypt

Thereby clarify some details.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372

Signed-off-by: Michael Adam
Reviewed-by: Guenther Deschner
(cherry picked from commit 365d9d8bdfe9759ef9662d0080cf9c9a0767dbf2)
---
diff --git a/docs-xml/smbdotconf/security/smbencrypt.xml b/docs-xml/smbdotconf/security/smbencrypt.xml index 14b32c2b675..284fe9e4e98 100644 --- a/docs-xml/smbdotconf/security/smbencrypt.xml +++ b/docs-xml/smbdotconf/security/smbencrypt.xml @@ -31,11 +31,15 @@ This parameter can be set globally and on a per-share bases. Possible values are - off or disabled, - auto or enabled, and - mandatory or required. + off (or disabled), + enabled (or auto, or + if_required), + desired, + and + required + (or mandatory). A special value is default which is - the implicit default setting. + the implicit default setting of enabled. @@ -104,7 +108,7 @@ The capability to perform SMB encryption can be - negotiated during prorocol negotiation. + negotiated during protocol negotiation. @@ -146,8 +150,9 @@ - Leaving it as default or explicitly setting - default globally will enable + Leaving it as default, explicitly setting + default, or setting it to + enabled globally will enable negotiation of encryption but will not turn on data encryption globally or per share. 
@@ -155,16 +160,20 @@ - Setting it to enabled globally will - enable negotiation and turn on data encryption globally. + Setting it to desired globally + will enable negotiation and will turn on data encryption + on sessions and share connections for those clients + that support it. Setting it to required globally - will enable negotiation and enforce data encryption - globally. + will enable negotiation and turn on data encryption + on sessions and share connections. Clients that do + not support encryption will be denied access to the + server. @@ -177,9 +186,10 @@ - Setting it to enabled on a share - will turn on data encryption for this share if - negotiation has been enabled globally. + Setting it to desired on a share + will turn on data encryption for this share for clients + that support encryption if negotiation has been + enabled globally. 
@@ -187,16 +197,34 @@ Setting it to required on a share will enforce data encryption for this share if - negotiation has been enabled globally. Note that this - allows enforcing to be controlled in Samba more - fine-grainedly than in Windows. This is a small - deviation from the MS-SMB2 protocol document. + negotiation has been enabled globally. I.e. clients that + do not support encryption will be denied access to the + share. + + + Note that this allows per-share enforcing to be + controlled in Samba differently from Windows: + In Windows, RejectUnencryptedAccess + is a global setting, and if it is set, all shares with + data encryption turned on + are automatically enforcing encryption. In order to + achieve the same effect in Samba, one + has to globally set smb encrypt to + enabled, and then set all shares + that should be encrypted to + required. + Additionally, it is possible in Samba to have some + shares with encryption required + and some other shares with encryption only + desired, which is not possible in + Windows. - Setting it to off for a share has + Setting it to off or + enabled for a share has no effect.
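Review bot: the unchanged context line of the @@ -31,11 +31,15 @@ hunk still reads "on a per-share bases"; since this change already corrects "prorocol" in the @@ -104,7 +108,7 @@ hunk, fix this one to "basis" in the same pass. The new value list also introduces if_required as an alias of enabled, a name that is easy to misread as required and that none of the later paragraphs mention again, so a short remark that it does not enforce encryption would help.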
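Review bot: the @@ -155,16 +160,20 @@ hunk silently redefines enabled without a note for existing configurations. The removed sentence said that enabled set globally would "enable negotiation and turn on data encryption globally", the added text gives that role to desired, and the @@ -146,8 +150,9 @@ hunk now lists enabled among the values that "will not turn on data encryption globally or per share". Add a sentence telling administrators who have smb encrypt = enabled (or auto) in smb.conf that, as documented here, this value only enables negotiation, and that desired or required is needed to turn data encryption on.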
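Review bot: the desired paragraph in the @@ -177,9 +186,10 @@ hunk says encryption is turned on "for clients that support encryption" but leaves the other case implicit. State explicitly whether clients without encryption support are still given unencrypted access to the share, in the way the required paragraphs state that such clients "will be denied access", so that readers who need a confidentiality guarantee know that desired does not provide one. The same sentence would fit the global desired paragraph in the previous hunk.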
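Review bot: at the end of the @@ -187,16 +197,34 @@ hunk, "Setting it to off or enabled for a share has no effect" does not say what it has no effect on. With the global value at desired or required, a reader could assume that a per-share off exempts that share from encryption; spell out whether the global setting still applies in that case, for example by saying that these share-level values do not change the behaviour determined by the global setting, if that is the intended meaning. As a style point in the same hunk, "I.e. clients that do not support encryption" reads better as "That is, clients ...".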