From: Andreas Schneider Date: Thu, 10 Oct 2019 12:18:23 +0000 (+0200) Subject: param: Add 'server smb encrypt' parameter X-Git-Tag: talloc-2.3.2~813 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bd5a888746e15eff0a3f24e2a3e8e853fab0993b;p=thirdparty%2Fsamba.git param: Add 'server smb encrypt' parameter And this also makes 'smb encrypt' a synonym of that. Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher --- diff --git a/docs-xml/smbdotconf/security/serversmbencrypt.xml b/docs-xml/smbdotconf/security/serversmbencrypt.xml new file mode 100644 index 00000000000..714aacbf1ca --- /dev/null +++ b/docs-xml/smbdotconf/security/serversmbencrypt.xml @@ -0,0 +1,241 @@ + + + + This parameter controls whether a remote client is allowed or required + to use SMB encryption. It has different effects depending on whether + the connection uses SMB1 or SMB2 and newer: + + + + + + If the connection uses SMB1, then this option controls the use + of a Samba-specific extension to the SMB protocol introduced in + Samba 3.2 that makes use of the Unix extensions. + + + + + + If the connection uses SMB2 or newer, then this option controls + the use of the SMB-level encryption that is supported in SMB + version 3.0 and above and available in Windows 8 and newer. + + + + + + This parameter can be set globally and on a per-share bases. + Possible values are + + off, + if_required, + desired, + and + required. + A special value is default which is + the implicit default setting of if_required. + + + + + Effects for SMB1 + + + The Samba-specific encryption of SMB1 connections is an + extension to the SMB protocol negotiated as part of the UNIX + extensions. SMB encryption uses the GSSAPI (SSPI on Windows) + ability to encrypt and sign every request/response in a SMB + protocol stream. When enabled it provides a secure method of + SMB/CIFS communication, similar to an ssh protected session, but + using SMB/CIFS authentication to negotiate encryption and + signing keys. Currently this is only supported smbclient of by + Samba 3.2 and newer, and hopefully soon Linux CIFSFS and MacOS/X + clients. Windows clients do not support this feature. + + + This may be set on a per-share + basis, but clients may chose to encrypt the entire session, not + just traffic to a specific share. If this is set to mandatory + then all traffic to a share must + be encrypted once the connection has been made to the share. + The server would return "access denied" to all non-encrypted + requests on such a share. Selecting encrypted traffic reduces + throughput as smaller packet sizes must be used (no huge UNIX + style read/writes allowed) as well as the overhead of encrypting + and signing all the data. + + + + If SMB encryption is selected, Windows style SMB signing (see + the option) is no longer + necessary, as the GSSAPI flags use select both signing and + sealing of the data. + + + + When set to auto or default, SMB encryption is offered, but not + enforced. When set to mandatory, SMB encryption is required and + if set to disabled, SMB encryption can not be negotiated. + + + + + + Effects for SMB2 and newer + + + Native SMB transport encryption is available in SMB version 3.0 + or newer. It is only offered by Samba if + server max protocol is set to + SMB3 or newer. + Clients supporting this type of encryption include + Windows 8 and newer, + Windows server 2012 and newer, + and smbclient of Samba 4.1 and newer. + + + + The protocol implementation offers various options: + + + + + + The capability to perform SMB encryption can be + negotiated during protocol negotiation. + + + + + + Data encryption can be enabled globally. In that case, + an encryption-capable connection will have all traffic + in all its sessions encrypted. In particular all share + connections will be encrypted. + + + + + + Data encryption can also be enabled per share if not + enabled globally. For an encryption-capable connection, + all connections to an encryption-enabled share will be + encrypted. + + + + + + Encryption can be enforced. This means that session + setups will be denied on non-encryption-capable + connections if data encryption has been enabled + globally. And tree connections will be denied for + non-encryption capable connections to shares with data + encryption enabled. + + + + + + These features can be controlled with settings of + server smb encrypt as follows: + + + + + + Leaving it as default, explicitly setting + default, or setting it to + if_required globally will enable + negotiation of encryption but will not turn on + data encryption globally or per share. + + + + + + Setting it to desired globally + will enable negotiation and will turn on data encryption + on sessions and share connections for those clients + that support it. + + + + + + Setting it to required globally + will enable negotiation and turn on data encryption + on sessions and share connections. Clients that do + not support encryption will be denied access to the + server. + + + + + + Setting it to off globally will + completely disable the encryption feature for all + connections. Setting server smb encrypt = + required for individual shares (while it's + globally off) will deny access to this shares for all + clients. + + + + + + Setting it to desired on a share + will turn on data encryption for this share for clients + that support encryption if negotiation has been + enabled globally. + + + + + + Setting it to required on a share + will enforce data encryption for this share if + negotiation has been enabled globally. I.e. clients that + do not support encryption will be denied access to the + share. + + + Note that this allows per-share enforcing to be + controlled in Samba differently from Windows: + In Windows, RejectUnencryptedAccess + is a global setting, and if it is set, all shares with + data encryption turned on + are automatically enforcing encryption. In order to + achieve the same effect in Samba, one + has to globally set server smb encrypt to + if_required, and then set all shares + that should be encrypted to + required. + Additionally, it is possible in Samba to have some + shares with encryption required + and some other shares with encryption only + desired, which is not possible in + Windows. + + + + + + Setting it to off or + if_required for a share has + no effect. + + + + + + + + +default + diff --git a/docs-xml/smbdotconf/security/smbencrypt.xml b/docs-xml/smbdotconf/security/smbencrypt.xml index 32a22cb58f5..798e616b765 100644 --- a/docs-xml/smbdotconf/security/smbencrypt.xml +++ b/docs-xml/smbdotconf/security/smbencrypt.xml @@ -1,241 +1,14 @@ + context="S" + type="enum" + enumlist="enum_smb_signing_vals" + function="server_smb_encrypt" + synonym="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - This parameter controls whether a remote client is allowed or required - to use SMB encryption. It has different effects depending on whether - the connection uses SMB1 or SMB2 and newer: + This is a synonym for . - - - - - If the connection uses SMB1, then this option controls the use - of a Samba-specific extension to the SMB protocol introduced in - Samba 3.2 that makes use of the Unix extensions. - - - - - - If the connection uses SMB2 or newer, then this option controls - the use of the SMB-level encryption that is supported in SMB - version 3.0 and above and available in Windows 8 and newer. - - - - - - This parameter can be set globally and on a per-share bases. - Possible values are - off (or disabled), - enabled (or auto, or - if_required), - desired, - and - required - (or mandatory). - A special value is default which is - the implicit default setting of enabled. - - - - - Effects for SMB1 - - - The Samba-specific encryption of SMB1 connections is an - extension to the SMB protocol negotiated as part of the UNIX - extensions. SMB encryption uses the GSSAPI (SSPI on Windows) - ability to encrypt and sign every request/response in a SMB - protocol stream. When enabled it provides a secure method of - SMB/CIFS communication, similar to an ssh protected session, but - using SMB/CIFS authentication to negotiate encryption and - signing keys. Currently this is only supported smbclient of by - Samba 3.2 and newer, and hopefully soon Linux CIFSFS and MacOS/X - clients. Windows clients do not support this feature. - - - This may be set on a per-share - basis, but clients may chose to encrypt the entire session, not - just traffic to a specific share. If this is set to mandatory - then all traffic to a share must - be encrypted once the connection has been made to the share. - The server would return "access denied" to all non-encrypted - requests on such a share. Selecting encrypted traffic reduces - throughput as smaller packet sizes must be used (no huge UNIX - style read/writes allowed) as well as the overhead of encrypting - and signing all the data. - - - - If SMB encryption is selected, Windows style SMB signing (see - the option) is no longer - necessary, as the GSSAPI flags use select both signing and - sealing of the data. - - - - When set to auto or default, SMB encryption is offered, but not - enforced. When set to mandatory, SMB encryption is required and - if set to disabled, SMB encryption can not be negotiated. - - - - - - Effects for SMB2 - - - Native SMB transport encryption is available in SMB version 3.0 - or newer. It is only offered by Samba if - server max protocol is set to - SMB3 or newer. - Clients supporting this type of encryption include - Windows 8 and newer, - Windows server 2012 and newer, - and smbclient of Samba 4.1 and newer. - - - - The protocol implementation offers various options: - - - - - - The capability to perform SMB encryption can be - negotiated during protocol negotiation. - - - - - - Data encryption can be enabled globally. In that case, - an encryption-capable connection will have all traffic - in all its sessions encrypted. In particular all share - connections will be encrypted. - - - - - - Data encryption can also be enabled per share if not - enabled globally. For an encryption-capable connection, - all connections to an encryption-enabled share will be - encrypted. - - - - - - Encryption can be enforced. This means that session - setups will be denied on non-encryption-capable - connections if data encryption has been enabled - globally. And tree connections will be denied for - non-encryption capable connections to shares with data - encryption enabled. - - - - - - These features can be controlled with settings of - smb encrypt as follows: - - - - - - Leaving it as default, explicitly setting - default, or setting it to - enabled globally will enable - negotiation of encryption but will not turn on - data encryption globally or per share. - - - - - - Setting it to desired globally - will enable negotiation and will turn on data encryption - on sessions and share connections for those clients - that support it. - - - - - - Setting it to required globally - will enable negotiation and turn on data encryption - on sessions and share connections. Clients that do - not support encryption will be denied access to the - server. - - - - - - Setting it to off globally will - completely disable the encryption feature for all - connections. Setting smb encrypt = - required for individual shares (while it's - globally off) will deny access to this shares for all - clients. - - - - - - Setting it to desired on a share - will turn on data encryption for this share for clients - that support encryption if negotiation has been - enabled globally. - - - - - - Setting it to required on a share - will enforce data encryption for this share if - negotiation has been enabled globally. I.e. clients that - do not support encryption will be denied access to the - share. - - - Note that this allows per-share enforcing to be - controlled in Samba differently from Windows: - In Windows, RejectUnencryptedAccess - is a global setting, and if it is set, all shares with - data encryption turned on - are automatically enforcing encryption. In order to - achieve the same effect in Samba, one - has to globally set smb encrypt to - enabled, and then set all shares - that should be encrypted to - required. - Additionally, it is possible in Samba to have some - shares with encryption required - and some other shares with encryption only - desired, which is not possible in - Windows. - - - - - - Setting it to off or - enabled for a share has - no effect. - - - - - - default diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index 73f7c065e09..a2cb0fca16d 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -241,7 +241,7 @@ static const struct loadparm_service _sDefault = .aio_write_size = 1, .map_readonly = MAP_READONLY_NO, .directory_name_cache_size = 100, - .smb_encrypt = SMB_SIGNING_DEFAULT, + .server_smb_encrypt = SMB_SIGNING_DEFAULT, .kernel_share_modes = true, .durable_handles = true, .check_parent_directory_delete_on_close = false, diff --git a/source3/smbd/service.c b/source3/smbd/service.c index ed38121f292..a263c33b7e2 100644 --- a/source3/smbd/service.c +++ b/source3/smbd/service.c @@ -567,9 +567,9 @@ static NTSTATUS make_connection_snum(struct smbXsrv_connection *xconn, conn->case_preserve = lp_preserve_case(snum); conn->short_case_preserve = lp_short_preserve_case(snum); - conn->encrypt_level = lp_smb_encrypt(snum); + conn->encrypt_level = lp_server_smb_encrypt(snum); if (conn->encrypt_level > SMB_SIGNING_OFF) { - if (lp_smb_encrypt(-1) == SMB_SIGNING_OFF) { + if (lp_server_smb_encrypt(-1) == SMB_SIGNING_OFF) { if (conn->encrypt_level == SMB_SIGNING_REQUIRED) { DBG_ERR("Service [%s] requires encryption, but " "it is disabled globally!\n", diff --git a/source3/smbd/smb2_negprot.c b/source3/smbd/smb2_negprot.c index 4071f42b5e0..674942b71de 100644 --- a/source3/smbd/smb2_negprot.c +++ b/source3/smbd/smb2_negprot.c @@ -335,7 +335,7 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req) } if ((protocol >= PROTOCOL_SMB2_24) && - (lp_smb_encrypt(-1) != SMB_SIGNING_OFF) && + (lp_server_smb_encrypt(-1) != SMB_SIGNING_OFF) && (in_capabilities & SMB2_CAP_ENCRYPTION)) { capabilities |= SMB2_CAP_ENCRYPTION; } diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c index 2b6b3a820d4..8957411e167 100644 --- a/source3/smbd/smb2_sesssetup.c +++ b/source3/smbd/smb2_sesssetup.c @@ -292,12 +292,12 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session, x->global->signing_flags = SMBXSRV_SIGNING_REQUIRED; } - if ((lp_smb_encrypt(-1) >= SMB_SIGNING_DESIRED) && + if ((lp_server_smb_encrypt(-1) >= SMB_SIGNING_DESIRED) && (xconn->smb2.client.capabilities & SMB2_CAP_ENCRYPTION)) { x->global->encryption_flags = SMBXSRV_ENCRYPTION_DESIRED; } - if (lp_smb_encrypt(-1) == SMB_SIGNING_REQUIRED) { + if (lp_server_smb_encrypt(-1) == SMB_SIGNING_REQUIRED) { x->global->encryption_flags = SMBXSRV_ENCRYPTION_REQUIRED | SMBXSRV_ENCRYPTION_DESIRED; } diff --git a/source3/smbd/smb2_tcon.c b/source3/smbd/smb2_tcon.c index 76112d04889..0dd3c653b4b 100644 --- a/source3/smbd/smb2_tcon.c +++ b/source3/smbd/smb2_tcon.c @@ -302,13 +302,13 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req, TALLOC_FREE(proxy); } - if ((lp_smb_encrypt(snum) >= SMB_SIGNING_DESIRED) && + if ((lp_server_smb_encrypt(snum) >= SMB_SIGNING_DESIRED) && (conn->smb2.server.cipher != 0)) { encryption_desired = true; } - if (lp_smb_encrypt(snum) == SMB_SIGNING_REQUIRED) { + if (lp_server_smb_encrypt(snum) == SMB_SIGNING_REQUIRED) { encryption_desired = true; encryption_required = true; } diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c index e2bafc64d74..251bc4c3e66 100644 --- a/source3/smbd/trans2.c +++ b/source3/smbd/trans2.c @@ -4491,7 +4491,7 @@ static void call_trans2setfsinfo(connection_struct *conn, return; } - if (lp_smb_encrypt(SNUM(conn)) == SMB_SIGNING_OFF) { + if (lp_server_smb_encrypt(SNUM(conn)) == SMB_SIGNING_OFF) { reply_nterror( req, NT_STATUS_NOT_SUPPORTED);