svn commit: samba-docs r1218 - in trunk/smbdotconf/security: .

jra at samba.org jra at samba.org
Mon Dec 31 02:22:27 GMT 2007 

Author: jra
Date: 2007-12-31 02:22:27 +0000 (Mon, 31 Dec 2007)
New Revision: 1218

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba-docs&rev=1218

Log:
Add "smb encrypt" to smb.conf.
Jeremy.

Added:
   trunk/smbdotconf/security/smbencrypt.xml


Changeset:
Added: trunk/smbdotconf/security/smbencrypt.xml
===================================================================
--- trunk/smbdotconf/security/smbencrypt.xml	2007-12-20 10:00:30 UTC (rev 1217)
+++ trunk/smbdotconf/security/smbencrypt.xml	2007-12-31 02:22:27 UTC (rev 1218)
@@ -0,0 +1,45 @@
+<samba:parameter name="smb encrypt"
+                 context="S"
+				 type="enum"
+                 basic="1"
+		 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+    <para>This is a new feature introduced with Samba 3.2 and above. It is an
+    extension to the SMB/CIFS protocol negotiated as part of the UNIX extensions.
+    SMB encryption uses the GSSAPI (SSPI on Windows) ability to encrypt
+    and sign every request/response in a SMB protocol stream. When
+    enabled it provides a secure method of SMB/CIFS communication,
+    similar to an ssh protected session, but using SMB/CIFS authentication
+    to negotiate encryption and signing keys. Currently this is only
+    supported by Samba 3.2 smbclient, and hopefully soon Linux CIFSFS
+    and MacOS/X clients. Windows clients do not support this feature.
+    </para>
+
+    <para>This controls whether the server offers or requires
+    the client it talks to to use SMB encryption. Possible values 
+    are <emphasis>auto</emphasis>, <emphasis>mandatory</emphasis> 
+    and <emphasis>disabled</emphasis>. This may be set on a per-share
+    basis, but clients may chose to encrypt the entire session, not
+    just traffic to a specific share. If this is set to mandatory
+    then all traffic to a share <emphasis>must</emphasis> must
+    be encrypted once the connection has been made to the share.
+    The server would return "access denied" to all non-encrypted
+    requests on such a share. Selecting encrypted traffic reduces
+    throughput as smaller packet sizes must be used (no huge UNIX
+    style read/writes allowed) as well as the overhead of encrypting
+    and signing all the data.
+    </para>
+
+    <para>If SMB encryption is selected, Windows style SMB signing (see
+    the <smbconfoption name="server signing"/> option) is no longer necessary,
+    as the GSSAPI flags use select both signing and sealing of the data.
+    </para>
+
+    <para>When set to auto, SMB encryption is offered, but not enforced. 
+    When set to mandatory, SMB encryption is required and if set 
+    to disabled, SMB encryption can not be negotiated.</para>
+</description>
+
+<value type="default">auto</value>
+</samba:parameter>

More information about the samba-cvs mailing list