Encrypted CIFS

Jeremy Allison jra at samba.org
Tue Sep 19 17:01:17 GMT 2006


On Tue, Sep 19, 2006 at 06:14:46PM +0200, Stefan (metze) Metzmacher wrote:
> 
> I think we should implement something like this:
> 
> 1.) create a new SMB dialect "Samba 3.0.24" and let the client send that
>     by default. When the server also supports it, it can tell the client
>     the connection will be used with this dialect.

I don't want to make this dialect-specific. It fits better into
the UNIX capabilities bitmask as it's UNIX CIFS specific.

> 2.) because client and server know that they're not talking to windows
>     the session setup could contain some flags to say if the client
>     wants plain, sign or sign/seal for the new UserSession.

Again, I think this is better done on UNIX capabilities "set".

> 3.) on further packets we would do the following depending whether
>     plain, sign or sign/seal was selected on the UserSession:
> 
>     - then we would call gensec_seal() on the SMB payload data
>       (maybe multiple times depending on the gensec_max_input_data()
>       and gensec_max_wrapped_data()) and append the resulting signatures
>       behind the buffer. We could maybe use the SMB signature field (2 * uint32)
>       for storing the offset to the first GSSAPI signature and the count
>       of chunks

I actually like Volker's idea of just doing this on the data
portion of the packet, before the signing is done on the header.

It's simple, and fits easily into the way the signing is already
done.

Jeremy.
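The framing the two messages above argue over, shown as an added example that is not code from the Samba project or from either poster: the payload is sealed in chunks no larger than a maximum input size, each chunk's seal signature is appended behind the data buffer (metze's point 3), and the ordinary per-packet signature is then computed over the header plus the already-sealed data, as Volker and Jeremy prefer. Everything crypto-specific is a stand-in: `_seal_chunk` uses HMAC-SHA256 in counter mode plus an HMAC tag in place of `gensec_seal()`, `_sign` uses a truncated HMAC in place of the real SMB packet MAC, the 21-byte header layout and the `MAX_INPUT`, `TAG_LEN` values are constructed for the illustration, and the keys are hard-coded constants that a real session would derive from the authenticated context.

```python
"""Seal the SMB data portion, then sign the whole packet (constructed illustration)."""
import hashlib
import hmac
import struct

# Constructed keys; a real session would derive both from the GSSAPI/gensec context.
SEAL_KEY = b"constructed-seal-key"
SIGN_KEY = b"constructed-sign-key"

MAX_INPUT = 64   # stand-in for gensec_max_input_data(): plaintext bytes per seal call
TAG_LEN = 16     # per-chunk seal signature, appended behind the data buffer
SIG_LEN = 8      # the 8-byte SMB signature field (2 * uint32)

# Constructed header: magic, command, sequence number, signature, plaintext length.
HDR_FMT = ">4sBI8sI"
HDR_LEN = struct.calcsize(HDR_FMT)
MAGIC = b"\xffSMB"


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, used here as a stand-in stream cipher."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])


def _seal_chunk(seq, idx, chunk):
    """Stand-in for gensec_seal(): returns (ciphertext, seal signature) for one chunk."""
    nonce = struct.pack(">II", seq, idx)  # unique per packet sequence number and chunk
    ct = bytes(a ^ b for a, b in zip(chunk, _keystream(SEAL_KEY, nonce, len(chunk))))
    tag = hmac.new(SEAL_KEY, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return ct, tag


def _unseal_chunk(seq, idx, ct, tag):
    """Inverse of _seal_chunk: verify the seal signature before decrypting."""
    nonce = struct.pack(">II", seq, idx)
    expected = hmac.new(SEAL_KEY, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        raise ValueError("seal signature mismatch")
    return bytes(a ^ b for a, b in zip(ct, _keystream(SEAL_KEY, nonce, len(ct))))


def seal_data(seq, data):
    """Seal the payload in MAX_INPUT chunks; all chunk signatures go behind the buffer."""
    cts, tags = [], []
    for idx, off in enumerate(range(0, len(data), MAX_INPUT)):
        ct, tag = _seal_chunk(seq, idx, data[off:off + MAX_INPUT])
        cts.append(ct)
        tags.append(tag)
    return b"".join(cts) + b"".join(tags)


def unseal_data(seq, sealed, plain_len):
    """Split the sealed buffer back into chunks and trailing signatures, then unseal."""
    nchunks = -(-plain_len // MAX_INPUT)  # ceil: chunk count follows from the plaintext length
    if len(sealed) != plain_len + nchunks * TAG_LEN:
        raise ValueError("sealed length does not match header")
    body, tags = sealed[:plain_len], sealed[plain_len:]
    out = bytearray()
    for idx in range(nchunks):
        ct = body[idx * MAX_INPUT:(idx + 1) * MAX_INPUT]
        tag = tags[idx * TAG_LEN:(idx + 1) * TAG_LEN]
        out += _unseal_chunk(seq, idx, ct, tag)
    return bytes(out)


def _sign(header_with_zero_sig, body):
    """Stand-in for SMB packet signing: MAC over header (signature field zeroed) + body."""
    return hmac.new(SIGN_KEY, header_with_zero_sig + body, hashlib.sha256).digest()[:SIG_LEN]


def build_packet(command, seq, data):
    """Seal the data portion first, then sign the packet exactly as an unsealed one."""
    sealed = seal_data(seq, data)
    unsigned = struct.pack(HDR_FMT, MAGIC, command, seq, bytes(SIG_LEN), len(data))
    sig = _sign(unsigned, sealed)
    return struct.pack(HDR_FMT, MAGIC, command, seq, sig, len(data)) + sealed


def parse_packet(packet):
    """Check the packet signature before touching the sealed data; returns (command, seq, data)."""
    if len(packet) < HDR_LEN:
        raise ValueError("short packet")
    magic, command, seq, sig, plain_len = struct.unpack(HDR_FMT, packet[:HDR_LEN])
    if magic != MAGIC:
        raise ValueError("bad magic")
    sealed = packet[HDR_LEN:]
    unsigned = struct.pack(HDR_FMT, magic, command, seq, bytes(SIG_LEN), plain_len)
    if not hmac.compare_digest(_sign(unsigned, sealed), sig):
        raise ValueError("packet signature mismatch")
    return command, seq, unseal_data(seq, sealed, plain_len)
```

Because the sequence number feeds both the chunk nonces and the packet signature, the receiver rejects a sealed body replayed under a different sequence number at the seal-signature check, and any change to the sealed bytes is caught by the header signature before a single chunk is unsealed, which is the property that makes "seal the data, then sign as usual" compose cleanly with the existing signing code.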

