encryption on network

Dominic Dougherty dominic.dougherty at protegrity.com
Thu Jul 28 20:11:47 MDT 2011


Thanks guys,

I know this is an interesting one and there is more than one way to solve it.

1.) install a VPN server which is natively supported by any Windows machine (PPTP or L2TP or IPSEC) on the Samba server and establish a VPN connection to the Samba server.
2.) the newer version of Samba supports SSL. However, the only valid client for this is smbclient.  Not supported by the "net use" command.
3.) use sshfs on the Samba server and install PuTTY on the local Windows box and use port forwarding to connect to the Samba share.
4.) configure IPsec on the Windows network
5.) use WebDAV on Apache with HTTPS
6.) use stunnel and the Microsoft loopback adapter to encrypt traffic.

I was hoping to get something working without installing anything extra on the client and which could be natively supported by Windows.

CIFS is supposed to support encryption, I would have to check up on that. 


Dominic


-----Original Message-----
From: Steve French [mailto:smfrench at gmail.com] 
Sent: Thursday, July 28, 2011 9:23 PM
To: Christopher R. Hertel
Cc: Jeremy Allison; Dominic Dougherty; samba-technical at lists.samba.org; linux-cifs at vger.kernel.org
Subject: Re: encryption on network

On Thu, Jul 28, 2011 at 7:26 PM, Christopher R. Hertel <crh at ubiqx.mn.org> wrote:
> Jeremy Allison wrote:
> :
>>> Right, but the question particularly listed WinXP as one of the
>>> participating clients.  Windows clients don't support the Unix extensions,
>>> so they don't support encrypted SMB and that kinda ruins the whole thing,
>>> eh?  [sad face]
>>
>> Yes I realize that. But that's not what you said. You said:
>> "The SMB protocol does not provide any mechanism for encrypting traffic
>> between clients and servers." - but that's not generically true,
>> only between *Microsoft* clients and servers.
>
> Well... technically the SMB protocol (as it exists today) is defined by the
> Microsoft specifications, and they don't include any support for encryption.
>
> There is, unfortunately, no "official" specification of the Unix extensions
> for SMB (only an old draft that doesn't include encryption, IIRC).  Also, as
> their name suggests, they're extensions to the protocol which means that
> they're not part of the protocol itself.
>
>> You made it sound like that was definitive, and you are the
>> acknowledged authority on CIFS/SMB, so I couldn't let that
>> stand. People link to your posts here :-).
>
> Absolutely right to set the record straight.  I should have added the caveat
> that the Unix extensions include support for encryption.
>
>>> Please allow me to join the choir on that.  (I'll sit at the back and not
>>> get in anyone's way.)  [winky face]
>>
>> Maybe if we all wish REALLY HARD, Steve and Jeff will hear
>> us.. :-).
>
> Don't forget to click your heels together and burn the tana leaves when the
> moon is full over Vermont.  ;)

I haven't forgotten ... just queued up behind reviewing ~10 other patches.


-- 
Thanks,

Steve

