smbclient and negotiating encryption support when smb encryption is mandatory
smfrench at gmail.com
Wed May 11 02:05:05 MDT 2011
On Wed, May 11, 2011 at 12:52 AM, Jeremy Allison <jra at samba.org> wrote:
> On Tue, May 10, 2011 at 06:10:01PM -0500, Steve French wrote:
>> Connecting to Samba 3.6 with smbclient to test per-share encryption, I
>> noticed that smbclient worked when I specified "-e" (and does send the
>> required query fs unix info and set fs calls). I don't see those
>> calls when -e is not specified in smbclient (so the server closes the
>> session after the first SMB echo is sent, presumably because it is not
>> encrypted) and if a querypathinfo is sent first it gets access denied.
>> Why would smbclient only negotiate unix extensions when "-e" is
>> specified - how else would it know that "smb encryption" is mandatory?
>> I have "smb encryption = mandatory" under the definition for the share
>> in smb.conf
> That's to be expected. The -e specifies "use encryption". There
> is no way to know the server has a share set as "smb encryption = mandatory"
> other than that connections without encryption will fail.
> This has to be a client-set parameter. You have to know you're
> connecting to an encrypted share.
Why? Query fs unix info reports capabilities (including locking and
acl support) and whether encryption is mandatory or optional or not
supported on the share:
#define CIFS_UNIX_TRANSPORT_ENCRYPTION_CAP 0x00000100 /* can do SPNEGO crypt */
#define CIFS_UNIX_TRANSPORT_ENCRYPTION_MANDATORY_CAP 0x00000200 /* must do */
More information about the samba-technical