values for "client signing" and "server signing"

Stefan (metze) Metzmacher metze at
Wed Nov 2 14:38:22 MDT 2011

Hi Andrew,

>> Then remove SMB_SIGNING_AUTO and map "auto" to SMB_SIGNING_SUPPORTED.
>> Then we could have a new "desired", "if_required" that maps to
>> and lets the client use signing if the server supports it.
> I don't see the value in the desired setting, due to historical
> behaviours of Windows clients and servers.  It seems to me that SMB
> signing is only ever enabled on DCs, and there it is required.  I say
> this because what is the value of negotiated SMB signing, when the
> negotiation is subject to MITM attacks.  If SMB signing had been in the
> protocols early enough, we could have required that session setup
> packets be signed, and so had a sensible way to turn this off safely for
> bulk data.  However, we don't, and as I understand it even SMB2 didn't
> do this properly.
> The choice of what options to present to the client depends on if we
> wish to give users maximum choice, or just the options they can actually
> use to improve network security:
> Therefore, for the client, I see three settings:
>  - disabled
>  - default (use if available or required eg by the DC), matches windows
> default as I recall
>  - required (paranoid, for specialist environments)
> On the server I see three settings:
>  - disabled
>  - default (off for normal servers, required for the DC)
>  - required
> The additional option of 'supported' (available but not required) on the
> server are possible as well, but it would only be helpful for testing,
> it would not improve network security because a MITM can just disable
> it.  
> On the client, I guess we can have the option of 'only if required' but
> would anyone use it, given no servers set 'supported' due to the
> performance cost?
> The only other detail is to ensure that in our DC client code (eg
> winbindd) we should ensure we require smb signing, to protect that
> communication from alteration. 
> I do appreciate you sorting out the options here, it is important to get
> this in common, both for your work in the client libs, and for the work
> towards a common loadparm.  I trust your judgement in working it out
> from here.

I've prepared a branch with the changes, it doesn't pass make test yet,
but I hope you get the idea. (I'll later add SMB_SIGNING_IF_SUPPORTED).;a=shortlog;h=refs/heads/master3-signing

If that's done I'll be very close bringing my smb2 client library
changes to master;a=shortlog;h=refs/heads/master4-smb2


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the samba-technical mailing list