values for "client signing" and "server signing"

Stefan (metze) Metzmacher metze at samba.org
Wed Nov 2 14:38:22 MDT 2011


Hi Andrew,

>> Then remove SMB_SIGNING_AUTO and map "auto" to SMB_SIGNING_SUPPORTED.
>> Then we could have a new "desired", "if_required" that maps to
>> SMB_SIGNING_DESIRED
>> and lets the client use signing if the server supports it.
> 
> I don't see the value in the desired setting, due to historical
> behaviours of Windows clients and servers.  It seems to me that SMB
> signing is only ever enabled on DCs, and there it is required.  I say
> this because what is the value of negotiated SMB signing, when the
> negotiation is subject to MITM attacks.  If SMB signing had been in the
> protocols early enough, we could have required that session setup
> packets be signed, and so had a sensible way to turn this off safely for
> bulk data.  However, we don't, and as I understand it even SMB2 didn't
> do this properly.
> 
> The choice of what options to present to the client depends on if we
> wish to give users maximum choice, or just the options they can actually
> use to improve network security:
> 
> Therefore, for the client, I see three settings:
>  - disabled
>  - default (use if available or required, e.g. by the DC), matches Windows
> default as I recall
>  - required (paranoid, for specialist environments)
> 
> On the server I see three settings:
>  - disabled
>  - default (off for normal servers, required for the DC)
>  - required
> 
> The additional option of 'supported' (available but not required) on the
> server is possible as well, but it would only be helpful for testing,
> it would not improve network security because a MITM can just disable
> it.  
> 
> On the client, I guess we can have the option of 'only if required' but
> would anyone use it, given no servers set 'supported' due to the
> performance cost?
> 
> The only other detail is to ensure that in our DC client code (eg
> winbindd) we should ensure we require smb signing, to protect that
> communication from alteration. 
> 
> I do appreciate you sorting out the options here, it is important to get
> this in common, both for your work in the client libs, and for the work
> towards a common loadparm.  I trust your judgement in working it out
> from here.

I've prepared a branch with the changes, it doesn't pass make test yet,
but I hope you get the idea. (I'll later add SMB_SIGNING_IF_SUPPORTED).
http://gitweb.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master3-signing

If that's done I'll be very close to bringing my smb2 client library
changes to master
http://gitweb.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-smb2

metze
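
The downgrade argument in the quoted message, as an added example that is not part of the original post and is not Samba's code: a simplified C model of a signing negotiation that is itself unsigned. The enum names and the `tampered` flag are hypothetical, and the model assumes each side advertises only an "offers" and a "requires" bit.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical names for this model; these are not Samba's SMB_SIGNING_* values. */
enum setting { SIGN_DISABLED, SIGN_IF_OFFERED, SIGN_REQUIRED };
enum outcome { OUT_UNSIGNED, OUT_SIGNED, OUT_REFUSED };

/* One endpoint's decision from its own setting and the bits it saw from the peer. */
static enum outcome decide(enum setting local, bool peer_offers, bool peer_requires)
{
    if (local == SIGN_REQUIRED)
        return peer_offers ? OUT_SIGNED : OUT_REFUSED;
    if (local == SIGN_DISABLED)
        return peer_requires ? OUT_REFUSED : OUT_UNSIGNED;
    return peer_offers ? OUT_SIGNED : OUT_UNSIGNED;
}

/* tampered: the signing bits were cleared in both directions of the unsigned
 * negotiation, so each side sees a peer that neither offers nor requires. */
enum outcome negotiate(enum setting client, enum setting server, bool tampered)
{
    bool c_offers   = !tampered && client != SIGN_DISABLED;
    bool c_requires = !tampered && client == SIGN_REQUIRED;
    bool s_offers   = !tampered && server != SIGN_DISABLED;
    bool s_requires = !tampered && server == SIGN_REQUIRED;
    enum outcome c = decide(client, s_offers, s_requires);
    enum outcome s = decide(server, c_offers, c_requires);

    if (c == OUT_REFUSED || s == OUT_REFUSED)
        return OUT_REFUSED;
    return (c == OUT_SIGNED && s == OUT_SIGNED) ? OUT_SIGNED : OUT_UNSIGNED;
}

int main(void)
{
    static const char *const sn[] = { "disabled", "if-offered", "required" };
    static const char *const on[] = { "unsigned", "signed", "refused" };

    for (int c = 0; c < 3; c++)
        for (int s = 0; s < 3; s++)
            printf("client=%-10s server=%-10s clean=%-8s tampered=%s\n",
                   sn[c], sn[s],
                   on[negotiate((enum setting)c, (enum setting)s, false)],
                   on[negotiate((enum setting)c, (enum setting)s, true)]);
    return 0;
}
```

In the printed table, the only rows where tampering ends in `refused` rather than a silent `unsigned` session are those where at least one side is set to required, which is why the DC client code (winbindd) is singled out above.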
