values for "client signing" and "server signing"
abartlet at samba.org
Wed Nov 2 23:51:58 MDT 2011
On Wed, 2011-11-02 at 21:38 +0100, Stefan (metze) Metzmacher wrote:
> Hi Andrew,
> >> Then remove SMB_SIGNING_AUTO and map "auto" to SMB_SIGNING_SUPPORTED.
> >> Then we could have a new "desired", "if_required" that maps to
> >> SMB_SIGNING_DESIRED
> >> and lets the client use signing if the server supports it.
> > I don't see the value in the desired setting, due to historical
> > behaviours of Windows clients and servers. It seems to me that SMB
> > signing is only ever enabled on DCs, and there it is required. I say
> > this because what is the value of negotiated SMB signing, when the
> > negotiation is subject to MITM attacks. If SMB signing had been in the
> > protocols early enough, we could have required that session setup
> > packets be signed, and so had a sensible way to turn this off safely for
> > bulk data. However, we don't, and as I understand it even SMB2 didn't
> > do this properly.
> > The choice of what options to present to the client depends on if we
> > wish to give users maximum choice, or just the options they can actually
> > use to improve network security:
> > Therefore, for the client, I see three settings:
> > - disabled
> > - default (use if available or required e.g. by the DC), matches Windows
> > default as I recall
> > - required (paranoid, for specialist environments)
> > On the server I see three settings:
> > - disabled
> > - default (off for normal servers, required for the DC)
> > - required
> > The additional option of 'supported' (available but not required) on the
> > server is possible as well, but it would only be helpful for testing,
> > it would not improve network security because a MITM can just disable
> > it.
> > On the client, I guess we can have the option of 'only if required' but
> > would anyone use it, given no servers set 'supported' due to the
> > performance cost?
> > The only other detail is to ensure that in our DC client code (eg
> > winbindd) we should ensure we require smb signing, to protect that
> > communication from alteration.
> > I do appreciate you sorting out the options here, it is important to get
> > this in common, both for your work in the client libs, and for the work
> > towards a common loadparm. I trust your judgement in working it out
> > from here.
> I've prepared a branch with the changes, it doesn't pass make test yet,
> but I hope you get the idea. (I'll later add SMB_SIGNING_IF_SUPPORTED).

Wow, that is a big patch stream.
I've looked over the approach (and each patch, but not in detail), and
it seems to be exactly the right idea. Thanks for using the
SMB_SIGNING_ prefix as the long-term name of the constants.
The final stage will be to share the enumeration in the loadparm libs.
I'll try to prepare a demo of that for 'security=' to show you how to do

> If that's done I'll be very close to bringing my smb2 client library
> changes to master

I had a harder time making sense of this branch, but I'll take it on
trust that it's a good thing. Let me know if there is anything more I
can do to help.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
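
Added example, not part of the original message and not Samba code: a simplified C model of the argument in the thread that a negotiated "supported" signing level can be switched off by tampering with the unsigned negotiation, while "required" on either side fails closed. The enum names, the three-level policy and the single "enabled" bit are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical three-level model of the settings discussed in the thread;
 * these names are not Samba's SMB_SIGNING_* constants. */
enum signing { SIGN_DISABLED, SIGN_SUPPORTED, SIGN_REQUIRED };
enum outcome { CONN_UNSIGNED, CONN_SIGNED, CONN_REFUSED };

/* Whether the peer's "signing enabled" bit survives the negotiate exchange.
 * That exchange is itself unsigned, so an on-path party can clear the bit. */
static bool peer_enabled_as_seen(enum signing peer, bool tampered)
{
    return !tampered && peer != SIGN_DISABLED;
}

/* Each side can enforce only its own local policy against what it sees. */
enum outcome negotiate(enum signing client, enum signing server, bool tampered)
{
    bool client_sees = peer_enabled_as_seen(server, tampered);
    bool server_sees = peer_enabled_as_seen(client, tampered);
    if (client == SIGN_REQUIRED && !client_sees) return CONN_REFUSED;
    if (server == SIGN_REQUIRED && !server_sees) return CONN_REFUSED;
    return (client_sees && server_sees) ? CONN_SIGNED : CONN_UNSIGNED;
}

/* Count setting pairs that sign normally but fall back to an unsigned
 * session, without any error, once the negotiation is tampered with. */
int silent_downgrades(void)
{
    int n = 0;
    for (int c = SIGN_DISABLED; c <= SIGN_REQUIRED; c++)
        for (int s = SIGN_DISABLED; s <= SIGN_REQUIRED; s++)
            if (negotiate(c, s, false) == CONN_SIGNED &&
                negotiate(c, s, true) == CONN_UNSIGNED)
                n++;
    return n;
}

int main(void)
{
    static const char *res[] = { "unsigned", "signed", "refused" };
    for (int c = 0; c < 3; c++)
        for (int s = 0; s < 3; s++)
            printf("client=%d server=%d clean=%s tampered=%s\n", c, s,
                   res[negotiate(c, s, false)], res[negotiate(c, s, true)]);
    printf("silent downgrades: %d\n", silent_downgrades());
    return 0;
}
```

In this model the only pair that degrades silently is "supported" on both sides; every pair with "required" on at least one side ends in a refused connection instead of an unsigned one.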