values for "client signing" and "server signing"
Stefan (metze) Metzmacher
metze at samba.org
Wed Oct 26 08:15:38 MDT 2011
Hi,
the values for "client signing" and "server signing" are not very
well defined (at least for me they are confusing).
static const struct enum_list enum_smb_signing_vals[] = {
{False, "No"},
{False, "False"},
{False, "0"},
{False, "Off"},
{False, "disabled"},
{True, "Yes"},
{True, "True"},
{True, "1"},
{True, "On"},
{True, "enabled"},
{Auto, "auto"},
{Required, "required"},
{Required, "mandatory"},
{Required, "force"},
{Required, "forced"},
{Required, "enforced"},
{-1, NULL}
};
Globals.client_signing = Auto;
Globals.server_signing = False;
From the smb.conf manpage:
client signing (G)
This controls whether the client is allowed or required to
use SMB signing. Possible values are auto,
mandatory and disabled.
When set to auto, SMB signing is offered, but not enforced.
When set to mandatory, SMB signing is
required and if set to disabled, SMB signing is not offered
either.
Default: client signing = auto
server signing (G)
This controls whether the client is allowed or required to
use SMB signing. Possible values are auto,
mandatory and disabled.
When set to auto, SMB signing is offered, but not enforced.
When set to mandatory, SMB signing is
required and if set to disabled, SMB signing is not offered
either.
Default: server signing = Disabled
"enabled" is not documented and seems to have the same behavior as "auto"
in release up to 3.6.x.
However on the client side I see 4 possible states instead of 3:
1. never use signing
2. use signing if the server requires it
3. use signing if the server supports it
4. require smb signing
In master we support 4 possible states and we use the following logic:
switch (signing_state) {
case false:
/* never */
allow_smb_signing = false;
desire_smb_signing = false;
mandatory_signing = false;
break;
case true:
/* if the server supports it */
allow_smb_signing = true;
desire_smb_signing = true;
mandatory_signing = false;
break;
default:
case Undefined:
case Auto:
/* if the server requires it */
allow_smb_signing = true;
desire_smb_signing = false;
mandatory_signing = false;
break;
case Required:
/* always */
allow_smb_signing = true;
desire_smb_signing = true;
mandatory_signing = true;
break;
}
In source4 we have this:
static const struct enum_list enum_smb_signing_vals[] = {
{SMB_SIGNING_OFF, "No"},
{SMB_SIGNING_OFF, "False"},
{SMB_SIGNING_OFF, "0"},
{SMB_SIGNING_OFF, "Off"},
{SMB_SIGNING_OFF, "disabled"},
{SMB_SIGNING_SUPPORTED, "Yes"},
{SMB_SIGNING_SUPPORTED, "True"},
{SMB_SIGNING_SUPPORTED, "1"},
{SMB_SIGNING_SUPPORTED, "On"},
{SMB_SIGNING_SUPPORTED, "enabled"},
{SMB_SIGNING_REQUIRED, "required"},
{SMB_SIGNING_REQUIRED, "mandatory"},
{SMB_SIGNING_REQUIRED, "force"},
{SMB_SIGNING_REQUIRED, "forced"},
{SMB_SIGNING_REQUIRED, "enforced"},
{SMB_SIGNING_AUTO, "auto"},
{-1, NULL}
};
In the client SMB_SIGNING_AUTO and SMB_SIGNING_SUPPORTED have the same
behavior.
But in the server SMB_SIGNING_AUTO triggers behavior depending on the
server role,
a dc requires signing, while other roles disable it by default.
Maybe we should add a SMB_SIGNING_DEFAULT "default" setting, which
indicates the default
value if not specified in the configuration.
Then remove SMB_SIGNING_AUTO and map "auto" to SMB_SIGNING_SUPPORTED.
Then we could have a new "desired", "if_required" that maps to
SMB_SIGNING_DESIRED
and lets the client use signing if the server supports it.
Comments please:-)
metze
H
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20111026/2bbd66ba/attachment.pgp>
More information about the samba-technical
mailing list