[PATCH]: SMB3 Encryption and "smb encrypt" option

Shekhar Amlekar samlekar at in.ibm.com
Mon Sep 8 13:28:43 MDT 2014


Hi,

I just changed the documentation a bit - please see the attached patches.

Hi Stefan,

The use case is described in section 5.2 here -
http://blogs.technet.com/b/filecab/archive/2012/05/03/smb-3-security-enhancements-in-windows-server-2012.aspx

===
By default, once SMB Encryption is turned on for a share or server, only 
SMB 3 clients will be allowed to access the affected shares. The reason 
for this restriction is to ensure that the administrator’s intent of 
safeguarding the data is maintained for all accesses. However there might 
be situations (for example, a transition period where mixed client OS 
versions will be in use) where an admin may want to allow unencrypted 
access for clients not supporting SMB 3 
===

Comments?

thanks,
shekhar.




"Stefan (metze) Metzmacher" <metze at samba.org> wrote on 09/09/2014 12:28:28 AM:

> From: "Stefan (metze) Metzmacher" <metze at samba.org>
> To: Shekhar Amlekar/India/IBM at IBMIN, samba-technical <samba-technical at lists.samba.org>
> Date: 09/09/2014 12:26 AM
> Subject: Re: [PATCH]: SMB3 Encryption and "smb encrypt" option
> 
> Hi Shekhar,
> 
> > Currently, the smb encrypt option in Samba offers less flexibility in
> > configuring smb3 encryption against Win8/Win2k12 clients. Win2k12 offers
> > two options, EncryptData and RestrictUnencryptedAccess to enable, disable
> > and mandate encryption. However, the auto and disabled settings of smb
> > encrypt behave the same against win8/win2k12 clients.
> > 
> > Please find attached patches that change the behavior of smb encrypt
> > option as follows -
> > 
> > disabled  --> EncryptData = no
> > auto      --> EncryptData = yes, RejectUnencryptedAccess = no
> > mandatory --> EncryptData = yes, RejectEncryptedAccess = yes
> > 
> > I've changed the default to disabled. Would you please review and let me
> > know any comments that you may have,
> 
> We should not change the default to disabled.
> 
> What would be the use case for "EncryptData =yes,
> RejectUnencryptedAccess = no"?
> 
> metze
> 
> [attachment "signature.asc" deleted by Shekhar Amlekar/India/IBM] 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patches
Type: application/octet-stream
Size: 7883 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20140909/431849f7/attachment.obj>
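
Added example, not part of the original message, the attached patch or Samba itself: a small audit that applies the mapping proposed in this thread to an smb.conf and reports which shares would still serve clients without SMB 3 encryption in plaintext. The function names, the constructed sample config and the `unset_value="auto"` fallback are assumptions; the access outcomes follow the Windows Server 2012 behaviour quoted above, reading the second flag as RejectUnencryptedAccess.

```python
import configparser

# Mapping proposed in the thread (an assumption here, not Samba's shipped logic):
# "smb encrypt" value -> (EncryptData, RejectUnencryptedAccess)
PROPOSED = {
    "disabled": (False, False),
    "auto": (True, False),
    "mandatory": (True, True),
}

def outcome(setting, client_supports_smb3_encryption):
    """What a client gets for one share: 'encrypted', 'plaintext' or 'denied'."""
    encrypt_data, reject_unencrypted = PROPOSED[setting]
    if not encrypt_data:
        return "plaintext"
    if client_supports_smb3_encryption:
        return "encrypted"
    return "denied" if reject_unencrypted else "plaintext"

def audit(conf_text, unset_value="auto"):
    """Return {share: (setting, smb3_client_outcome, legacy_client_outcome)}."""
    # default_section="global" makes every share inherit [global] values.
    cp = configparser.ConfigParser(default_section="global", interpolation=None)
    cp.read_string(conf_text)
    report = {}
    for share in cp.sections():
        setting = cp.get(share, "smb encrypt", fallback=unset_value).strip().lower()
        if setting not in PROPOSED:
            raise ValueError(f"[{share}] unknown smb encrypt value: {setting!r}")
        report[share] = (setting, outcome(setting, True), outcome(setting, False))
    return report

def plaintext_exposed(report):
    """Shares where a client without SMB 3 encryption is served unencrypted."""
    return sorted(s for s, (_, _, legacy) in report.items() if legacy == "plaintext")

# Constructed sample configuration, for illustration only.
SAMPLE = """
[global]
smb encrypt = auto
[finance]
path = /srv/finance
smb encrypt = mandatory
[scratch]
path = /srv/scratch
smb encrypt = disabled
[projects]
path = /srv/projects
"""

if __name__ == "__main__":
    for share, row in audit(SAMPLE).items():
        print(share, *row)
```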