[PATCH]: SMB3 Encryption and "smb encrypt" option
Stefan (metze) Metzmacher
metze at samba.org
Fri Sep 12 04:12:20 MDT 2014
> I just changed the documentation a bit - please see the attached patches.
I think it's time to add a new SMB_SIGNING_DESIRED value.
And also set SMB2_SHAREFLAG_ENCRYPT_DATA with "smb encrypt = desired"
in order to indicate that clients should use encryption, but would not
But I think our current default is good and should not change.
> Hi Stefan,
> The use case is described in section 5.2 here -
> By default, once SMB Encryption is turned on for a share or server, only
> SMB 3 clients will be allowed to access the affected shares. The reason
> for this restriction is to ensure that the administrator’s intent of
> safeguarding the data is maintained for all accesses. However there might
> be situations (for example, a transition period where mixed client OS
> versions will be in use) where an admin may want to allow unencrypted
> access for clients not supporting SMB 3.
> Comments ?
> "Stefan (metze) Metzmacher" <metze at samba.org> wrote on 09/09/2014 12:28:28
>> From: "Stefan (metze) Metzmacher" <metze at samba.org>
>> To: Shekhar Amlekar/India/IBM at IBMIN, samba-technical <samba-technical at lists.samba.org>
>> Date: 09/09/2014 12:26 AM
>> Subject: Re: [PATCH]: SMB3 Encryption and "smb encrypt" option
>> Hi Shekhar,
>>> Currently, the smb encrypt option in Samba offers less flexibility in
>>> configuring smb3 encryption against Win8/Win2k12 clients. Win2k12
>>> two options, EncryptData and RestrictUnencryptedAccess to enable,
>>> and mandate encryption. However, the auto and disabled setting of smb
>>> encrypt behave the same against win8/win2k12 clients.
>>> Please find attached patches that change the behavior of smb encrypt
>>> option as follows -
>>> disabled --> EncryptData = no
>>> auto --> EncryptData = yes, RejectUnencryptedAccess = no
>>> mandatory --> EncryptData = yes, RejectEncryptedAccess = yes
>>> I've changed the default to disabled. Would you please review and let
>>> know any comments that you may have,
>> We should not change the default to disabled.
>> What would be the use case for "EncryptData = yes,
>> RejectUnencryptedAccess = no"?