[PATCH] smb encrypt - new value desired

Michael Adam obnox at samba.org
Wed Jul 1 10:22:07 MDT 2015


On 2015-07-01 at 16:30 +0200, Michael Adam wrote:
> On 2015-06-30 at 21:45 +0200, Michael Adam wrote:
> > On 2015-06-30 at 18:07 +0200, Stefan (metze) Metzmacher wrote:
> > > Am 30.06.2015 um 17:58 schrieb Michael Adam:
> > > >  
> > > > -	if ((lp_smb_encrypt(-1) > SMB_SIGNING_OFF) &&
> > > > +	if ((lp_smb_encrypt(-1) >= SMB_SIGNING_DESIRED) &&
> > > >  	    (xconn->smb2.client.capabilities & SMB2_CAP_ENCRYPTION)) {
> > > >  		x->global->encryption_required = true;
> > > >  	}
> > > > diff --git a/source3/smbd/smb2_tcon.c b/source3/smbd/smb2_tcon.c
> > > > index eb66ea0..0e3f580 100644
> > > > --- a/source3/smbd/smb2_tcon.c
> > > > +++ b/source3/smbd/smb2_tcon.c
> > > > @@ -266,7 +266,7 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req,
> > > >  		return NT_STATUS_BAD_NETWORK_NAME;
> > > >  	}
> > > >  
> > > > -	if ((lp_smb_encrypt(snum) > SMB_SIGNING_OFF) &&
> > > > +	if ((lp_smb_encrypt(snum) >= SMB_SIGNING_DESIRED) &&
> > > >  	    (conn->smb2.client.capabilities & SMB2_CAP_ENCRYPTION)) {
> > > >  		encryption_required = true;
> > > >  	}
> > > 
> > > We should not set 'encryption_required', smbd_smb2_request_dispatch()
> > > would then reject non encrypted requests.
> > 
> > Practice shows that this works, though:
> > smbclient -mSMB2 against a samba configured with DESIRED
> > works without problems.
> > 
> > Setting encryption_required is also not added in this
> > patch, I just raise the bar. And it had worked before... :-)
> > 
> > Also note that we only set encryption_required = true if
> > - SMB_SIGNING_DESIRED is set and
> > - the client supports encryption
> > ==> This is precisely what we want to achieve. We want to enforce
> >     encryption for those clients who support it.
> > 
> > > We should add a new bool encryption_requested, which just announces
> > > the flags to the client.
> > 
> > Maybe we can add it as a code improvement for master?
> > I think this minimal patch would work well for 4.2 and 4.1.
> 
> Update:
> 
> The difference in behaviour is in treating a 'disobedient'
> client that does not send encrypted requests although we
> (the server) send ENCRYPT_DATA in tree connect or session
> setup response.
> 
> I just tested against windows.
> Windows is generous in that it permits unencrypted request
> packets, but sends encrypted responses.
> 
> With the proposed patch we would be less generous and
> deny unencrypted requests after having sent ENCRYPT_DATA.
> 
> With Metze's proposed change, we would accept unencrypted
> requests but without further changes send unencrypted
> responses to those.
> 
> I'll see what I can do regarding this last approach to
> match windows behaviour more exactly...

Attached find an updated patchset that implements the
exact windows behaviour described above.
It is not sooo big after all. Maybe we can take and
backport it.

Feedback/Review welcome!

Thanks - Michael
-------------- next part --------------
From 90bac2253a24fe18df32e55c082ea5ea2046ba32 Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox at samba.org>
Date: Tue, 30 Jun 2015 14:16:19 +0200
Subject: [PATCH 1/9] Introduce setting "desired" for 'smb encrypt' and
 'client/server signing'

This should trigger the behaviour where the server requires
signing when the client supports it, but does not reject
clients that don't support it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372

Signed-off-by: Michael Adam <obnox at samba.org>
---
 lib/param/loadparm.c              | 1 +
 lib/param/param_table.c           | 1 +
 libcli/smb/smbXcli_base.c         | 6 ++++++
 libcli/smb/smb_constants.h        | 1 +
 source4/smb_server/smb2/negprot.c | 1 +
 5 files changed, 10 insertions(+)

diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index bb215b2..0e11428 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -3207,6 +3207,7 @@ bool lpcfg_server_signing_allowed(struct loadparm_context *lp_ctx, bool *mandato
 	case SMB_SIGNING_REQUIRED:
 		*mandatory = true;
 		break;
+	case SMB_SIGNING_DESIRED:
 	case SMB_SIGNING_IF_REQUIRED:
 		break;
 	case SMB_SIGNING_DEFAULT:
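Review bot: folding SMB_SIGNING_DESIRED into the SMB_SIGNING_IF_REQUIRED case leaves lpcfg_server_signing_allowed() reporting *mandatory = false for it, so its callers cannot tell 'desired' from 'enabled' and, for 'server signing', the new value is a pure alias of the existing one. If the commit message's intent (require signing from clients that support it) is meant to cover signing and not only 'smb encrypt', this function needs a third output (for example a bool *desired) that the negotiate code acts on; if the intent is 'smb encrypt' only, the commit message should say so instead of naming 'client/server signing'.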
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 287839f..ff31038 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -115,6 +115,7 @@ static const struct enum_list enum_smb_signing_vals[] = {
 	{SMB_SIGNING_IF_REQUIRED, "On"},
 	{SMB_SIGNING_IF_REQUIRED, "enabled"},
 	{SMB_SIGNING_IF_REQUIRED, "auto"},
+	{SMB_SIGNING_DESIRED, "desired"},
 	{SMB_SIGNING_REQUIRED, "required"},
 	{SMB_SIGNING_REQUIRED, "mandatory"},
 	{SMB_SIGNING_REQUIRED, "force"},
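Review bot: enum_smb_signing_vals is shared by 'smb encrypt', 'client signing' and 'server signing', so 'desired' becomes a legal value for all three, but only the 'smb encrypt' documentation is touched in patch 9; the signing parameters' smb.conf entries should either document the value or state that it behaves like 'auto'. Also check that the alias if_required, which patch 9 lists as a synonym of enabled, really exists in this table: it is not among the SMB_SIGNING_IF_REQUIRED entries visible in this hunk.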
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index c8ae5b0..6c35430 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -376,6 +376,12 @@ struct smbXcli_conn *smbXcli_conn_create(TALLOC_CTX *mem_ctx,
 		conn->desire_signing = false;
 		conn->mandatory_signing = false;
 		break;
+	case SMB_SIGNING_DESIRED:
+		/* if the server desires it */
+		conn->allow_signing = true;
+		conn->desire_signing = true;
+		conn->mandatory_signing = false;
+		break;
 	case SMB_SIGNING_REQUIRED:
 		/* always */
 		conn->allow_signing = true;
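Review bot: the comment `/* if the server desires it */` describes the wrong side of the connection. Setting conn->desire_signing = true records the client's own preference to sign whenever the peer supports it; the server's 'desired' configuration is never visible to the client. Something like `/* sign whenever the server supports it */` avoids confusing this with the server-side parameter of the same name.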
diff --git a/libcli/smb/smb_constants.h b/libcli/smb/smb_constants.h
index 589b1a63..c4cca15 100644
--- a/libcli/smb/smb_constants.h
+++ b/libcli/smb/smb_constants.h
@@ -98,6 +98,7 @@ enum smb_signing_setting {
 	SMB_SIGNING_DEFAULT = -1,
 	SMB_SIGNING_OFF = 0,
 	SMB_SIGNING_IF_REQUIRED = 1,
+	SMB_SIGNING_DESIRED = 2,
 	SMB_SIGNING_REQUIRED = 3,
 };
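Review bot: SMB_SIGNING_DESIRED = 2 relies on the enum being ordered by strength, since the smbd hunks in this series compare settings with `>= SMB_SIGNING_DESIRED`; a one-line comment on the enum saying that the ordering is a contract would protect that. More importantly, any comparison elsewhere in the tree written as `> SMB_SIGNING_OFF` or `== SMB_SIGNING_REQUIRED` now silently classifies the new value on one side or the other (the pre-patch tests in smb2_sesssetup.c and smb2_tcon.c were of exactly that form), so the remaining lp_smb_encrypt() and signing callers outside the files in this series, SMB1 paths included, should be audited so that 'desired' lands where it is meant to.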
 
diff --git a/source4/smb_server/smb2/negprot.c b/source4/smb_server/smb2/negprot.c
index 81f2547..b48b170 100644
--- a/source4/smb_server/smb2/negprot.c
+++ b/source4/smb_server/smb2/negprot.c
@@ -150,6 +150,7 @@ static NTSTATUS smb2srv_negprot_backend(struct smb2srv_request *req, struct smb2
 	case SMB_SIGNING_OFF:
 		io->out.security_mode = 0;
 		break;
+	case SMB_SIGNING_DESIRED:
 	case SMB_SIGNING_IF_REQUIRED:
 		io->out.security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED;
 		break;
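Review bot: for SMB2 signing, 'desired' as implemented here is indistinguishable from 'enabled': the negotiate response can only say SIGNING_ENABLED or SIGNING_REQUIRED, and every SMB2 client implements signing, so the "require it from clients that support it" semantics of the commit message have no per-client gate on the signing side (the gate exists only for encryption via SMB2_CAP_ENCRYPTION). Either document that 'server signing = desired' equals 'auto' for SMB2, or drop the signing half of the commit message.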
-- 
2.4.3


From dbf904a33c6278aae4cf1cdf71bdc7348d06f51b Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox at samba.org>
Date: Wed, 1 Jul 2015 17:34:45 +0200
Subject: [PATCH 2/9] smbXsrv: add bools encryption_desired to session and tcon

This is to indicate that we should send the ENCRYPT_DATA
flag on session or tcon replies.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372

Signed-off-by: Michael Adam <obnox at samba.org>
---
 source3/librpc/idl/smbXsrv.idl | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/source3/librpc/idl/smbXsrv.idl b/source3/librpc/idl/smbXsrv.idl
index 4367d72..2e9dc3b 100644
--- a/source3/librpc/idl/smbXsrv.idl
+++ b/source3/librpc/idl/smbXsrv.idl
@@ -141,6 +141,7 @@ interface smbXsrv
 		auth_session_info			*auth_session_info;
 		uint16					connection_dialect;
 		boolean8				signing_required;
+		boolean8				encryption_desired;
 		boolean8				encryption_required;
 		[noprint] DATA_BLOB			signing_key;
 		[noprint] DATA_BLOB			encryption_key;
@@ -245,6 +246,7 @@ interface smbXsrv
 		server_id				server_id;
 		NTTIME					creation_time;
 		[charset(UTF8),string] char		share_name[];
+		boolean8				encryption_desired;
 		boolean8				encryption_required;
 		/*
 		 * for SMB1 this is the session that the tcon was opened on
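Review bot: both structs are marshalled into the smbXsrv session and tcon databases shared by all smbd processes on a host, and inserting encryption_desired ahead of encryption_required changes the NDR layout of both records. Please confirm that there is a version marker for these records or that a mixed set of smbd processes (possible while packages are upgraded on a running server, which matters if this is backported to 4.1/4.2 as the cover mail proposes) cannot read records written in the other layout. A short comment on the new field stating its meaning (announce ENCRYPT_DATA and encrypt our responses, but do not reject plain requests) next to encryption_required (reject plain requests) would also help future readers.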
-- 
2.4.3


From 3ff4c654c8aae0450ba8144fda09a45e838f2fb2 Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox at samba.org>
Date: Wed, 1 Jul 2015 18:07:26 +0200
Subject: [PATCH 3/9] smbd:smb2: only enable encryption in session if desired

Don't enforce it but only announce ENCRYPT_DATA, using the
encryption_desired flag in session setup.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372

Signed-off-by: Michael Adam <obnox at samba.org>
---
 source3/smbd/smb2_sesssetup.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index da7adb3..f19ded2 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -262,12 +262,13 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
 		x->global->signing_required = true;
 	}
 
-	if ((lp_smb_encrypt(-1) > SMB_SIGNING_OFF) &&
+	if ((lp_smb_encrypt(-1) >= SMB_SIGNING_DESIRED) &&
 	    (xconn->smb2.client.capabilities & SMB2_CAP_ENCRYPTION)) {
-		x->global->encryption_required = true;
+		x->global->encryption_desired = true;
 	}
 
 	if (lp_smb_encrypt(-1) == SMB_SIGNING_REQUIRED) {
+		x->global->encryption_desired = true;
 		x->global->encryption_required = true;
 	}
 
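Review bot: changing the test from `> SMB_SIGNING_OFF` to `>= SMB_SIGNING_DESIRED` is a behaviour change for existing configurations, not only an addition. Before this patch `smb encrypt = enabled` (SMB_SIGNING_IF_REQUIRED, documented until now as the way to "turn on data encryption globally") satisfied the old test and set encryption_required for capable clients; after it, those installations fall back to negotiation only and exchange data in the clear without any change on their side. For a 4.1/4.2 backport that needs at least a prominent release note, and arguably 'enabled' should keep its old meaning in the stable branches with 'desired' added alongside. Also note that under SMB_SIGNING_REQUIRED this hunk sets encryption_desired even for a client that did not advertise SMB2_CAP_ENCRYPTION; that is harmless only because such a client is rejected later, so a comment saying so would help.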
@@ -294,7 +295,7 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
 		}
 	}
 
-	if (x->global->encryption_required) {
+	if (x->global->encryption_desired) {
 		*out_session_flags |= SMB2_SESSION_FLAG_ENCRYPT_DATA;
 	}
 
-- 
2.4.3


From ec8bde72f2ad72e9dd3bbbce051f04dd38646eea Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox at samba.org>
Date: Wed, 1 Jul 2015 18:07:52 +0200
Subject: [PATCH 4/9] smbd:smb2: only enable encryption in tcon if desired

Don't enforce it but only announce DATA_ENCRYPT,
making use of encryption_desired in tcon.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372

Signed-off-by: Michael Adam <obnox at samba.org>
---
 source3/smbd/smb2_tcon.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/source3/smbd/smb2_tcon.c b/source3/smbd/smb2_tcon.c
index eb66ea0..21c1e61 100644
--- a/source3/smbd/smb2_tcon.c
+++ b/source3/smbd/smb2_tcon.c
@@ -193,6 +193,7 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req,
 	connection_struct *compat_conn = NULL;
 	struct user_struct *compat_vuser = req->session->compat;
 	NTSTATUS status;
+	bool encryption_desired = req->session->global->encryption_desired;
 	bool encryption_required = req->session->global->encryption_required;
 	bool guest_session = false;
 	bool require_signed_tcon = false;
@@ -266,12 +267,13 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req,
 		return NT_STATUS_BAD_NETWORK_NAME;
 	}
 
-	if ((lp_smb_encrypt(snum) > SMB_SIGNING_OFF) &&
+	if ((lp_smb_encrypt(snum) >= SMB_SIGNING_DESIRED) &&
 	    (conn->smb2.client.capabilities & SMB2_CAP_ENCRYPTION)) {
-		encryption_required = true;
+		encryption_desired = true;
 	}
 
 	if (lp_smb_encrypt(snum) == SMB_SIGNING_REQUIRED) {
+		encryption_desired = true;
 		encryption_required = true;
 	}
 
@@ -296,6 +298,7 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req,
 		return status;
 	}
 
+	tcon->global->encryption_desired = encryption_desired;
 	tcon->global->encryption_required = encryption_required;
 
 	compat_conn = make_connection_smb2(req,
@@ -366,7 +369,7 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req,
 		*out_share_flags |= SMB2_SHAREFLAG_ACCESS_BASED_DIRECTORY_ENUM;
 	}
 
-	if (encryption_required) {
+	if (encryption_desired) {
 		*out_share_flags |= SMB2_SHAREFLAG_ENCRYPT_DATA;
 	}
 
-- 
2.4.3


From f2e5c02279b2f0481befd3fe99d02bd7d71c7b45 Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox at samba.org>
Date: Wed, 1 Jul 2015 17:41:38 +0200
Subject: [PATCH 5/9] smbd:smb2: use encryption_desired in send_break

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372

Signed-off-by: Michael Adam <obnox at samba.org>
---
 source3/smbd/smb2_server.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index a8d54cb..0ffe89e 100644
--- a/source3/smbd/smb2_server.c
+++ b/source3/smbd/smb2_server.c
@@ -2843,8 +2843,8 @@ static NTSTATUS smbd_smb2_send_break(struct smbXsrv_connection *xconn,
 
 	if (session != NULL) {
 		session_wire_id = session->global->session_wire_id;
-		do_encryption = session->global->encryption_required;
-		if (tcon->global->encryption_required) {
+		do_encryption = session->global->encryption_desired;
+		if (tcon->global->encryption_desired) {
 			do_encryption = true;
 		}
 	}
-- 
2.4.3


From 4157b806d58e83e7bb75230587c62dd5e9a31ef3 Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox at samba.org>
Date: Wed, 1 Jul 2015 17:42:58 +0200
Subject: [PATCH 6/9] smbd:smb2: do encrypt responses if encryption_desired is
 set in the session

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372

Signed-off-by: Michael Adam <obnox at samba.org>
---
 source3/smbd/smb2_server.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index 0ffe89e..0801bc4 100644
--- a/source3/smbd/smb2_server.c
+++ b/source3/smbd/smb2_server.c
@@ -2000,6 +2000,7 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 	NTSTATUS return_value;
 	struct smbXsrv_session *x = NULL;
 	bool signing_required = false;
+	bool encryption_desired = false;
 	bool encryption_required = false;
 
 	inhdr = SMBD_SMB2_IN_HDR_PTR(req);
@@ -2047,6 +2048,7 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 	x = req->session;
 	if (x != NULL) {
 		signing_required = x->global->signing_required;
+		encryption_desired = x->global->encryption_desired;
 		encryption_required = x->global->encryption_required;
 	}
 
@@ -2075,6 +2077,9 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 
 		req->do_encryption = true;
 	}
+	if (encryption_desired) {
+		req->do_encryption = true;
+	}
 
 	if (encryption_required && !req->do_encryption) {
 		return smbd_smb2_request_error(req,
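Review bot: the NT_STATUS_ACCESS_DENIED test directly below the inserted block can no longer fire at the session level. Patch 3 sets encryption_desired whenever it sets encryption_required, so whenever encryption_required is true the new block has already forced req->do_encryption = true and `encryption_required && !req->do_encryption` is always false: a plain request on a session with `smb encrypt = required` is now accepted and merely answered with an encrypted response, which is precisely the lenient behaviour the cover mail wanted to reserve for 'desired'. The rejection must be keyed on whether the inbound request actually arrived encrypted (the fact the block ending just above, whose `req->do_encryption = true;` is visible in the context, appears to derive do_encryption from), not on the outbound decision; record that in a separate bool before this block and test `encryption_required && !request_was_encrypted`, or equivalent.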
-- 
2.4.3


From 2f91a023a906a31a7b0adbb6b8f6092ee4f8afde Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox at samba.org>
Date: Wed, 1 Jul 2015 17:47:06 +0200
Subject: [PATCH 7/9] smbd:smb2: move need_session/tcon checks up

This is a preparation for handling encryption_desired
because we need to finally set req->do_encryption
before setting it.

Furthermore, there seems no good reason not to move
them up a bit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372

Signed-off-by: Michael Adam <obnox at samba.org>
---
 source3/smbd/smb2_server.c | 56 +++++++++++++++++++++++-----------------------
 1 file changed, 28 insertions(+), 28 deletions(-)

diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index 0801bc4..6ae9f3a 100644
--- a/source3/smbd/smb2_server.c
+++ b/source3/smbd/smb2_server.c
@@ -2121,6 +2121,34 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 		req->compat_chain_fsp = NULL;
 	}
 
+	if (call->need_session) {
+		if (!NT_STATUS_IS_OK(session_status)) {
+			return smbd_smb2_request_error(req, session_status);
+		}
+	}
+
+	if (call->need_tcon) {
+		SMB_ASSERT(call->need_session);
+
+		/*
+		 * This call needs to be run as user.
+		 *
+		 * smbd_smb2_request_check_tcon()
+		 * calls change_to_user() on success.
+		 */
+		status = smbd_smb2_request_check_tcon(req);
+		if (!NT_STATUS_IS_OK(status)) {
+			return smbd_smb2_request_error(req, status);
+		}
+		if (req->tcon->global->encryption_required) {
+			encryption_required = true;
+		}
+		if (encryption_required && !req->do_encryption) {
+			return smbd_smb2_request_error(req,
+				NT_STATUS_ACCESS_DENIED);
+		}
+	}
+
 	if (req->do_encryption) {
 		signing_required = false;
 	} else if (signing_required || (flags & SMB2_HDR_FLAG_SIGNED)) {
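Review bot: the moved block now runs smbd_smb2_request_check_tcon(), and with it change_to_user(), before the signing check that starts right below it (`if (req->do_encryption) { signing_required = false; } else if (signing_required || (flags & SMB2_HDR_FLAG_SIGNED))`), so the server switches to the tcon's user credentials and evaluates the tcon's encryption policy for a request whose signature has not been verified yet; the previous order verified first. Please state explicitly why acting on an unverified request's tcon is safe here (the error path being generated under the wrong credentials is the obvious concern), or keep the signature check first and move only the part a later patch needs. The commit message ("we need to finally set req->do_encryption before setting it") does not name the ordering constraint; spell out that the tcon's encryption_desired has to be applied to req->do_encryption before the signing decision consults it.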
@@ -2188,34 +2216,6 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 		req->compound_related = true;
 	}
 
-	if (call->need_session) {
-		if (!NT_STATUS_IS_OK(session_status)) {
-			return smbd_smb2_request_error(req, session_status);
-		}
-	}
-
-	if (call->need_tcon) {
-		SMB_ASSERT(call->need_session);
-
-		/*
-		 * This call needs to be run as user.
-		 *
-		 * smbd_smb2_request_check_tcon()
-		 * calls change_to_user() on success.
-		 */
-		status = smbd_smb2_request_check_tcon(req);
-		if (!NT_STATUS_IS_OK(status)) {
-			return smbd_smb2_request_error(req, status);
-		}
-		if (req->tcon->global->encryption_required) {
-			encryption_required = true;
-		}
-		if (encryption_required && !req->do_encryption) {
-			return smbd_smb2_request_error(req,
-				NT_STATUS_ACCESS_DENIED);
-		}
-	}
-
 	if (call->fileid_ofs != 0) {
 		size_t needed = call->fileid_ofs + 16;
 		const uint8_t *body = SMBD_SMB2_IN_BODY_PTR(req);
-- 
2.4.3


From 218b52c30710fe207d8c9f953698d5f5608c7526 Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox at samba.org>
Date: Wed, 1 Jul 2015 17:51:18 +0200
Subject: [PATCH 8/9] smbd:smb2: do encrypt responses if encryption_desired is
 set in the tcon

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372

Signed-off-by: Michael Adam <obnox at samba.org>
---
 source3/smbd/smb2_server.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index 6ae9f3a..38b9d0c 100644
--- a/source3/smbd/smb2_server.c
+++ b/source3/smbd/smb2_server.c
@@ -2140,6 +2140,9 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 		if (!NT_STATUS_IS_OK(status)) {
 			return smbd_smb2_request_error(req, status);
 		}
+		if (req->tcon->global->encryption_desired) {
+			req->do_encryption = true;
+		}
 		if (req->tcon->global->encryption_required) {
 			encryption_required = true;
 		}
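Review bot: same defect as in the session-level dispatch hunk: patch 4 sets encryption_desired together with encryption_required, so `if (req->tcon->global->encryption_desired) req->do_encryption = true;` runs just before `if (encryption_required && !req->do_encryption)` and makes that denial unreachable for `smb encrypt = required` on a share. A plain request to a required share now receives an encrypted response instead of NT_STATUS_ACCESS_DENIED, so the per-share enforcement that patch 9 documents ("clients that do not support encryption will be denied access to the share") is lost. Test the inbound request's encryption state here rather than req->do_encryption.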
-- 
2.4.3


From 96ca9a1f9b6478633cb5d9c9ecd9811d63fa9a90 Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox at samba.org>
Date: Tue, 30 Jun 2015 17:46:36 +0200
Subject: [PATCH 9/9] docs:smb.conf: explain effect of new setting 'desired' of
 smb encrypt

Thereby clarify some details.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372

Signed-off-by: Michael Adam <obnox at samba.org>
---
 docs-xml/smbdotconf/security/smbencrypt.xml | 66 ++++++++++++++++++++---------
 1 file changed, 47 insertions(+), 19 deletions(-)

diff --git a/docs-xml/smbdotconf/security/smbencrypt.xml b/docs-xml/smbdotconf/security/smbencrypt.xml
index 17248e6..ae0682b 100644
--- a/docs-xml/smbdotconf/security/smbencrypt.xml
+++ b/docs-xml/smbdotconf/security/smbencrypt.xml
@@ -30,11 +30,15 @@
 	<para>
 		This parameter can be set globally and on a per-share bases.
 		Possible values are
-		<emphasis>off</emphasis> or <emphasis>disabled</emphasis>,
-		<emphasis>auto</emphasis> or <emphasis>enabled</emphasis>, and
-		<emphasis>mandatory</emphasis> or <emphasis>required</emphasis>.
+		<emphasis>off</emphasis> (or <emphasis>disabled</emphasis>),
+		<emphasis>enabled</emphasis> (or <emphasis>auto</emphasis>, or
+		<emphasis>if_required</emphasis>),
+		<emphasis>desired</emphasis>,
+		and
+		<emphasis>required</emphasis>
+		(or <emphasis>mandatory</emphasis>).
 		A special value is <emphasis>default</emphasis> which is
-		the implicit default setting.
+		the implicit default setting of <emphasis>enabled</emphasis>.
 	</para>
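Review bot: the list now advertises if_required as an alias of enabled, but the param_table.c hunk in patch 1 only shows On, enabled and auto mapping to SMB_SIGNING_IF_REQUIRED; verify the parser accepts the alias before documenting it. While here, the unchanged context line reads "per-share bases" and should be "per-share basis".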
 
 	<variablelist>
@@ -103,7 +107,7 @@
 			<listitem>
 			<para>
 			The capability to perform SMB encryption can be
-			negotiated during prorocol negotiation.
+			negotiated during protocol negotiation.
 			</para>
 			</listitem>
 
@@ -145,8 +149,9 @@
 		<itemizedlist>
 			<listitem>
 			<para>
-			Leaving it as default or explicitly setting
-			<emphasis>default</emphasis> globally will enable
+			Leaving it as default, explicitly setting
+			<emphasis>default</emphasis>, or setting it to
+			<emphasis>enabled</emphasis> globally will enable
 			negotiation of encryption but will not turn on
 			data encryption globally or per share.
 			</para>
@@ -154,16 +159,20 @@
 
 			<listitem>
 			<para>
-			Setting it to <emphasis>enabled</emphasis> globally will
-			enable negotiation and turn on data encryption globally.
+			Setting it to <emphasis>desired</emphasis> globally
+			will enable negotiation and will turn on data encryption
+			on sessions and share connections for those clients
+			that support it.
 			</para>
 			</listitem>
 
 			<listitem>
 			<para>
 			Setting it to <emphasis>required</emphasis> globally
-			will enable negotiation and enforce data encryption
-			globally.
+			will enable negotiation and turn on data encryption
+			on sessions and share connections. Clients that do
+			not support encryption will be denied access to the
+			server.
 			</para>
 			</listitem>
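Review bot: the rewrite drops the sentence that said enabled "will turn on data encryption globally" without telling administrators that the meaning changed, although this series changes the code so that enabled no longer encrypts. A short explicit statement here or in the release notes (in earlier releases enabled turned on encryption for capable clients; use desired to keep that behaviour) is needed, otherwise installations that relied on the old text silently lose data encryption after an upgrade.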
 
@@ -176,9 +185,10 @@
 
 			<listitem>
 			<para>
-			Setting it to <emphasis>enabled</emphasis> on a share
-			will turn on data encryption for this share if
-			negotiation has been enabled globally.
+			Setting it to <emphasis>desired</emphasis> on a share
+			will turn on data encryption for this share for clients
+			that support encryption if negotiation has been
+			enabled globally.
 			</para>
 			</listitem>
 
@@ -186,16 +196,34 @@
 			<para>
 			Setting it to <emphasis>required</emphasis> on a share
 			will enforce data encryption for this share if
-			negotiation has been enabled globally. Note that this
-			allows enforcing to be controlled in Samba more
-			fine-grainedly than in Windows.  This is a small
-			deviation from the MS-SMB2 protocol document.
+			negotiation has been enabled globally. I.e. clients that
+			do not support encryption will be denied access to the
+			share.
+			</para>
+			<para>
+			Note that this allows per-share enforcing to be
+			controlled in Samba differently from Windows:
+			In Windows, <emphasis>RejectUnencryptedAccess</emphasis>
+			is a global setting, and if it is set, all shares with
+			data encryption turned on
+			are automatically enforcing encryption. In order to
+			achieve the same effect in Samba, one
+			has to globally set <emphasis>smb encrypt</emphasis> to
+			<emphasis>enabled</emphasis>, and then set all shares
+			that should be encrypted to
+			<emphasis>required</emphasis>.
+			Additionally, it is possible in Samba to have some
+			shares with encryption <emphasis>required</emphasis>
+			and some other shares with encryption only
+			<emphasis>desired</emphasis>, which is not possible in
+			Windows.
 			</para>
 			</listitem>
 
 			<listitem>
 			<para>
-			Setting it to <emphasis>off</emphasis> for a share has
+			Setting it to <emphasis>off</emphasis> or
+			<emphasis>enabled</emphasis> for a share has
 			no effect.
 			</para>
 			</listitem>
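Review bot: the last item should also say that a share cannot lower what was decided globally: patch 4 initialises the tcon's encryption_desired and encryption_required from the session, and the share setting can only raise them, so with a global desired or required every share announces ENCRYPT_DATA regardless of its own value. Stating that precedence explicitly prevents readers from expecting `smb encrypt = off` on a share to exempt it.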
-- 
2.4.3
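
The decision logic the series arrives at, as a stand-alone model added here for illustration; it is not Samba code and uses none of Samba's headers. It mirrors the two tests in smb2_sesssetup.c and smb2_tcon.c (a setting of desired or stronger plus SMB2_CAP_ENCRYPTION turns on "desired", required additionally turns on "required"), the tcon inheriting the session's state, and a dispatch step that encrypts responses whenever encryption is desired but rejects a request only when encryption is required and the request itself arrived unencrypted. The enum values are copied from the smb_constants.h hunk; the SMB2_CAP_ENCRYPTION bit value, the struct and function names, and the sample cases are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Same values as the patched enum in libcli/smb/smb_constants.h. */
enum smb_signing_setting {
	SMB_SIGNING_DEFAULT = -1,
	SMB_SIGNING_OFF = 0,
	SMB_SIGNING_IF_REQUIRED = 1,
	SMB_SIGNING_DESIRED = 2,
	SMB_SIGNING_REQUIRED = 3,
};

/* Assumed bit value for the client's SMB2_CAP_ENCRYPTION capability. */
#define SMB2_CAP_ENCRYPTION 0x00000040u

/* The two flags the series stores per session and per tcon. */
struct enc_state {
	bool desired;  /* announce ENCRYPT_DATA and encrypt our responses */
	bool required; /* additionally reject requests that arrive in the clear */
};

/* Session setup: only the global 'smb encrypt' value is consulted. */
struct enc_state session_encryption(enum smb_signing_setting global, uint32_t caps)
{
	struct enc_state s = { false, false };

	if (global >= SMB_SIGNING_DESIRED && (caps & SMB2_CAP_ENCRYPTION)) {
		s.desired = true;
	}
	if (global == SMB_SIGNING_REQUIRED) {
		s.desired = true;
		s.required = true;
	}
	return s;
}

/*
 * Tree connect: starts from the session's state; the share value can only
 * raise it. A share left at 'default' (-1) inherits the session state.
 */
struct enc_state tcon_encryption(struct enc_state session,
				 enum smb_signing_setting share, uint32_t caps)
{
	struct enc_state t = session;

	if (share >= SMB_SIGNING_DESIRED && (caps & SMB2_CAP_ENCRYPTION)) {
		t.desired = true;
	}
	if (share == SMB_SIGNING_REQUIRED) {
		t.desired = true;
		t.required = true;
	}
	return t;
}

enum dispatch_result {
	DISPATCH_PLAIN,            /* serve it, plain response */
	DISPATCH_ENCRYPT_RESPONSE, /* serve it, encrypted response */
	DISPATCH_ACCESS_DENIED,    /* NT_STATUS_ACCESS_DENIED */
};

/*
 * Dispatch of a request that needs a tcon. request_encrypted is whether the
 * request arrived inside a transform header. The denial is keyed on that
 * inbound fact, not on do_encryption, because 'desired' forces do_encryption
 * to true however the request arrived.
 */
enum dispatch_result dispatch_request(struct enc_state session,
				      struct enc_state tcon, bool request_encrypted)
{
	bool do_encryption = request_encrypted;
	bool required = session.required || tcon.required;

	if (session.desired || tcon.desired) {
		do_encryption = true;
	}
	if (required && !request_encrypted) {
		return DISPATCH_ACCESS_DENIED;
	}
	return do_encryption ? DISPATCH_ENCRYPT_RESPONSE : DISPATCH_PLAIN;
}

/* Whole path for one configuration/client combination. */
enum dispatch_result simulate(enum smb_signing_setting global,
			      enum smb_signing_setting share,
			      bool client_can_encrypt, bool request_encrypted)
{
	uint32_t caps = client_can_encrypt ? SMB2_CAP_ENCRYPTION : 0;
	struct enc_state s = session_encryption(global, caps);
	struct enc_state t = tcon_encryption(s, share, caps);

	return dispatch_request(s, t, request_encrypted);
}

int main(void)
{
	/* Constructed cases: global setting, share setting, client cap, request encrypted. */
	static const char *names[] = { "plain", "encrypted response", "ACCESS_DENIED" };

	printf("desired globally, capable client, plain request -> %s\n",
	       names[simulate(SMB_SIGNING_DESIRED, SMB_SIGNING_DEFAULT, true, false)]);
	printf("required share, plain request                   -> %s\n",
	       names[simulate(SMB_SIGNING_IF_REQUIRED, SMB_SIGNING_REQUIRED, true, false)]);
	printf("required share, encrypted request               -> %s\n",
	       names[simulate(SMB_SIGNING_IF_REQUIRED, SMB_SIGNING_REQUIRED, true, true)]);
	return 0;
}
```

The second case is the one the dispatcher hunks have to reproduce: a share with `smb encrypt = required` still answers NT_STATUS_ACCESS_DENIED to a plain request even though "required" also implies "desired" and hence an encrypted response; keying the denial on the inbound state instead of do_encryption is what preserves that distinction, while the first case shows the lenient Windows-like behaviour for "desired".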
