default value of server signing

Stefan Metzmacher metze at samba.org
Thu Jun 2 08:30:15 UTC 2016


Hi Steve,

> Any idea why we turn off support for cifs signing by default?  I would
> have thought that this one of the more common values to override in
> distros default smb.conf (to turn "server signing = default" rather
> than leave it disabled for cifs), but I see it left out of Fedora's
> smb.conf.  The excerpt from the smb.conf man page doesn't explain why
> it is off for cifs (shouldn't it be set to auto in most distros?)

For all Samba 4.* and recent Windows versions signing is always possible
if the client requires it even if it's disabled in the config.
The client needs to send FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED in the
session setup request.

> server signing (G)
> 
> This controls whether the client is allowed or required to use SMB1
> and SMB2 signing. Possible values are auto, mandatory and disabled.
> 
> When set to auto, SMB1 signing is offered, but not enforced. When set
> to mandatory, SMB1 signing is required and if set to disabled, SMB
> signing is not offered either.
> 
> For the SMB2 protocol, by design, signing cannot be disabled. In the
> case where SMB2 is negotiated, if this parameter is set to disabled,
> it will be treated as auto. Setting it to mandatory will still require
> SMB2 clients to use signing.
> 
> Default: server signing = Disabled

So the effective behavior is the same for SMB1 and SMB2/3.

metze
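
An added example, not part of the original message and not Samba's own code: a small C check that reads Flags2 from an SMB1 session setup request and reports whether the client set FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED, which is useful when auditing captures for clients that do not demand signing. The header offsets, the command code 0x73 and the bit values are taken from the SMB1 header definition (MS-CIFS / MS-SMB), not from this post; `classify_sample` and its inputs are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* SMB1 header layout and Flags2 bits (MS-CIFS / MS-SMB), assumed here. */
#define SMB1_HDR_LEN                            32
#define SMB1_OFF_COMMAND                        4
#define SMB1_OFF_FLAGS2                         10
#define SMB1_COM_SESSION_SETUP_ANDX             0x73
#define FLAGS2_SMB_SECURITY_SIGNATURES          0x0004
#define FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED 0x0010

enum signing_request {
    SIGN_NOT_SESSSETUP = -2, SIGN_MALFORMED = -1,
    SIGN_NONE = 0, SIGN_SUPPORTED = 1, SIGN_REQUIRED = 2
};

/* Classify one SMB1 message (without the 4-byte NetBIOS length prefix). */
enum signing_request smb1_signing_request(const uint8_t *buf, size_t len)
{
    static const uint8_t magic[4] = { 0xFF, 'S', 'M', 'B' };
    uint16_t flags2;

    if (buf == NULL || len < SMB1_HDR_LEN || memcmp(buf, magic, 4) != 0)
        return SIGN_MALFORMED;
    if (buf[SMB1_OFF_COMMAND] != SMB1_COM_SESSION_SETUP_ANDX)
        return SIGN_NOT_SESSSETUP;
    /* Flags2 is a 16-bit little-endian field. */
    flags2 = (uint16_t)(buf[SMB1_OFF_FLAGS2] | (buf[SMB1_OFF_FLAGS2 + 1] << 8));
    if (flags2 & FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED)
        return SIGN_REQUIRED;   /* server signs even with "server signing = disabled" */
    if (flags2 & FLAGS2_SMB_SECURITY_SIGNATURES)
        return SIGN_SUPPORTED;  /* client can sign but does not insist */
    return SIGN_NONE;
}

/* Build a constructed 32-byte header (other fields zero) and classify it. */
enum signing_request classify_sample(uint8_t command, uint16_t flags2)
{
    uint8_t hdr[SMB1_HDR_LEN] = { 0xFF, 'S', 'M', 'B' };
    hdr[SMB1_OFF_COMMAND] = command;
    hdr[SMB1_OFF_FLAGS2] = (uint8_t)(flags2 & 0xFF);
    hdr[SMB1_OFF_FLAGS2 + 1] = (uint8_t)(flags2 >> 8);
    return smb1_signing_request(hdr, sizeof hdr);
}

int main(void)
{
    printf("flags2=0xC815 -> %d\n", classify_sample(0x73, 0xC815));
    printf("flags2=0xC805 -> %d\n", classify_sample(0x73, 0xC805));
    return 0;
}
```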
