default value of server signing
smfrench at gmail.com
Thu Jun 2 22:32:24 UTC 2016
On Thu, Jun 2, 2016 at 3:30 AM, Stefan Metzmacher <metze at samba.org> wrote:
> Hi Steve,
>> Any idea why we turn off support for cifs signing by default? I would
>> have thought that this was one of the more common values to override in
>> distros' default smb.conf (to turn "server signing = default" rather
>> than leave it disabled for cifs), but I see it left out of Fedora's
>> smb.conf. The excerpt from the smb.conf man page doesn't explain why
>> it is off for cifs (shouldn't it be set to auto in most distros?)
> For all Samba 4.* and recent Windows versions signing is always possible
> if the client requires it even if it's disabled in the config.
> The client needs to send FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED in the
> session setup request.
>> server signing (G)
>> This controls whether the client is allowed or required to use SMB1
>> and SMB2 signing. Possible values are auto, mandatory and disabled.
>> When set to auto, SMB1 signing is offered, but not enforced. When set
>> to mandatory, SMB1 signing is required and if set to disabled, SMB
>> signing is not offered either.
>> For the SMB2 protocol, by design, signing cannot be disabled. In the
>> case where SMB2 is negotiated, if this parameter is set to disabled,
>> it will be treated as auto. Setting it to mandatory will still require
>> SMB2 clients to use signing.
>> Default: server signing = Disabled
> So the effective behavior is the same for SMB1 and SMB2/3.
Not exactly -
It is the same for a Windows client because they ignore the negprot
response signing capabilities (but it is different for cifs.ko when
mounting with cifs vs. smb2/smb3)
Looks like I will have to change the cifs client to not bail out on
CIFS/SMB negprot when signing is required (on mount options) but
negprot response does not include signing enabled in secmode. If
server really doesn't support signing we will error later.
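
The client-side change discussed in this message, modelled as an added example (not cifs.ko or Samba code). The enum, struct and function names are hypothetical, and treating an unsigned session setup response as the point where the mount "errors later" is an assumption of the example.

```c
#include <stdbool.h>
#include <stdint.h>

/* SMB1 negotiate-response SecurityMode bits (MS-CIFS). */
#define SECMODE_USER_LEVEL    0x01
#define SECMODE_ENCRYPT_PW    0x02
#define SECMODE_SIGN_ENABLED  0x04
#define SECMODE_SIGN_REQUIRED 0x08

/* SMB1 header Flags2 bit the client sets in session setup, as named in the thread. */
#define FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED 0x0010

/* Two client policies for a mount whose options require signing. */
enum policy { BAIL_AT_NEGPROT, DEFER_TO_SESSION_SETUP };

/* Hypothetical model of a server: what it advertises and what it does. */
struct server {
    uint8_t secmode;          /* SecurityMode byte in the negprot response */
    bool signs_when_required; /* signs once the client sets the Flags2 bit */
};

/* Returns true if a signing-required mount succeeds. In both policies the
 * session is signed or the mount fails; there is no unsigned fallback. */
bool signed_mount_succeeds(enum policy p, const struct server *s)
{
    bool advertised =
        (s->secmode & (SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED)) != 0;

    /* Old behaviour: trust the negprot secmode and give up immediately. */
    if (p == BAIL_AT_NEGPROT && !advertised)
        return false;

    /* Proposed behaviour: send session setup with
     * FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED and judge the server by
     * whether its response is actually signed (assumed error point). */
    return s->signs_when_required;
}
```

With `server signing = disabled`, a Samba 4 server leaves the signing bits out of secmode but still signs when the client requires it, so only the deferred policy lets the signed mount through.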