default value of server signing

Steve French smfrench at gmail.com
Thu Jun 2 22:32:24 UTC 2016


On Thu, Jun 2, 2016 at 3:30 AM, Stefan Metzmacher <metze at samba.org> wrote:
> Hi Steve,
>
>> Any idea why we turn off support for cifs signing by default?  I would
>> have thought that this is one of the more common values to override in
>> distros default smb.conf (to turn "server signing = default" rather
>> than leave it disabled for cifs), but I see it left out of Fedora's
>> smb.conf.  The excerpt from the smb.conf man page doesn't explain why
>> it is off for cifs (shouldn't it be set to auto in most distros?)
>
> For all Samba 4.* and recent Windows versions signing is always possible
> if the client requires it even if it's disabled in the config.
> The client needs to send FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED in the
> session setup request.
>
>> server signing (G)
>>
>> This controls whether the client is allowed or required to use SMB1
>> and SMB2 signing. Possible values are auto, mandatory and disabled.
>>
>> When set to auto, SMB1 signing is offered, but not enforced. When set
>> to mandatory, SMB1 signing is required and if set to disabled, SMB
>> signing is not offered either.
>>
>> For the SMB2 protocol, by design, signing cannot be disabled. In the
>> case where SMB2 is negotiated, if this parameter is set to disabled,
>> it will be treated as auto. Setting it to mandatory will still require
>> SMB2 clients to use signing.
>>
>> Default: server signing = Disabled
>
> So the effective behavior is the same for SMB1 and SMB2/3.

Not exactly -

It is the same for a Windows client because they ignore the negprot
response signing capabilities (but it is different for cifs.ko when
mounting with cifs vs. smb2/smb3)

Looks like I will have to change the cifs client to not bail out on
CIFS/SMB negprot when signing is required (on mount options) but
negprot response does not include signing enabled in secmode.  If
server really doesn't support signing we will error later.

-- 
Thanks,

Steve
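
Added example (not part of the original message, and not code from cifs.ko or Samba): a small C model of the SMB1 case discussed in this thread, showing what each "server signing" value advertises in the negprot secmode and how a client that requires signing fares when it checks at negprot versus deferring the failure. The function and enum names are hypothetical; the two secmode bit values are the MS-CIFS SecurityMode signing bits.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* SMB1 negotiate-response SecurityMode signing bits (values from MS-CIFS). */
#define SECMODE_SIGN_ENABLED  0x04
#define SECMODE_SIGN_REQUIRED 0x08

/* Hypothetical names for the three smb.conf "server signing" values. */
enum server_signing { SIGNING_DISABLED, SIGNING_AUTO, SIGNING_MANDATORY };

/* Signing bits an SMB1 server advertises, following the man page excerpt:
 * disabled = not offered, auto = offered, mandatory = offered and required. */
uint8_t smb1_secmode_for(enum server_signing s)
{
    switch (s) {
    case SIGNING_AUTO:      return SECMODE_SIGN_ENABLED;
    case SIGNING_MANDATORY: return SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED;
    default:                return 0;
    }
}

/* Does the mount get past negprot?
 * defer_check=false: fail when the mount requires signing but secmode
 *                    does not show signing enabled.
 * defer_check=true:  continue; a later step fails if the server really
 *                    cannot sign. */
bool negprot_allows_mount(bool mount_requires_signing, uint8_t secmode,
                          bool defer_check)
{
    bool offered = (secmode & (SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED)) != 0;
    if (mount_requires_signing && !offered)
        return defer_check;
    return true;
}

/* Signing is needed on the session as soon as either side requires it. */
bool session_must_sign(bool mount_requires_signing, uint8_t secmode)
{
    return mount_requires_signing || (secmode & SECMODE_SIGN_REQUIRED) != 0;
}

int main(void)
{
    static const char *names[] = { "disabled", "auto", "mandatory" };
    for (int s = SIGNING_DISABLED; s <= SIGNING_MANDATORY; s++) {
        uint8_t sm = smb1_secmode_for((enum server_signing)s);
        printf("server signing = %-9s secmode=0x%02x strict=%d deferred=%d\n",
               names[s], sm, negprot_allows_mount(true, sm, false),
               negprot_allows_mount(true, sm, true));
    }
    return 0;
}
```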


