[Samba] cifs traffic over less trusted networks

Jeremy Allison jra at samba.org
Fri Feb 13 09:35:30 MST 2015

On Fri, Feb 13, 2015 at 01:49:01PM +0100, mourik jan heupink - merit wrote:
> Hi all,
> We might need to open port 445 for some (specific) external IPs, so
> they can make a direct connection to our samba4 AD fileservers.
> I am wondering how secure that would be, as we would normally use a
> VPN connection for something like this.
> So: What smb.conf options would I need to set, to make cifs traffic
> over a less-trusted network as safe as possible? (or is cifs traffic
> by nature already encrypted/secure/safe?)

Going from Windows the answer is no/no/no.

If you are using Windows clients use a VPN.

smbclient can use -e encrypted mode, and Windows
8 or above I believe can use SMB3 + encrypted
transport, but even so it's not a good idea
to open a port to the outside world.
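
As an added example (not part of the original post, and not taken from the Samba project), this smb.conf fragment makes the server refuse anything but the SMB3 encrypted transport mentioned above and limits which sources may connect. The share name, path and address range are constructed placeholders, and it hardens the server without changing the VPN advice.

```ini
# Added example: values marked "placeholder" are constructed for illustration.
[global]
    # Refuse SMB1 and SMB2 dialects, which have no SMB3 transport encryption.
    # SMB3_00 is the dialect Windows 8 speaks; older clients are rejected.
    server min protocol = SMB3_00

    # Reject any session or share access that does not negotiate encryption.
    # The default leaves encryption up to the client.
    smb encrypt = required

    # Require signed packets as well.
    server signing = mandatory

    # Defence in depth behind the firewall rule: only these sources may
    # connect. 203.0.113.0/24 is a documentation range (placeholder).
    hosts allow = 127.0.0.1 203.0.113.0/24

[projects]
    # Placeholder share, shown so the global settings have something to apply to.
    path = /srv/samba/projects
    read only = no
```

Running `testparm -s` prints the effective values so you can confirm the settings were parsed as intended. A Samba client has to connect with `smbclient -e` to satisfy the encryption requirement.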
