[PATCH]: SMB3 Encryption and "smb encrypt" option

Stefan (metze) Metzmacher metze at samba.org
Fri Sep 12 04:12:20 MDT 2014


Hi Shekhar,

> I just changed the documentation a bit - please see the attached patches.

I think it's time to add a new SMB_SIGNING_DESIRED value.

And also set SMB2_SHAREFLAG_ENCRYPT_DATA with "smb encrypt = desired"
in order to indicate that clients should use encryption, but would not
enforce it.

But I think our current default is good and should not change.

metze

> Hi Stefan,
> 
> The use case is described in section 5.2 here -
> http://blogs.technet.com/b/filecab/archive/2012/05/03/smb-3-security-enhancements-in-windows-server-2012.aspx
> 
> ===
> By default, once SMB Encryption is turned on for a share or server, only 
> SMB 3 clients will be allowed to access the affected shares. The reason 
> for this restriction is to ensure that the administrator’s intent of 
> safeguarding the data is maintained for all accesses. However there might 
> be situations (for example, a transition period where mixed client OS 
> versions will be in use) where an admin may want to allow unencrypted 
> access for clients not supporting SMB 3 
> ===
> 
> Comments ?
> 
> thanks,
> shekhar.
> 
> "Stefan (metze) Metzmacher" <metze at samba.org> wrote on 09/09/2014 12:28:28 AM:
> 
>> From: "Stefan (metze) Metzmacher" <metze at samba.org>
>> To: Shekhar Amlekar/India/IBM at IBMIN, samba-technical <samba-technical at lists.samba.org>
>> Date: 09/09/2014 12:26 AM
>> Subject: Re: [PATCH]: SMB3 Encryption and "smb encrypt" option
>>
>> Hi  Shekhar,
>>
>>> Currently, the smb encrypt option in Samba offers less flexibility in
>>> configuring smb3 encryption against Win8/Win2k12 clients. Win2k12 offers
>>> two options, EncryptData and RestrictUnencryptedAccess, to enable, disable
>>> and mandate encryption. However, the auto and disabled settings of smb
>>> encrypt behave the same against win8/win2k12 clients.
>>>
>>> Please find attached patches that change the behavior of smb encrypt 
>>> option as follows -
>>>
>>> disabled  --> EncryptData = no
>>> auto      --> EncryptData = yes, RejectUnencryptedAccess = no
>>> mandatory --> EncryptData = yes, RejectUnencryptedAccess = yes
>>>
>>> I've changed the default to disabled. Would you please review and let me
>>> know any comments that you may have,
>>
>> We should not change the default to disabled.
>>
>> What would be the use case for "EncryptData =yes,
>> RejectUnencryptedAccess = no"?
>>
>> metze

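Added example, not code from the thread or from Samba: a small model of the encryption policy being negotiated above. It maps the proposed "smb encrypt" values onto the two Windows knobs Shekhar names (EncryptData / RejectUnencryptedAccess), onto the SMB2_SHAREFLAG_ENCRYPT_DATA share flag metze wants set for "desired", and onto the outcome of a tree connect for clients of different generations, including the mixed-client transition period from the quoted TechNet text. The semantics of each value, the client profiles and the policy/client names are assumptions drawn from the messages, not Samba's implementation; "auto" is modelled as the current behaviour Shekhar describes (no different from "disabled" toward Windows clients, encrypting only when the client asks on its own), and "desired" as metze's proposal, which is the row Shekhar's table labels "auto".

```python
"""Model of the SMB3 encryption policy discussed in the thread (added example,
not Samba code). Semantics of each "smb encrypt" value are an assumption."""
from dataclasses import dataclass

# Wire constants as published in MS-SMB2.
SMB2_GLOBAL_CAP_ENCRYPTION = 0x00000040   # NEGOTIATE capability bit (SMB 3.0+)
SMB2_SHAREFLAG_ENCRYPT_DATA = 0x00008000  # TREE_CONNECT response share flag

# Dialect revision numbers as carried in SMB2 NEGOTIATE.
SMB2_DIALECT_202 = 0x0202
SMB2_DIALECT_210 = 0x0210
SMB3_DIALECT_300 = 0x0300


@dataclass(frozen=True)
class Policy:
    """Server-side intent, in the terms the thread uses."""
    encrypt_data: bool        # Windows EncryptData: tell SMB3 clients to encrypt
    reject_unencrypted: bool  # Windows RejectUnencryptedAccess: refuse the rest
    allow_if_requested: bool  # accept encryption when the client asks on its own


# Assumed mapping (see lead-in). "disabled" and "mandatory" follow Shekhar's
# table; "desired" is metze's suggestion: advertise, but do not enforce.
POLICIES = {
    "disabled":  Policy(encrypt_data=False, reject_unencrypted=False, allow_if_requested=False),
    "auto":      Policy(encrypt_data=False, reject_unencrypted=False, allow_if_requested=True),
    "desired":   Policy(encrypt_data=True,  reject_unencrypted=False, allow_if_requested=True),
    "mandatory": Policy(encrypt_data=True,  reject_unencrypted=True,  allow_if_requested=True),
}


@dataclass(frozen=True)
class Client:
    name: str
    dialect: int                        # negotiated dialect, 0 for an SMB1-only client
    capabilities: int = 0               # NEGOTIATE capability bits the client offered
    requests_encryption: bool = False   # asks for encryption without being told to


def share_flags(setting: str) -> int:
    """Share flags the server would put in the TREE_CONNECT response."""
    return SMB2_SHAREFLAG_ENCRYPT_DATA if POLICIES[setting].encrypt_data else 0


def client_can_encrypt(client: Client) -> bool:
    """SMB3 encryption needs a 3.x dialect plus the encryption capability."""
    return (client.dialect >= SMB3_DIALECT_300
            and bool(client.capabilities & SMB2_GLOBAL_CAP_ENCRYPTION))


def tree_connect(setting: str, client: Client) -> str:
    """Outcome of a tree connect: 'encrypted', 'unencrypted' or 'rejected'."""
    policy = POLICIES[setting]
    if client_can_encrypt(client):
        if policy.encrypt_data:
            return "encrypted"      # share flag tells the client to encrypt
        if policy.allow_if_requested and client.requests_encryption:
            return "encrypted"      # client volunteered, server accepts
        return "unencrypted"
    # Client cannot encrypt: SMB1, SMB 2.0/2.1, or no encryption capability.
    if policy.reject_unencrypted:
        return "rejected"           # admin intent enforced; Windows fails the
                                    # tree connect with STATUS_ACCESS_DENIED
    return "unencrypted"            # the transition-period case from the TechNet text


# Constructed client profiles for illustration, not captured from real hosts.
CLIENTS = [
    Client("legacy SMB1", dialect=0),
    Client("SMB 2.1 (Win7-class)", dialect=SMB2_DIALECT_210),
    Client("SMB 3.0 (Win8/2012-class)", dialect=SMB3_DIALECT_300,
           capabilities=SMB2_GLOBAL_CAP_ENCRYPTION),
    Client("SMB 3.0 asking for encryption", dialect=SMB3_DIALECT_300,
           capabilities=SMB2_GLOBAL_CAP_ENCRYPTION, requests_encryption=True),
]


def outcome_matrix() -> dict:
    """setting -> {client name: outcome}, for every policy and client above."""
    return {s: {c.name: tree_connect(s, c) for c in CLIENTS} for s in POLICIES}


if __name__ == "__main__":
    for setting, row in outcome_matrix().items():
        print(f"smb encrypt = {setting:<9} share flags 0x{share_flags(setting):08x}")
        for name, result in row.items():
            print(f"    {name:<32} {result}")
```

Running it prints one row per setting; the "auto" and "disabled" rows come out identical for the Win8-class profile, which is the complaint Shekhar opens with, while "desired" encrypts that client and still admits the SMB 2.1 and SMB1 profiles, and "mandatory" turns those two into rejections.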