[PATCH]: SMB3 Encryption and "smb encrypt" option
Stefan (metze) Metzmacher
metze at samba.org
Fri Sep 12 04:12:20 MDT 2014
Hi Shekhar,
> I just changed the documentation a bit - please see the attached patches.
I think it's time to add a new SMB_SIGNING_DESIRED value.
And also set SMB2_SHAREFLAG_ENCRYPT_DATA with "smb encrypt = desired"
in order to indicate that clients should use encryption, but would not
enforce it.
But I think our current default is good and should not change.
metze
> Hi Stefan,
>
> The use case is described in section 5.2 here -
> http://blogs.technet.com/b/filecab/archive/2012/05/03/smb-3-security-enhancements-in-windows-server-2012.aspx
>
> ===
> By default, once SMB Encryption is turned on for a share or server, only
> SMB 3 clients will be allowed to access the affected shares. The reason
> for this restriction is to ensure that the administrator’s intent of
> safeguarding the data is maintained for all accesses. However there might
> be situations (for example, a transition period where mixed client OS
> versions will be in use) where an admin may want to allow unencrypted
> access for clients not supporting SMB 3
> ===
>
> Comments ?
>
> thanks,
> shekhar.
>
>
>
>
> "Stefan (metze) Metzmacher" <metze at samba.org> wrote on 09/09/2014 12:28:28
> AM:
>
>> From: "Stefan (metze) Metzmacher" <metze at samba.org>
>> To: Shekhar Amlekar/India/IBM at IBMIN, samba-technical <samba-
>> technical at lists.samba.org>
>> Date: 09/09/2014 12:26 AM
>> Subject: Re: [PATCH]: SMB3 Encryption and "smb encrypt" option
>>
>> Hi Shekhar,
>>
>>> Currently, the smb encrypt option in Samba offers less flexibility in
>>> configuring smb3 encryption against Win8/Win2k12 clients. Win2k12 offers
>>> two options, EncryptData and RestrictUnencryptedAccess, to enable, disable
>>> and mandate encryption. However, the auto and disabled settings of smb
>>> encrypt behave the same against win8/win2k12 clients.
>>>
>>> Please find attached patches that change the behavior of the smb encrypt
>>> option as follows -
>>>
>>> disabled  --> EncryptData = no
>>> auto      --> EncryptData = yes, RejectUnencryptedAccess = no
>>> mandatory --> EncryptData = yes, RejectUnencryptedAccess = yes
>>>
>>> I've changed the default to disabled. Would you please review and let me
>>> know any comments that you may have,
>>
>> We should not change the default to disabled.
>>
>> What would be the use case for "EncryptData = yes,
>> RejectUnencryptedAccess = no"?
>>
>> metze
>>
>> [attachment "signature.asc" deleted by Shekhar Amlekar/India/IBM]
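The "EncryptData = yes, RejectUnencryptedAccess = no" mode discussed above (the proposed "smb encrypt = desired", or Windows' transition-period setting) advertises encryption but still lets pre-SMB3 or non-encrypting clients in, so an administrator needs a way to see which sessions are actually unencrypted before flipping to mandatory. The script below is an added example, not code from this thread or from the Samba project: it parses the session table of `smbstatus` output and lists sessions whose Encryption column is "-". It assumes the column layout that newer Samba releases print (PID, Username, Group, Machine, Protocol Version, Encryption, Signing; the 2014-era smbstatus had no such column) and uses a constructed sample of that output for the offline run.

```python
"""List smbstatus sessions that negotiated no SMB encryption.

Added example (not Samba's own code). Assumes the smbstatus session table
layout with an "Encryption" column, separated by runs of two or more spaces.
"""
import re
import subprocess
import sys
from typing import Dict, List

# Constructed sample of `smbstatus` output (not captured from a real server).
SAMPLE_SMBSTATUS = """\
Samba version 4.13.3
PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing
----------------------------------------------------------------------------------------------------------------------------------------
1201    alice        staff        10.0.0.5 (ipv4:10.0.0.5:52412)            SMB3_11           AES-128-GCM          AES-128-GMAC
1202    bob          staff        10.0.0.7 (ipv4:10.0.0.7:49311)            SMB3_02           -                    partial(AES-128-CMAC)
1203    legacy-scan  staff        10.0.0.9 (ipv4:10.0.0.9:1038)             NT1               -                    -

Service      pid     Machine       Connected at                     Encryption   Signing
---------------------------------------------------------------------------------------------
data         1201    10.0.0.5      Mon Sep  8 10:00:00 AM 2014 UTC  AES-128-GCM  -
data         1202    10.0.0.7      Mon Sep  8 10:01:00 AM 2014 UTC  -            -
"""

_COLSEP = re.compile(r"\s{2,}")


def parse_sessions(text: str) -> List[Dict[str, str]]:
    """Return the per-session rows of smbstatus output as dicts keyed by header.

    Raises ValueError when no session table with an Encryption column is
    present (smbstatus too old, or run without permission to read the tdbs).
    """
    header = None
    sessions: List[Dict[str, str]] = []
    for line in text.splitlines():
        if header is None:
            # The session table starts at the header line beginning with "PID".
            if line.startswith("PID") and "Encryption" in line:
                header = _COLSEP.split(line.strip())
            continue
        if line.startswith("-"):
            continue  # separator row under the header
        if not line.strip():
            break  # blank line ends the session table; the share table follows
        fields = _COLSEP.split(line.strip())
        if len(fields) != len(header):
            continue  # tolerate rows the assumed layout does not describe
        sessions.append(dict(zip(header, fields)))
    if header is None:
        raise ValueError("no session table with an Encryption column found")
    return sessions


def unencrypted_sessions(sessions: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Sessions where smbstatus reports no encryption ("-")."""
    return [s for s in sessions if s["Encryption"] == "-"]


def classify(session: Dict[str, str]) -> str:
    """Separate clients that cannot encrypt (pre-SMB3) from SMB3 clients that did not."""
    if session["Protocol Version"].startswith("SMB3"):
        return "smb3-capable, not encrypting"
    return "pre-SMB3, cannot encrypt"


def report(text: str) -> List[str]:
    """One line per unencrypted session: pid, user, machine, protocol, class."""
    return [
        "%s %s %s %s: %s" % (s["PID"], s["Username"], s["Machine"],
                             s["Protocol Version"], classify(s))
        for s in unencrypted_sessions(parse_sessions(text))
    ]


if __name__ == "__main__":
    # With a file argument, audit saved output; otherwise run smbstatus itself.
    if len(sys.argv) > 1:
        output = open(sys.argv[1]).read()
    else:
        output = subprocess.run(["smbstatus"], capture_output=True,
                                text=True, check=True).stdout
    for line in report(output):
        print(line)
```

Run it against a saved `smbstatus` capture (or directly on the server) while the server is in the non-rejecting mode; an empty report is the signal that switching to "smb encrypt = mandatory" (RejectUnencryptedAccess = yes) will not lock anyone out. Pre-SMB3 clients in the list can never satisfy a mandatory setting, as the quoted Microsoft text notes, so they need a client upgrade rather than a server change.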