| 1 | <samba:parameter name="smb encrypt"
|
|---|
| 2 | context="S"
|
|---|
| 3 | type="enum"
|
|---|
| 4 | basic="1"
|
|---|
| 5 | xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
|
|---|
| 6 | <description>
|
|---|
| 7 |
|
|---|
| 8 | <para>This is a new feature introduced with Samba 3.2 and above. It is an
|
|---|
| 9 | extension to the SMB/CIFS protocol negotiated as part of the UNIX extensions.
|
|---|
| 10 | SMB encryption uses the GSSAPI (SSPI on Windows) ability to encrypt
|
|---|
| 11 | and sign every request/response in a SMB protocol stream. When
|
|---|
| 12 | enabled it provides a secure method of SMB/CIFS communication,
|
|---|
| 13 | similar to an ssh protected session, but using SMB/CIFS authentication
|
|---|
| 14 | to negotiate encryption and signing keys. Currently this is only
|
|---|
| 15 | supported by Samba 3.2 smbclient, and hopefully soon Linux CIFSFS
|
|---|
| 16 | and MacOS/X clients. Windows clients do not support this feature.
|
|---|
| 17 | </para>
|
|---|
| 18 |
|
|---|
| 19 | <para>This controls whether the remote client is allowed or required to use SMB encryption. Possible values
|
|---|
| 20 | are <emphasis>auto</emphasis>, <emphasis>mandatory</emphasis>
|
|---|
| 21 | and <emphasis>disabled</emphasis>. This may be set on a per-share
|
|---|
| 22 | basis, but clients may chose to encrypt the entire session, not
|
|---|
| 23 | just traffic to a specific share. If this is set to mandatory
|
|---|
| 24 | then all traffic to a share <emphasis>must</emphasis> must
|
|---|
| 25 | be encrypted once the connection has been made to the share.
|
|---|
| 26 | The server would return "access denied" to all non-encrypted
|
|---|
| 27 | requests on such a share. Selecting encrypted traffic reduces
|
|---|
| 28 | throughput as smaller packet sizes must be used (no huge UNIX
|
|---|
| 29 | style read/writes allowed) as well as the overhead of encrypting
|
|---|
| 30 | and signing all the data.
|
|---|
| 31 | </para>
|
|---|
| 32 |
|
|---|
| 33 | <para>If SMB encryption is selected, Windows style SMB signing (see
|
|---|
| 34 | the <smbconfoption name="server signing"/> option) is no longer necessary,
|
|---|
| 35 | as the GSSAPI flags use select both signing and sealing of the data.
|
|---|
| 36 | </para>
|
|---|
| 37 |
|
|---|
| 38 | <para>When set to auto, SMB encryption is offered, but not enforced.
|
|---|
| 39 | When set to mandatory, SMB encryption is required and if set
|
|---|
| 40 | to disabled, SMB encryption can not be negotiated.</para>
|
|---|
| 41 | </description>
|
|---|
| 42 |
|
|---|
| 43 | <value type="default">auto</value>
|
|---|
| 44 | </samba:parameter>
|
|---|
