summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2007-12-31 02:22:27 +0000
committerGerald W. Carter <jerry@samba.org>2008-04-23 08:47:41 -0500
commit2c695bb59f4540ddc36c4ec08d5992f758633888 (patch)
treea5f2368bd1b97accc452138da434b9dcb8daba28
parent47e79c73d8608341fff95ce58b01322af35ba144 (diff)
downloadsamba-2c695bb59f4540ddc36c4ec08d5992f758633888.tar.gz
samba-2c695bb59f4540ddc36c4ec08d5992f758633888.tar.bz2
samba-2c695bb59f4540ddc36c4ec08d5992f758633888.zip
Add "smb encrypt" to smb.conf.
Jeremy. (This used to be commit e43e7fccf1eb6295f23a0adb4b6a84868c7cd7b9)
-rw-r--r--docs/smbdotconf/security/smbencrypt.xml45
1 files changed, 45 insertions, 0 deletions
diff --git a/docs/smbdotconf/security/smbencrypt.xml b/docs/smbdotconf/security/smbencrypt.xml
new file mode 100644
index 0000000000..eb91ce51fa
--- /dev/null
+++ b/docs/smbdotconf/security/smbencrypt.xml
@@ -0,0 +1,45 @@
+<samba:parameter name="smb encrypt"
+ context="S"
+ type="enum"
+ basic="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>This is a new feature introduced with Samba 3.2 and above. It is an
+ extension to the SMB/CIFS protocol negotiated as part of the UNIX extensions.
+ SMB encryption uses the GSSAPI (SSPI on Windows) ability to encrypt
+ and sign every request/response in a SMB protocol stream. When
+ enabled it provides a secure method of SMB/CIFS communication,
+ similar to an ssh protected session, but using SMB/CIFS authentication
+ to negotiate encryption and signing keys. Currently this is only
+ supported by Samba 3.2 smbclient, and hopefully soon Linux CIFSFS
+ and MacOS/X clients. Windows clients do not support this feature.
+ </para>
+
+ <para>This controls whether the server offers or requires
+ the client it talks to to use SMB encryption. Possible values
+ are <emphasis>auto</emphasis>, <emphasis>mandatory</emphasis>
+ and <emphasis>disabled</emphasis>. This may be set on a per-share
+ basis, but clients may chose to encrypt the entire session, not
+ just traffic to a specific share. If this is set to mandatory
+ then all traffic to a share <emphasis>must</emphasis> must
+ be encrypted once the connection has been made to the share.
+ The server would return "access denied" to all non-encrypted
+ requests on such a share. Selecting encrypted traffic reduces
+ throughput as smaller packet sizes must be used (no huge UNIX
+ style read/writes allowed) as well as the overhead of encrypting
+ and signing all the data.
+ </para>
+
+ <para>If SMB encryption is selected, Windows style SMB signing (see
+ the <smbconfoption name="server signing"/> option) is no longer necessary,
+ as the GSSAPI flags use select both signing and sealing of the data.
+ </para>
+
+ <para>When set to auto, SMB encryption is offered, but not enforced.
+ When set to mandatory, SMB encryption is required and if set
+ to disabled, SMB encryption can not be negotiated.</para>
+</description>
+
+<value type="default">auto</value>
+</samba:parameter>