diff options
author | Gerald W. Carter <jerry@samba.org> | 2008-04-22 10:09:40 -0500 |
---|---|---|
committer | Gerald W. Carter <jerry@samba.org> | 2008-04-23 08:47:48 -0500 |
commit | 8f8a9f01909ba29e2b781310baeeaaddc3f15f0d (patch) | |
tree | 90c6b720ad3a7bc815245c0ef28820424f89d658 /docs-xml/smbdotconf/security/smbencrypt.xml | |
parent | 197238246389c40edc60c6630d18d6913086e630 (diff) | |
download | samba-8f8a9f01909ba29e2b781310baeeaaddc3f15f0d.tar.gz samba-8f8a9f01909ba29e2b781310baeeaaddc3f15f0d.tar.bz2 samba-8f8a9f01909ba29e2b781310baeeaaddc3f15f0d.zip |
Moving docs tree to docs-xml to make room for generated docs in the release tarball.
(This used to be commit 9f672c26d63955f613088489c6efbdc08b5b2d14)
Diffstat (limited to 'docs-xml/smbdotconf/security/smbencrypt.xml')
-rw-r--r-- | docs-xml/smbdotconf/security/smbencrypt.xml | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/docs-xml/smbdotconf/security/smbencrypt.xml b/docs-xml/smbdotconf/security/smbencrypt.xml new file mode 100644 index 0000000000..eb91ce51fa --- /dev/null +++ b/docs-xml/smbdotconf/security/smbencrypt.xml @@ -0,0 +1,45 @@ +<samba:parameter name="smb encrypt" + context="S" + type="enum" + basic="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + + <para>This is a new feature introduced with Samba 3.2 and above. It is an + extension to the SMB/CIFS protocol negotiated as part of the UNIX extensions. + SMB encryption uses the GSSAPI (SSPI on Windows) ability to encrypt + and sign every request/response in a SMB protocol stream. When + enabled it provides a secure method of SMB/CIFS communication, + similar to an ssh protected session, but using SMB/CIFS authentication + to negotiate encryption and signing keys. Currently this is only + supported by Samba 3.2 smbclient, and hopefully soon Linux CIFSFS + and MacOS/X clients. Windows clients do not support this feature. + </para> + + <para>This controls whether the server offers or requires + the client it talks to to use SMB encryption. Possible values + are <emphasis>auto</emphasis>, <emphasis>mandatory</emphasis> + and <emphasis>disabled</emphasis>. This may be set on a per-share + basis, but clients may chose to encrypt the entire session, not + just traffic to a specific share. If this is set to mandatory + then all traffic to a share <emphasis>must</emphasis> must + be encrypted once the connection has been made to the share. + The server would return "access denied" to all non-encrypted + requests on such a share. Selecting encrypted traffic reduces + throughput as smaller packet sizes must be used (no huge UNIX + style read/writes allowed) as well as the overhead of encrypting + and signing all the data. + </para> + + <para>If SMB encryption is selected, Windows style SMB signing (see + the <smbconfoption name="server signing"/> option) is no longer necessary, + as the GSSAPI flags use select both signing and sealing of the data. + </para> + + <para>When set to auto, SMB encryption is offered, but not enforced. + When set to mandatory, SMB encryption is required and if set + to disabled, SMB encryption can not be negotiated.</para> +</description> + +<value type="default">auto</value> +</samba:parameter> |