<samba:parameter name="smb encrypt" context="S" type="enum" basic="1" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> <para>This is a new feature introduced with Samba 3.2 and above. It is an extension to the SMB/CIFS protocol negotiated as part of the UNIX extensions. SMB encryption uses the GSSAPI (SSPI on Windows) ability to encrypt and sign every request/response in a SMB protocol stream. When enabled it provides a secure method of SMB/CIFS communication, similar to an ssh protected session, but using SMB/CIFS authentication to negotiate encryption and signing keys. Currently this is only supported by Samba 3.2 smbclient, and hopefully soon Linux CIFSFS and MacOS/X clients. Windows clients do not support this feature. </para> <para>This controls whether the remote client is allowed or required to use SMB encryption. Possible values are <emphasis>auto</emphasis>, <emphasis>mandatory</emphasis> and <emphasis>disabled</emphasis>. This may be set on a per-share basis, but clients may chose to encrypt the entire session, not just traffic to a specific share. If this is set to mandatory then all traffic to a share <emphasis>must</emphasis> must be encrypted once the connection has been made to the share. The server would return "access denied" to all non-encrypted requests on such a share. Selecting encrypted traffic reduces throughput as smaller packet sizes must be used (no huge UNIX style read/writes allowed) as well as the overhead of encrypting and signing all the data. </para> <para>If SMB encryption is selected, Windows style SMB signing (see the <smbconfoption name="server signing"/> option) is no longer necessary, as the GSSAPI flags use select both signing and sealing of the data. </para> <para>When set to auto, SMB encryption is offered, but not enforced. When set to mandatory, SMB encryption is required and if set to disabled, SMB encryption can not be negotiated.</para> </description> <value type="default">auto</value> </samba:parameter>