summaryrefslogtreecommitdiff
path: root/docs-xml/smbdotconf/security/smbencrypt.xml
blob: eb91ce51fa3ce389445ca5064c5bea2be8465750 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
<samba:parameter name="smb encrypt"
                 context="S"
				 type="enum"
                 basic="1"
		 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>

    <para>This is a new feature introduced with Samba 3.2 and above. It is an
    extension to the SMB/CIFS protocol negotiated as part of the UNIX extensions.
    SMB encryption uses the GSSAPI (SSPI on Windows) ability to encrypt
    and sign every request/response in a SMB protocol stream. When
    enabled it provides a secure method of SMB/CIFS communication,
    similar to an ssh protected session, but using SMB/CIFS authentication
    to negotiate encryption and signing keys. Currently this is only
    supported by Samba 3.2 smbclient, and hopefully soon Linux CIFSFS
    and MacOS/X clients. Windows clients do not support this feature.
    </para>

    <para>This controls whether the server offers or requires
    the client it talks to to use SMB encryption. Possible values 
    are <emphasis>auto</emphasis>, <emphasis>mandatory</emphasis> 
    and <emphasis>disabled</emphasis>. This may be set on a per-share
    basis, but clients may chose to encrypt the entire session, not
    just traffic to a specific share. If this is set to mandatory
    then all traffic to a share <emphasis>must</emphasis> must
    be encrypted once the connection has been made to the share.
    The server would return "access denied" to all non-encrypted
    requests on such a share. Selecting encrypted traffic reduces
    throughput as smaller packet sizes must be used (no huge UNIX
    style read/writes allowed) as well as the overhead of encrypting
    and signing all the data.
    </para>

    <para>If SMB encryption is selected, Windows style SMB signing (see
    the <smbconfoption name="server signing"/> option) is no longer necessary,
    as the GSSAPI flags use select both signing and sealing of the data.
    </para>

    <para>When set to auto, SMB encryption is offered, but not enforced. 
    When set to mandatory, SMB encryption is required and if set 
    to disabled, SMB encryption can not be negotiated.</para>
</description>

<value type="default">auto</value>
</samba:parameter>