1 <samba:parameter name="client smb encrypt"
2                  context="G"
3                  type="enum"
4                  enumlist="enum_smb_encryption_vals"
5                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
6 <description>
7         <para>
8         This parameter controls whether a client should try or is required
9         to use SMB encryption. It has different effects depending on whether
10         the connection uses SMB1 or SMB3:
11         </para>
13         <itemizedlist>
14         <listitem>
15                 <para>
16                 If the connection uses SMB1, then this option controls the use
17                 of a Samba-specific extension to the SMB protocol introduced in
18                 Samba 3.2 that makes use of the Unix extensions.
19                 </para>
20         </listitem>
22         <listitem>
23                 <para>
24                 If the connection uses SMB2 or newer, then this option controls
25                 the use of the SMB-level encryption that is supported in SMB
26                 version 3.0 and above and available in Windows 8 and newer.
27                 </para>
28         </listitem>
29         </itemizedlist>
31         <para>
32                 This parameter can be set globally. Possible values are
34                 <emphasis>off</emphasis>,
35                 <emphasis>if_required</emphasis>,
36                 <emphasis>desired</emphasis>,
37                 and
38                 <emphasis>required</emphasis>.
39                 A special value is <emphasis>default</emphasis> which is
40                 the implicit default setting of <emphasis>if_required</emphasis>.
41         </para>
43         <variablelist>
44                 <varlistentry>
45                 <term><emphasis>Effects for SMB1</emphasis></term>
46                 <listitem>
47                 <para>
48                 The Samba-specific encryption of SMB1 connections is an
49                 extension to the SMB protocol negotiated as part of the UNIX
50                 extensions.  SMB encryption uses the GSSAPI (SSPI on Windows)
51                 ability to encrypt and sign every request/response in an SMB
52                 protocol stream. When enabled it provides a secure method of
53                 SMB/CIFS communication, similar to an ssh protected session, but
54                 using SMB/CIFS authentication to negotiate encryption and
55                 signing keys. Currently this is only supported by smbclient of
56                 Samba 3.2 and newer. Windows does not support this feature.
57                 </para>
59                 <para>
60                 When set to default, SMB encryption is probed, but not
61                 enforced.  When set to required, SMB encryption is required and
62                 if set to off, SMB encryption cannot be negotiated.
63                 </para>
64                 </listitem>
65                 </varlistentry>
67                 <varlistentry>
68                 <term><emphasis>Effects for SMB3 and newer</emphasis></term>
69                 <listitem>
70                 <para>
71                 Native SMB transport encryption is available in SMB version 3.0
72                 or newer. It is only used by Samba if
73                 <emphasis>client max protocol</emphasis> is set to
74                 <emphasis>SMB3</emphasis> or newer.
75                 </para>
77                 <para>
78                 These features can be controlled with settings of
79                 <emphasis>client smb encrypt</emphasis> as follows:
80                 </para>
82                 <itemizedlist>
83                         <listitem>
84                         <para>
85                         Leaving it as default, explicitly setting
86                         <emphasis>default</emphasis>, or setting it to
87                         <emphasis>if_required</emphasis> globally will enable
88                         negotiation of encryption but will not turn on
89                         data encryption globally.
90                         </para>
91                         </listitem>
93                         <listitem>
94                         <para>
95                         Setting it to <emphasis>desired</emphasis> globally
96                         will enable negotiation and will turn on data encryption
97                         on sessions and share connections for those servers
98                         that support it. Connections to servers that do not support it are not encrypted.
99                         </para>
100                         </listitem>
102                         <listitem>
103                         <para>
104                         Setting it to <emphasis>required</emphasis> globally
105                         will enable negotiation and turn on data encryption
106                         on sessions and share connections. Connections to
107                         servers that do not support encryption will
108                         fail.
109                         </para>
110                         </listitem>
112                         <listitem>
113                         <para>
114                         Setting it to <emphasis>off</emphasis> globally will
115                         completely disable the encryption feature for all
116                         connections.
117                         </para>
118                         </listitem>
119                 </itemizedlist>
120                 </listitem>
121                 </varlistentry>
122         </variablelist>
123 </description>
125 <value type="default">default</value>
126 </samba:parameter>