Encrypting SMB traffic with Samba
Solution 1:
The smb.conf manual page needs to be updated! It refers to the old Samba-specific encryption mechanism that applies to SMB1 only and is done via unix extensions. This can be used by smbclient
.
Nowadays, the "smb encrypt
" options also controls the SMB-level encryption that is part of SMB version 3.0 and newer. Windows 8 (and newer) clients should encrypt traffic with these settings.
Have you tried to use the same settings (smb encrypt = mandatory
in the [global]
section) on a Samba domain member or standalone server?
Make sure to set smb encrypt = auto
in [global]
section (not the [profiles]
section). Then the general availability of encryption is still announced.
It is very possible that this is a bug in Samba. So this should probably be discussed on samba's samba-technial mailing list or samba's bugzilla. If you're using the Ubuntu version of Samba then you might also want to check the package page. I suspect that this a genuine Samba upstream issue.
Solution 2:
This is a new feature introduced with Samba 3.2 and above. It is an extension to the SMB/CIFS protocol negotiated as part of the UNIX extensions. SMB encryption uses the GSSAPI (SSPI on Windows) ability to encrypt and sign every request/response in a SMB protocol stream. When enabled it provides a secure method of SMB/CIFS communication, similar to an ssh protected session, but using SMB/CIFS authentication to negotiate encryption and signing keys. Currently this is only supported by Samba 3.2 smbclient, and hopefully soon Linux CIFSFS and MacOS/X clients. Windows clients do not support this feature.
This controls whether the remote client is allowed or required to use SMB encryption. Possible values are auto, mandatory and disabled. This may be set on a per-share basis, but clients may chose to encrypt the entire session, not just traffic to a specific share. If this is set to mandatory then all traffic to a share must must be encrypted once the connection has been made to the share. The server would return "access denied" to all non-encrypted requests on such a share. Selecting encrypted traffic reduces throughput as smaller packet sizes must be used (no huge UNIX style read/writes allowed) as well as the overhead of encrypting and signing all the data.
If SMB encryption is selected, Windows style SMB signing (see the server signing option) is no longer necessary, as the GSSAPI flags use select both signing and sealing of the data.
When set to auto, SMB encryption is offered, but not enforced. When set to mandatory, SMB encryption is required and if set to disabled, SMB encryption can not be negotiated.
Default: smb encrypt = auto
Source: https://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html