1 <samba:parameter name="smb encrypt"
4 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
7 This parameter controls whether a remote client is allowed or required
8 to use SMB encryption. It has different effects depending on whether
9 the connection uses SMB1 or SMB2 and newer:
15 If the connection uses SMB1, then this option controls the use
16 of a Samba-specific extension to the SMB protocol introduced in
17 Samba 3.2 that makes use of the Unix extensions.
23 If the connection uses SMB2 or newer, then this option controls
24 the use of the SMB-level encryption that is supported in SMB
25 version 3.0 and above and available in Windows 8 and newer.
31 This parameter can be set globally and on a per-share bases.
33 <emphasis>off</emphasis> (or <emphasis>disabled</emphasis>),
34 <emphasis>enabled</emphasis> (or <emphasis>auto</emphasis>, or
35 <emphasis>if_required</emphasis>),
36 <emphasis>desired</emphasis>,
38 <emphasis>required</emphasis>
39 (or <emphasis>mandatory</emphasis>).
40 A special value is <emphasis>default</emphasis> which is
41 the implicit default setting of <emphasis>enabled</emphasis>.
46 <term><emphasis>Effects for SMB1</emphasis></term>
49 The Samba-specific encryption of SMB1 connections is an
50 extension to the SMB protocol negotiated as part of the UNIX
51 extensions. SMB encryption uses the GSSAPI (SSPI on Windows)
52 ability to encrypt and sign every request/response in a SMB
53 protocol stream. When enabled it provides a secure method of
54 SMB/CIFS communication, similar to an ssh protected session, but
55 using SMB/CIFS authentication to negotiate encryption and
56 signing keys. Currently this is only supported smbclient of by
57 Samba 3.2 and newer, and hopefully soon Linux CIFSFS and MacOS/X
58 clients. Windows clients do not support this feature.
61 <para>This may be set on a per-share
62 basis, but clients may chose to encrypt the entire session, not
63 just traffic to a specific share. If this is set to mandatory
64 then all traffic to a share <emphasis>must</emphasis>
65 be encrypted once the connection has been made to the share.
66 The server would return "access denied" to all non-encrypted
67 requests on such a share. Selecting encrypted traffic reduces
68 throughput as smaller packet sizes must be used (no huge UNIX
69 style read/writes allowed) as well as the overhead of encrypting
70 and signing all the data.
74 If SMB encryption is selected, Windows style SMB signing (see
75 the <smbconfoption name="server signing"/> option) is no longer
76 necessary, as the GSSAPI flags use select both signing and
81 When set to auto or default, SMB encryption is offered, but not
82 enforced. When set to mandatory, SMB encryption is required and
83 if set to disabled, SMB encryption can not be negotiated.
89 <term><emphasis>Effects for SMB2</emphasis></term>
92 Native SMB transport encryption is available in SMB version 3.0
93 or newer. It is only offered by Samba if
94 <emphasis>server max protocol</emphasis> is set to
95 <emphasis>SMB3</emphasis> or newer.
96 Clients supporting this type of encryption include
98 Windows server 2012 and newer,
99 and smbclient of Samba 4.1 and newer.
103 The protocol implementation offers various options:
109 The capability to perform SMB encryption can be
110 negotiated during protocol negotiation.
116 Data encryption can be enabled globally. In that case,
117 an encryption-capable connection will have all traffic
118 in all its sessions encrypted. In particular all share
119 connections will be encrypted.
125 Data encryption can also be enabled per share if not
126 enabled globally. For an encryption-capable connection,
127 all connections to an encryption-enabled share will be
134 Encryption can be enforced. This means that session
135 setups will be denied on non-encryption-capable
136 connections if data encryption has been enabled
137 globally. And tree connections will be denied for
138 non-encryption capable connections to shares with data
145 These features can be controlled with settings of
146 <emphasis>smb encrypt</emphasis> as follows:
152 Leaving it as default, explicitly setting
153 <emphasis>default</emphasis>, or setting it to
154 <emphasis>enabled</emphasis> globally will enable
155 negotiation of encryption but will not turn on
156 data encryption globally or per share.
162 Setting it to <emphasis>desired</emphasis> globally
163 will enable negotiation and will turn on data encryption
164 on sessions and share connections for those clients
171 Setting it to <emphasis>required</emphasis> globally
172 will enable negotiation and turn on data encryption
173 on sessions and share connections. Clients that do
174 not support encryption will be denied access to the
181 Setting it to <emphasis>off</emphasis> globally will
182 completely disable the encryption feature.
188 Setting it to <emphasis>desired</emphasis> on a share
189 will turn on data encryption for this share for clients
190 that support encryption if negotiation has been
197 Setting it to <emphasis>required</emphasis> on a share
198 will enforce data encryption for this share if
199 negotiation has been enabled globally. I.e. clients that
200 do not support encryption will be denied access to the
204 Note that this allows per-share enforcing to be
205 controlled in Samba differently from Windows:
206 In Windows, <emphasis>RejectUnencryptedAccess</emphasis>
207 is a global setting, and if it is set, all shares with
208 data encryption turned on
209 are automatically enforcing encryption. In order to
210 achieve the same effect in Samba, one
211 has to globally set <emphasis>smb encrypt</emphasis> to
212 <emphasis>enabled</emphasis>, and then set all shares
213 that should be encrypted to
214 <emphasis>required</emphasis>.
215 Additionally, it is possible in Samba to have some
216 shares with encryption <emphasis>required</emphasis>
217 and some other shares with encryption only
218 <emphasis>desired</emphasis>, which is not possible in
225 Setting it to <emphasis>off</emphasis> or
226 <emphasis>enabled</emphasis> for a share has
236 <value type="default">default</value>