Encrypting SMB traffic with Samba


Solution 1

The smb.conf manual page needs to be updated! It refers to the old Samba-specific encryption mechanism that applies to SMB1 only and is done via unix extensions. This can be used by smbclient.

Nowadays, the "smb encrypt" option also controls the SMB-level encryption that is part of SMB version 3.0 and newer. Windows 8 (and newer) clients should encrypt traffic with these settings.

Have you tried to use the same settings (smb encrypt = mandatory in the [global] section) on a Samba domain member or standalone server?

Make sure to set smb encrypt = auto in the [global] section (not the [profiles] section). Then the general availability of encryption is still announced.



It is very possible that this is a bug in Samba. So this should probably be discussed on Samba's samba-technical mailing list or Samba's bugzilla. If you're using the Ubuntu version of Samba then you might also want to check the package page. I suspect that this is a genuine Samba upstream issue.

Solution 2

This is a new feature introduced with Samba 3.2 and above. It is an extension to the SMB/CIFS protocol negotiated as part of the UNIX extensions. SMB encryption uses the GSSAPI (SSPI on Windows) ability to encrypt and sign every request/response in an SMB protocol stream. When enabled it provides a secure method of SMB/CIFS communication, similar to an ssh protected session, but using SMB/CIFS authentication to negotiate encryption and signing keys. Currently this is only supported by Samba 3.2 smbclient, and hopefully soon Linux CIFSFS and MacOS/X clients. Windows clients do not support this feature.

This controls whether the remote client is allowed or required to use SMB encryption. Possible values are auto, mandatory and disabled. This may be set on a per-share basis, but clients may choose to encrypt the entire session, not just traffic to a specific share. If this is set to mandatory then all traffic to a share must be encrypted once the connection has been made to the share. The server would return "access denied" to all non-encrypted requests on such a share. Selecting encrypted traffic reduces throughput as smaller packet sizes must be used (no huge UNIX style read/writes allowed) as well as the overhead of encrypting and signing all the data.

If SMB encryption is selected, Windows style SMB signing (see the server signing option) is no longer necessary, as the GSSAPI flags used select both signing and sealing of the data.

When set to auto, SMB encryption is offered, but not enforced. When set to mandatory, SMB encryption is required and if set to disabled, SMB encryption can not be negotiated.

Default: smb encrypt = auto

Source: https://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html
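As an added example (not from either answer and not Samba's own code), a small Python checker that reads an smb.conf and reports the situation from the question: smb encrypt = mandatory only on a share while [global] is left at its default, or a share demanding encryption that [global] has disabled. The sample configuration embedded below is constructed for the demonstration.

```python
import re
from typing import Dict, List

# Constructed smb.conf fragment modelled on the question: encryption is
# required only on the [profiles] share, nothing is set in [global].
SAMPLE_SMB_CONF = """\
[global]
    workgroup = DOMAIN
[profiles]
    path = /var/lib/samba/profiles
    server signing = mandatory
    smb encrypt = mandatory
"""


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf reader: [section] headers, key = value lines, '#'/';'
    comments. Samba ignores case and inner whitespace in parameter names."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def audit_smb_encrypt(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Report where 'smb encrypt' leaves traffic unencrypted or unusable."""
    findings = []
    glob = sections.get("global", {})
    g_enc = glob.get("smb encrypt", "auto").lower()  # man page default is auto
    if g_enc == "disabled":
        findings.append("global: smb encrypt = disabled, no share can negotiate encryption")
    elif "smb encrypt" not in glob:
        findings.append("global: smb encrypt not set; encryption is only offered (auto), never required")
    for share, opts in sections.items():
        if share == "global" or opts.get("smb encrypt", "").lower() != "mandatory":
            continue
        if g_enc == "disabled":
            findings.append(f"{share}: mandatory here but disabled in [global], so it cannot be negotiated")
        elif g_enc != "mandatory":
            findings.append(f"{share}: required only for this share; connections to other shares may stay cleartext")
    return findings
```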


Kai Petzke

Updated on September 18, 2022

Comments

  • Kai Petzke almost 2 years

    We use Samba on Ubuntu 14.04 LTS as a PDC (primary domain controller) with roaming profiles. Everything works fine, except if we try to enforce encryption via setting:

        server signing = mandatory
        smb encrypt = mandatory
    

    in the [global] section of /etc/samba/smb.conf. After doing so, win 8.0 and win 8.1 clients (haven't tried any other) complain: Die Vertrauensstellung zwischen dieser Arbeitsstation und der primären Domäne konnte nicht hergestellt werden. English translation of this text: The trust relationship between this workstation and the primary domain could not be established.

    If we add the two options server signing and smb encrypt only to the [profiles] section of smb.conf, then tcpdump shows that the actual traffic is not encrypted!

    The full smb.conf:

    [global]
        workgroup = DOMAIN
        server string = %h PDC
        netbios name = HOSTNAME
        wins support = true
        dns proxy = no
        allow dns updates = False
        dns forwarder = IP
    
        deadtime = 15
    
        log level = 2
        log file = /var/log/samba/log.%m
        max log size = 5000
        debug pid = yes
        debug uid = yes
        syslog = yes
        utmp = yes
    
        security = user
        domain logons = yes
        domain master = yes
        os level = 64
        logon path = \\%N\profiles\%U
        logon home = \\%N\%U
        logon drive = H:
        logon script =
    
        passdb backend = ldapsam:ldap://localhost
        ldap ssl = start tls
        ldap admin dn = cn=admin,dc=DOMAIN,dc=de
        ldap delete dn = no
    
        encrypt passwords = yes
        server signing = mandatory
        smb encrypt = mandatory
    
        ## Sync UNIX password with Samba password
        ldap password sync = yes
    
        ldap suffix = dc=intra,dc=DOMAIN,dc=de
        ldap user suffix = ou=People
        ldap group suffix = ou=Groups
        ldap machine suffix = ou=Computers
        ldap idmap suffix = ou=Idmap
    
        add user script = /usr/sbin/smbldap-useradd -m '%u' -t 1
        rename user script = /usr/sbin/smbldap-usermod -r '%unew' '%uold'
        delete user script = /usr/sbin/smbldap-userdel '%u'
        set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
        add group script = /usr/sbin/smbldap-groupadd -p '%g'
        delete group script = /usr/sbin/smbldap-groupdel '%g'
        add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
        delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
        add machine script = /usr/sbin/smbldap-useradd -W '%m' -t 1
    
    [homes]
        comment = Home Directories
        valid users = %S
        read only = No
        browseable = No
    
    [netlogon]
        comment = Network Logon Service
        path = /var/lib/samba/netlogon
        admin users = root
        guest ok = Yes
        browseable = No
    
    [profiles]
        comment = Roaming Profile Share
        path = /var/lib/samba/profiles
        read only = No
        profile acls = Yes
        browsable = No
        valid users = %U
        create mode = 0600
        directory mode = 0700
    

    Any help?

    • Kai Petzke over 9 years
      Sorry, rejoining a win 8 or win 8.1 client to the domain doesn't solve the problem. We tried that several times.
  • Kai Petzke over 9 years
    Sorry, I can read the man page myself. About the quote that you highlighted: Some pages, like blogs.technet.com/b/filecab/archive/2012/05/03/… indicate that Win 8 can also do SMB encryption. As written at the top of that page: "Everything here also applies to Windows 8". Is that info surely wrong?
  • integratorIT over 9 years
    Alternatively you can use Windows Server 2012 which supports encrypted smb traffic
  • Kai Petzke over 9 years
    But wouldn't that require the Windows Server edition on all clients?
  • Michael Adam about 9 years
    I have updated the manual page in Samba's core repository to explain the different meaning of smb encrypt for SMB2 and SMB3: (git.samba.org/…)