Re: [Samba] Encryption
On Tue, 01 Dec 2009 08:23:01 -0800, Jeremy Allison wrote:
> On Tue, Dec 01, 2009 at 10:01:57AM -0600, Cameron Laird wrote:
>> What are the prospects for smb transport encryption? Where can I learn more?
>
> It's implemented via the UNIX extension mechanism between smbclient and smbd for versions of Samba 3.2.x and greater. Not yet implemented in the Linux CIFSFS client or MacOSX client.

The encryption feature of smbclient seems really great! But it is too bad that it is only in smbclient and not in smbmount/mount.cifs. Is there any technical barrier to implementing it in smbmount?

I used to use sshfs to remotely mount my home directories between different computers running Linux, but I have switched to Samba for better performance. I would like to be able to keep using Samba without worrying about the relative lack of security. (I know this isn't really Samba's fault, but a legacy of its origins.)

Dan Lenski

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Encryption
On Fri, Jun 25, 2010 at 06:44:17PM +, Dan Lenski wrote:
> On Tue, 01 Dec 2009 08:23:01 -0800, Jeremy Allison wrote:
>> On Tue, Dec 01, 2009 at 10:01:57AM -0600, Cameron Laird wrote:
>>> What are the prospects for smb transport encryption? Where can I learn more?
>>
>> It's implemented via the UNIX extension mechanism between smbclient and smbd for versions of Samba 3.2.x and greater. Not yet implemented in the Linux CIFSFS client or MacOSX client.
>
> The encryption feature of smbclient seems really great! But it is too bad that it is only in smbclient and not in smbmount/mount.cifs. Is there any technical barrier to implementing it in smbmount?

No technical barrier, just the willingness of someone to write the code :-).

> I used to use sshfs to remotely mount my home directories between different computers running Linux, but I have switched to Samba for better performance. I would like to be able to keep using Samba without worrying about the relative lack of security. (I know this isn't really Samba's fault, but a legacy of its origins.)

Steve French and Jeff Layton are the experts in the Linux CIFS kernel code, try bugging them :-).

Jeremy.
Re: [Samba] Encryption
On Sun, 18 Apr 2010 10:29:38 -0400, simo wrote:
> On Sun, 2010-04-18 at 10:05 -0400, Nico Kadel-Garcia wrote:
>> Reviewing the docs, this tool requires Samba 3.2 or later on both the client and server sides. I'm therefore assuming that it's not compatible with a contemporary Windows fileserver: can you confirm this? Does anyone know if NetApp supports such encryption?
>
> It is an extension created by the Samba Team as part of unix extensions, and at the moment the only client that implements it is smbclient. Not even the in kernel cifs driver implements it. And we have no knowledge of any other implementer adopting it yet.

Does anyone know a time-frame for inclusion of transport encryption in the kernel CIFS driver? I'm really looking forward to this feature!

Dan
Re: [Samba] Encryption
On Fri, Jun 25, 2010 at 06:54:08PM +, Dan Lenski wrote:
> On Sun, 18 Apr 2010 10:29:38 -0400, simo wrote:
>> On Sun, 2010-04-18 at 10:05 -0400, Nico Kadel-Garcia wrote:
>>> Reviewing the docs, this tool requires Samba 3.2 or later on both the client and server sides. I'm therefore assuming that it's not compatible with a contemporary Windows fileserver: can you confirm this? Does anyone know if NetApp supports such encryption?
>>
>> It is an extension created by the Samba Team as part of unix extensions, and at the moment the only client that implements it is smbclient. Not even the in kernel cifs driver implements it. And we have no knowledge of any other implementer adopting it yet.
>
> Does anyone know a time-frame for inclusion of transport encryption in the kernel CIFS driver? I'm really looking forward to this feature!

Steve, Jeff ping ? :-)
Re: [Samba] Encryption
On Fri, 25 Jun 2010 12:20:41 -0700 Jeremy Allison j...@samba.org wrote:
> On Fri, Jun 25, 2010 at 06:54:08PM +, Dan Lenski wrote:
>> On Sun, 18 Apr 2010 10:29:38 -0400, simo wrote:
>>> On Sun, 2010-04-18 at 10:05 -0400, Nico Kadel-Garcia wrote:
>>>> Reviewing the docs, this tool requires Samba 3.2 or later on both the client and server sides. I'm therefore assuming that it's not compatible with a contemporary Windows fileserver: can you confirm this? Does anyone know if NetApp supports such encryption?
>>>
>>> It is an extension created by the Samba Team as part of unix extensions, and at the moment the only client that implements it is smbclient. Not even the in kernel cifs driver implements it. And we have no knowledge of any other implementer adopting it yet.
>>
>> Does anyone know a time-frame for inclusion of transport encryption in the kernel CIFS driver? I'm really looking forward to this feature!
>
> Steve, Jeff ping ? :-)

Sadly, there are enough bugs in this area that it may be a bit before we get around to adding new features. I know Shirish was poking around in here a while back, but I think he's working on other stuff now.

I think before we can reasonably add that we really need to move all of the cifs crypto to use the kernel's standard crypto libs rather than the homegrown routines they use now. There are some definite problems wrt to unicode in there (not directly related to crypto, but it needs fixing). NTLMSSP auth is also busted which is a rather important item.

--
Jeff Layton jlay...@samba.org
Re: [Samba] Encryption
On Fri, Jun 25, 2010 at 2:34 PM, Jeff Layton jlay...@samba.org wrote:
> On Fri, 25 Jun 2010 12:20:41 -0700 Jeremy Allison j...@samba.org wrote:
>> On Fri, Jun 25, 2010 at 06:54:08PM +, Dan Lenski wrote:
>>> On Sun, 18 Apr 2010 10:29:38 -0400, simo wrote:
>>>> On Sun, 2010-04-18 at 10:05 -0400, Nico Kadel-Garcia wrote:
>>>>> Reviewing the docs, this tool requires Samba 3.2 or later on both the client and server sides. I'm therefore assuming that it's not compatible with a contemporary Windows fileserver: can you confirm this? Does anyone know if NetApp supports such encryption?
>>>>
>>>> It is an extension created by the Samba Team as part of unix extensions, and at the moment the only client that implements it is smbclient. Not even the in kernel cifs driver implements it. And we have no knowledge of any other implementer adopting it yet.
>>>
>>> Does anyone know a time-frame for inclusion of transport encryption in the kernel CIFS driver? I'm really looking forward to this feature!
>>
>> Steve, Jeff ping ? :-)
>
> Sadly, there are enough bugs in this area that it may be a bit before we get around to adding new features. I know Shirish was poking around in here a while back, but I think he's working on other stuff now.
>
> I think before we can reasonably add that we really need to move all of the cifs crypto to use the kernel's standard crypto libs rather than the homegrown routines they use now. There are some definite problems wrt to unicode in there (not directly related to crypto, but it needs fixing). NTLMSSP auth is also busted which is a rather important item.
>
> --
> Jeff Layton jlay...@samba.org

Right now, I am at a stage where NTLMv2 authentication using NTLMSSP works. (It definitely was broken against Windows 7 and Windows 2008 server). But signing does not. I am working on making NTLM2 Session Security work.

For signing, as I understand, I am attempting to use kernel crypto APIs (for things like the key exchanged in type 3 message in ntlmssp). Point of this is, I am trying to use kernel crypto APIs henceforth. Along the way, I would consider converting existing mac generation routine to crypto kernel APIs.

I am definitely considering implementing encryption also. If I am generating all these server and client signing and sealing keys, it may be a little easier to go one step further and implement both, signing and sealing. I was mainly focussing on signing but will start investigating sealing also. NTLM2 session security implementation looks daunting though, I am just beginning to look into arc4 encryption to generate ciphertext.

I do not see a problem with existing mac routines but converting them to standard kernel crypto APIs should be the way to go. There are definitely issues in how cifs vfs client module implements ntlmssp protocol like how we decide/choose flags in type 1 message and how we react to flags in type 2 message etc. Signing for ntlmv2 is definitely busted.
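
Added example, not part of the thread and not code from Samba or the Linux CIFS client: the client and server signing and sealing keys mentioned in the message above, derived and used with arc4 as the public NTLMSSP specification (MS-NLMP) describes for NTLM2 session security. It assumes a 16-byte session key already agreed during authentication and that key exchange was negotiated; the session key and payload are constructed sample values.

```python
import hashlib
import hmac
import struct

# Magic constants from the public NTLMSSP specification (NUL-terminated).
MAGIC = {
    ("sign", "c2s"): b"session key to client-to-server signing key magic constant\x00",
    ("sign", "s2c"): b"session key to server-to-client signing key magic constant\x00",
    ("seal", "c2s"): b"session key to client-to-server sealing key magic constant\x00",
    ("seal", "s2c"): b"session key to server-to-client sealing key magic constant\x00",
}


class RC4:
    """Stateful arc4 stream; the keystream position persists across calls."""

    def __init__(self, key):
        self.s = list(range(256))
        j = 0
        for i in range(256):
            j = (j + self.s[i] + key[i % len(key)]) % 256
            self.s[i], self.s[j] = self.s[j], self.s[i]
        self.i = self.j = 0

    def crypt(self, data):
        out = bytearray()
        for byte in data:
            self.i = (self.i + 1) % 256
            self.j = (self.j + self.s[self.i]) % 256
            self.s[self.i], self.s[self.j] = self.s[self.j], self.s[self.i]
            out.append(byte ^ self.s[(self.s[self.i] + self.s[self.j]) % 256])
        return bytes(out)


def derive_keys(session_key, direction, key_bits=128):
    """Return (sign_key, seal_key) for one direction ("c2s" or "s2c")."""
    # Only the sealing key input is truncated when weaker keys were negotiated.
    seal_input = session_key[:{128: 16, 56: 7, 40: 5}[key_bits]]
    sign_key = hashlib.md5(session_key + MAGIC["sign", direction]).digest()
    seal_key = hashlib.md5(seal_input + MAGIC["seal", direction]).digest()
    return sign_key, seal_key


class Channel:
    """One direction of a session: signing key, arc4 handle, sequence number."""

    def __init__(self, session_key, direction, key_bits=128):
        self.sign_key, seal_key = derive_keys(session_key, direction, key_bits)
        self.rc4 = RC4(seal_key)
        self.seq = 0

    def _mac(self, plaintext):
        seq = struct.pack("<I", self.seq)
        digest = hmac.new(self.sign_key, seq + plaintext, hashlib.md5).digest()[:8]
        self.seq += 1
        # Signature layout: version(1) || arc4(checksum) || sequence number.
        # The checksum is arc4-encrypted because key exchange is assumed.
        return struct.pack("<I", 1) + self.rc4.crypt(digest) + seq

    def seal(self, plaintext):
        ciphertext = self.rc4.crypt(plaintext)
        return ciphertext, self._mac(plaintext)

    def unseal(self, ciphertext, signature):
        plaintext = self.rc4.crypt(ciphertext)
        if not hmac.compare_digest(self._mac(plaintext), signature):
            raise ValueError("bad NTLMSSP signature")
        return plaintext


def demo():
    session_key = bytes(range(16))            # constructed sample key
    sender = Channel(session_key, "c2s")      # client's outgoing state
    receiver = Channel(session_key, "c2s")    # server's matching incoming state
    ciphertext, signature = sender.seal(b"constructed payload")
    return receiver.unseal(ciphertext, signature)
```

Each direction keeps its own arc4 state and sequence number, so a receiver that drops or reorders a message fails the signature check on everything after it.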
Re: [Samba] Encryption
On Sun, Apr 18, 2010 at 9:00 PM, Jeremy Allison j...@samba.org wrote:
> On Sun, Apr 18, 2010 at 09:20:54AM -0400, Nico Kadel-Garcia wrote:
>> Samba is a very helpful implementation of CIFS, and I congratulate its authors. But CIFS was *not* built for data security. Encrypting such traffic would be an amazing performance hit on the server side. If you need secure data transfer, and do not need the kind of live sharing that CIFS or UNIX protocols like NFS provide, I'd urge you to use git for SSH based access to a central repository with local editing and full source control features. It's still a performance hit over direct file sharing, but it works well for interrupted connections to the primary document source, and I really like it for laptop or remote data center operation.
>
> Ahem. We *do* implement encryption on the CIFS stream in the Samba server. Works well with smbclient -e option. All it needs is for the kernel client to implement it. It's not such a bad hit on the server side of things :-).
>
> Jeremy.

Thank you, yes, I saw those notes from Volker and simo. This is what I get for working professionally with old releases. I also noticed that it relies on Samba 3.2 or later on both ends, and so isn't compatible with Windows servers or clients or older clients.

Now if I can just shoot all the old versions in use out there. ;'-)
Re: [Samba] Encryption
Thanks for helpful comments and suggestions.

In our situation we can't use smbclient -e because the data sources are not Samba/Linux, they're running various versions of Windows. But also, what we're doing is not file access but event log access. We aren't using CIFS but calling into ndr subroutines. As I said, we are using Samba code, not just being Samba users.

The behaviour is this. When connecting and retrieving event logs (using dcerpc_eventlog_ReadEventLogW and friends) the traffic is encrypted when talking to e.g. Windows 2000 (I think actually anything before Win2003 SP 2) but unencrypted when talking e.g. to Server 2008. We are, of course, never talking to Samba servers as such. Authorization seems to be encrypted in both cases, that isn't the issue.

(We are on Samba 4 for some purposes. In Samba 4, there's a torture test covering the event log API that exhibits the same behaviour we have seen by our client.)

A Malton

--
Dr. Andrew Malton e•sentire Critical Security Solutions 260 Holiday Inn Drive Building A Suite 29 Cambridge Canada N3C 4E8 AIM:ajmal...@mac.com tel: +1 519 651 2299 x 119
Re: [Samba] Encryption
On Mon, Apr 19, 2010 at 09:57:53AM -0400, Andrew Malton wrote:
> Thanks for helpful comments and suggestions.
>
> In our situation we can't use smbclient -e because the data sources are not Samba/Linux, they're running various versions of Windows. But also, what we're doing is not file access but event log access. We aren't using CIFS but calling into ndr subroutines. As I said, we are using Samba code, not just being Samba users.
>
> The behaviour is this. When connecting and retrieving event logs (using dcerpc_eventlog_ReadEventLogW and friends) the traffic is encrypted when talking to e.g. Windows 2000 (I think actually anything before Win2003 SP 2) but unencrypted when talking e.g. to Server 2008. We are, of course, never talking to Samba servers as such. Authorization seems to be encrypted in both cases, that isn't the issue.

This is RPC encryption, not SMB transport encryption. This can be negotiated on the traffic being carried within the SMB transport.

Jeremy.
Re: [Samba] Encryption
On Mon, April 19, 2010 11:13, Jeremy Allison wrote:
> This is RPC encryption, not SMB transport encryption. This can be negotiated on the traffic being carried within the SMB transport.

Are OpenSSL's routines for all of this? If you have hardware support for encryption (add-in card, CPU a la UltraSPARC-T2), is it possible to use OpenSSL's engine support for acceleration?
Re: [Samba] Encryption
On Mon, Apr 19, 2010 at 02:49:52PM -0400, David Magda wrote:
> On Mon, April 19, 2010 11:13, Jeremy Allison wrote:
>> This is RPC encryption, not SMB transport encryption. This can be negotiated on the traffic being carried within the SMB transport.
>
> Are OpenSSL's routines for all of this? If you have hardware support for encryption (add-in card, CPU a la UltraSPARC-T2), is it possible to use OpenSSL's engine support for acceleration?

Nope. The code either uses the GSSAPI encryption code (for krb5) or Samba's own arc4 code.

Jeremy.
Re: [Samba] Encryption
On Sat, Apr 17, 2010 at 7:32 PM, Rob Townley rob.town...@gmail.com wrote:
> On Sat, Apr 17, 2010 at 6:24 AM, Andrew Malton andrew.mal...@esentire.com wrote:
>> I want to (continue to) use Samba code to obtain data needed by my Linux client. This is currently done by calls into Samba's libraries. Unfortunately the resulting rpc traffic is unencrypted. I think this has to do with the configuration of encryption mechanisms on both sides, but perhaps (since when talking to older Windows systems, e.g. Windows 2000) encryption (with NTLM SSP I suppose) is used.
>>
>> Does Samba always use encryption when it can? or are there mechanisms that Windows can now insist on that Samba cannot use? If the latter, is improved support for protocol encryption a future plan for Samba development?
>>
>> Thanks for any help (in the form of pointers to documentation if there are things I've missed).
>
> Are you talking about calling mount -t cifs //samba/share /mnt/win ?
> Are you talking about kerberos user login?

Kerberos is designed for authentication, not encryption of data. The difference is pretty important for secure file sharing, although getting the password management into Kerberos is usually a very useful first step towards protecting your data, and it's lower hanging fruit: if your client or site cannot be convinced to even use this, your chances of implementing full secure file sharing are very low.

Samba is a very helpful implementation of CIFS, and I congratulate its authors. But CIFS was *not* built for data security. Encrypting such traffic would be an amazing performance hit on the server side. If you need secure data transfer, and do not need the kind of live sharing that CIFS or UNIX protocols like NFS provide, I'd urge you to use git for SSH based access to a central repository with local editing and full source control features. It's still a performance hit over direct file sharing, but it works well for interrupted connections to the primary document source, and I really like it for laptop or remote data center operation.

Alternatively, you might consider setting up VPN connections, especially for remote access to your Samba server. There's still a performance hit with a VPN, but it keeps the fun and games out of the file sharing software and leaves it in a hopefully lighter, cleaner, faster toolkit.
Re: [Samba] Encryption
On Sun, Apr 18, 2010 at 09:20:54AM -0400, Nico Kadel-Garcia wrote:
> Samba is a very helpful implementation of CIFS, and I congratulate its authors. But CIFS was *not* built for data security. Encrypting such traffic would be an amazing performance hit on the server side. If you need secure data transfer, and do not need the kind of live sharing that CIFS or UNIX protocols like NFS provide, I'd urge you to use git for SSH based access to a central repository with local editing and full source control features. It's still a performance hit over direct file sharing, but it works well for interrupted connections to the primary document source, and I really like it for laptop or remote data center operation.

Have you tried smbclient -e against a Samba server? :-)

Volker
Re: [Samba] Encryption
On Sun, Apr 18, 2010 at 9:24 AM, Volker Lendecke volker.lende...@sernet.de wrote:
> On Sun, Apr 18, 2010 at 09:20:54AM -0400, Nico Kadel-Garcia wrote:
>> Samba is a very helpful implementation of CIFS, and I congratulate its authors. But CIFS was *not* built for data security. Encrypting such traffic would be an amazing performance hit on the server side. If you need secure data transfer, and do not need the kind of live sharing that CIFS or UNIX protocols like NFS provide, I'd urge you to use git for SSH based access to a central repository with local editing and full source control features. It's still a performance hit over direct file sharing, but it works well for interrupted connections to the primary document source, and I really like it for laptop or remote data center operation.
>
> Have you tried smbclient -e against a Samba server? :-)
>
> Volker

*OH*. Thank you for the correction. This is what I get for being a busy camper for a few years: this was apparently introduced at Samba 3.2, and only made it to the RedHat Enterprise releases with RHEL 5. If I could get back all the time I've wasted supporting out of date stable servers in mixed environments, and being prevented from releasing new features because they're stable, I'd well, I'd have a lot more time for the Samba-3.5 testing I'm trying right now. Thanks.

Reviewing the docs, this tool requires Samba 3.2 or later on both the client and server sides. I'm therefore assuming that it's not compatible with a contemporary Windows fileserver: can you confirm this? Does anyone know if NetApp supports such encryption?
Re: [Samba] Encryption
On Sun, 2010-04-18 at 10:05 -0400, Nico Kadel-Garcia wrote:
> Reviewing the docs, this tool requires Samba 3.2 or later on both the client and server sides. I'm therefore assuming that it's not compatible with a contemporary Windows fileserver: can you confirm this? Does anyone know if NetApp supports such encryption?

It is an extension created by the Samba Team as part of unix extensions, and at the moment the only client that implements it is smbclient. Not even the in kernel cifs driver implements it. And we have no knowledge of any other implementer adopting it yet.

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer s...@samba.org
Principal Software Engineer at Red Hat, Inc. s...@redhat.com
Re: [Samba] Encryption
On Sun, Apr 18, 2010 at 09:20:54AM -0400, Nico Kadel-Garcia wrote:
> Samba is a very helpful implementation of CIFS, and I congratulate its authors. But CIFS was *not* built for data security. Encrypting such traffic would be an amazing performance hit on the server side. If you need secure data transfer, and do not need the kind of live sharing that CIFS or UNIX protocols like NFS provide, I'd urge you to use git for SSH based access to a central repository with local editing and full source control features. It's still a performance hit over direct file sharing, but it works well for interrupted connections to the primary document source, and I really like it for laptop or remote data center operation.

Ahem. We *do* implement encryption on the CIFS stream in the Samba server. Works well with smbclient -e option. All it needs is for the kernel client to implement it. It's not such a bad hit on the server side of things :-).

Jeremy.
Re: [Samba] Encryption
On Sat, Apr 17, 2010 at 6:24 AM, Andrew Malton andrew.mal...@esentire.com wrote:
> I want to (continue to) use Samba code to obtain data needed by my Linux client. This is currently done by calls into Samba's libraries. Unfortunately the resulting rpc traffic is unencrypted. I think this has to do with the configuration of encryption mechanisms on both sides, but perhaps (since when talking to older Windows systems, e.g. Windows 2000) encryption (with NTLM SSP I suppose) is used.
>
> Does Samba always use encryption when it can? or are there mechanisms that Windows can now insist on that Samba cannot use? If the latter, is improved support for protocol encryption a future plan for Samba development?
>
> Thanks for any help (in the form of pointers to documentation if there are things I've missed).

Are you talking about calling mount -t cifs //samba/share /mnt/win ?
Are you talking about kerberos user login?

Linux kerberos can talk any of the encryption protocols, including aes256. Fact is, WinXP cannot do AES for this, but it can talk the less secure RC4. At a win2000 domain level, you can talk RC4 or DES which was broken in 1998 by the EFF. A win2000 domain will offer DES as a kerberos option but will tell winclients via Group Policy Objects to never use DES.

http://blogs.msdn.com/alextch/archive/tags/AD+Interop/default.aspx

Watch this video.
http://blogs.msdn.com/alextch/archive/2006/07/18/MITtoADRC4.aspx

Samba
Re: [Samba] Encryption
On Tue, Dec 01, 2009 at 10:01:57AM -0600, Cameron Laird wrote:
> What are the prospects for smb transport encryption? Where can I learn more?

It's implemented via the UNIX extension mechanism between smbclient and smbd for versions of Samba 3.2.x and greater. Not yet implemented in the Linux CIFSFS client or MacOSX client.

Jeremy.
Re: [Samba] Encryption
On Tue, 5 Nov 2002, Howard Huntley Jr. wrote:
> I compiled the source. My understanding is that the encryption support has to be compiled into the binary. If not, the encrypt passwords = Yes function in smb.conf is meaningless.

No. Encryption support is native to Samba since version 2.0.x. You need to add your root account to smbpasswd:

    smbpasswd -a root

then do the same for every user who needs to use samba.

- John T.

> - Original Message -
> From: John H Terpstra [EMAIL PROTECTED]
> To: Howard Huntley Jr [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Sent: Monday, November 04, 2002 11:27 PM
> Subject: Re: [Samba] Encryption
>
> On Tue, 5 Nov 2002, Howard Huntley Jr wrote:
>> I got my Samba compiled and I am seeing the Sun v9 shares in win2k. I basically have an open samba system. I do not have encryption support compiled into the binaries. I have looked high and low for the instructions. Will anyone tell me which changes to make in the make file in order to get the encryption support compiled into the binary? When and how or do I need to get the Smbpassword going?? Why is there so much of the old documentation included with the samba files and so little regarding getting the encryption going?
>
> The encryption config should be the default. Please check the man page for smb.conf - it is up to date. You want to check for encrypt passwords = Yes function in smb.conf.
>
> - John T.
> --
> John H Terpstra Email: [EMAIL PROTECTED]

--
John H Terpstra Email: [EMAIL PROTECTED]

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba