Re: encryption on network

On 07/28/2011 09:11 PM, Dominic Dougherty wrote:
Thanks guys,

I know this is an interesting one and more than one way to solve it.

1.) install a vpn server which is natively supported by any windows machine (PPTP or L2TP or IPSEC) on the samba server and establish a vpn connection to the samba server.

I actually prefer OpenVPN, since it runs well on so many platforms, but it's important to go with whichever technology you are most comfortable running.

2.) the newer version of samba supports SSL. However, the only valid client for this is smbclient. Not supported by the "net use" command.

This, as Jeremy so rightly pointed out, is based on the Unix extensions to SMB.

I whined earlier that there is no specification for this feature, but we spent almost twenty years without a real specification for SMB itself. Even now, the [MS-SMB] and [MS-CIFS] docs from Microsoft are written to reflect Windows behavior. That is, the spec. has to match the product, not the other way 'round.

3.) use sshfs on the samba server and install putty on the local windows box and use port forwarding to connect to the samba share.
4.) configure ipsec on the windows network

These are really just alternative ways of setting up a VPN.

5.) use webdav on apache with https

That would move you away from the SMB protocol entirely.

6.) using stunnel and Microsoft loopback adapter encrypt traffic.

Same as 1, 3, and 4.

I was hoping to get something working without installing anything extra on the client and which could be natively supported by windows.

No such puppy.

CIFS is supposed to support encryption, I would have to check up on that.

If you mean CIFS the Linux file system, then you are correct. It supports the Unix extensions to SMB and so, therefore, should support encrypted SMB traffic. There just hasn't been time to add that feature yet.

If you mean CIFS the alternative name for the SMB protocol, then no. I was lead author of Microsoft's [MS-CIFS] and [MS-SMB] specifications so I am quite sure about this. There's no encryption of file data in the protocol...dangit.

Chris -)-----

-----Original Message-----
From: Steve French [mailto:smfrench@xxxxxxxxx]
Sent: Thursday, July 28, 2011 9:23 PM
To: Christopher R. Hertel
Cc: Jeremy Allison; Dominic Dougherty; samba-technical@xxxxxxxxxxxxxxx; linux-cifs@xxxxxxxxxxxxxxx
Subject: Re: encryption on network

On Thu, Jul 28, 2011 at 7:26 PM, Christopher R. Hertel <crh@xxxxxxxxxxxx> wrote:
Jeremy Allison wrote:
:
Right, but the question particularly listed WinXP as one of the
participating clients.  Windows clients don't support the Unix extensions,
so they don't support encrypted SMB and that kinda ruins the whole thing,
eh?  [sad face]

Yes I realize that. But that's not what you said. You said:
"The SMB protocol does not provide any mechanism for encrypting traffic
between clients and servers." - but that's not generically true,
only between *Microsoft* clients and servers.

Well... technically the SMB protocol (as it exists today) is defined by the
Microsoft specifications, and they don't include any support for encryption.

There is, unfortunately, no "official" specification of the Unix extensions
for SMB (only an old draft that doesn't include encryption, IIRC).  Also, as
their name suggests, they're extensions to the protocol which means that
they're not part of the protocol itself.

You made it sound like that was definitive, and you are the
acknowledged authority on CIFS/SMB, so I couldn't let that
stand. People link to your posts here :-).

Absolutely right to set the record straight.  I should have added the caveat
that the Unix extensions include support for encryption.

Please allow me to join the choir on that.  (I'll sit at the back and not
get in anyone's way.)  [winky face]

Maybe if we all wish REALLY HARD, Steve and Jeff will hear
us.. :-).

Don't forget to click your heels together and burn the tana leaves when the
moon is full over Vermont.  ;)

I haven't forgotten ... just queued up behind reviewing ~10 other patches.



--
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/     -)-----   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-----   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/     -)-----   crh@xxxxxxxxxxxx
OnLineBook -- http://ubiqx.org/cifs/    -)-----   crh@xxxxxxxxx