Forcing Samba Encryption from the Server

(This article corresponded to the best of my knowledge, on February 16, 2016. Please forgive me as I will correct some of my mistakes, and yield a more-satisfying answer to my own question… )

I have recently been digging into the settings of my /etc/samba/smb.conf file, in an effort to tighten up its security.

One fact about Samba which I don’t particularly like, is that too many options are controlled from the client. Thus, on my Samba 3.2 client I had the [Global] option set as a default:

client use spnego = yes

What this did successfully, was secure the way in which the password is authenticated, without exposing it. It causes the server to invoke Kerberos. Additionally, it is possible to set

client NTLMv2 auth = yes

which is default on Samba 4, but which was not set by default on Samba 3 clients. This asks the server for NTLMv2 if available, which is the Windows default for SMB2. It was not set in older Samba clients, to improve compatibility with older SMB shares.

( 03/26/2018 :

The above paragraph really just stated a misconception of mine. The order in which authentication schemes have evolved, is something like:

  1. LAN-Man, aka NTLMv1, NTLMv2,
  2. SMB1, aka NT1,
  3. SMB2 and SMB3 Under One Hat.

The first of these three authentication schemes should really be avoided these days, unless we need to network Windows 98 machines, because NTLMv2 etc., are really quite insecure.

The second scheme has represented the mainstream of how Linux has adopted SMB in its Samba software-suite. But, because the Windows version of SMB1 lacked transport encryption, Linux specifically devised its own solution to that, which only works with Linux implementations of SMB1. This is what the ‘smbclient’ command-line program will use, as well as the ‘Smb4K’ GUI-application.

The third flavor of Samba, is what has come to Samba v4 anew, which is an attempt to keep up with the Windows version of ‘SMB with encryption’. If configured to do so, Dolphin will attempt to emulate SMB3. But Dolphin currently fails to query the Master-Browser, if the Master-Browser is just a Linux, Samba 4 server, that has been configured to insist on implementing SMB3. In that case, an error can take place in which Dolphin can connect to specific Servers if their Names are known, but just not view the entire network neighborhood. )

But all that these options allow, is for the initial negotiation to be secured, by which an SMB share is connected. Further, it allows for a possible, later encryption key to be determined in a secure way.

A commonly-known fact about Samba, is that whether the actual exchange of data is encrypted, is determined by default by the client. The actual ‘smbclient’ command-line under Linux accepts the -e flag to do so. And under Windows 7 and 8, the use of 128-bit encryption is default, again set on the client. There are some people who cannot use this, because they are connecting to an older Samba server from Win 7 or 8 as the client, but I like the fact that this is enabled.

Yet, when I connected to my Samba server from a Linux client, not from the command-line, but from within the KDE browser, either ‘Konqueror’ or ‘Dolphin’, these GUI network browsers did not set encryption by default.

Therefore, the possibility still existed that I could be using a Linux client, and not benefiting from encryption in those cases. And so one setting on the server which I found could be helpful, was

smb encrypt = mandatory

This is a [Share] section setting on the server to force encryption, instead of the client deciding. In the case of my Windows clients, this produces no new behavior. But in the case of my Linux (Samba 3) client, it does produce new behavior.

My only personal problem with this setting is, that I don’t know of any Android SMB browsers that support share-level, data encryption. Putting this setting on my server, and then giving the command

smbcontrol smbd reload-config

simply causes all my Android SMB browsers to fail at connecting, apparently. And so one thing I needed to do after all, was to disable this setting, and consciously leave myself open to the possibility, that some of my exchanged data will not be encrypted (especially data exchanged with an Android device).


(Edit : ) I have been trying to obtain some sort of closure on this subject, by putting the configuration lines

smb encrypt = mandatory
guest ok = no

into the [Homes] section.

However, I found that this does not resolve my issue completely, for three reasons:

1) The [Homes] section works differently from how I had thought. It actually determines which service is being asked for explicitly by the client, and then either clones the section specific to that share, or creates one on-the-fly.

2) Even if I create a different share specifically to have these options, the KDE 3 Konqueror GUI and the KDE 4 Dolphin GUI seem unable to abide by it, while the ‘smbclient’ command-line does so without problems. And so what I’ll need to accept, is that KDE 3/4 Samba browsing will simply need to remain without data encryption…

3) What this option does seems to differ, depending on whether the client is asking for SMB1, SMB2, or SMB3.

With SMB1, a form of encryption is possible, which only exists in the case of Linux, and which is invoked by the ‘smbclient’ command-line as described above.

With SMB2, this feature either seems to be broken or isn’t available.

And with SMB3, this feature actually works. Thus, the only client which seems to be fully compatible with this special share, is my Windows 8.1 laptop.


(Edit 03/15/2016 : ) Due to recent upgrades to the Samba server suite (v 2:4.1.17+dfsg-2+deb8u2 ), I can no longer recommend that older clients be set to use NTLMv2. On the newer server, this mode only exists to provide compatibility with Windows clients. It only seems to work for me if password encryption is generally required by the server, but if the protocol is left open on the client. That way, a specific negotiation can use ‘Kerberos’ if necessary.

(Update 03/26/2018 : )

By now I have both v4.2 and v4.5 Samba Servers, and reasonably current Dolphin file-browsers. The solution that works best for me now is, to set:

smb encrypt = enabled

Globally, but to set:

smb encrypt = desired

on a Per-Share basis.

What this will do, if I’ve configured each Dolphin file-browser to use SMB3, is announce to the server that the client is SMB3-capable. In response, the server will enforce encryption. In that case, older clients, Android clients, or the ‘smbclient’ command-line, will only announce SMB1-capability, and encryption will not take effect. And this mixed result is my replacement, for GUI-based clients that would allow their user to select encryption, and which do not seem available.

In order to force my Dolphin clients to offer SMB3 in this way, I have created the file ‘~/.smb/smb.conf’, which contains the following lines of text:
   client max protocol = SMB3
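
The layering used above (a share inherits ‘smb encrypt’ from [global] unless it sets its own value, and [homes] is cloned into a per-user share on demand, as point 1 of the earlier edit describes) can be checked mechanically before reloading smbd. The following Python script is an added example, not code from this post or from the Samba project. It parses a constructed smb.conf fragment, computes the effective ‘smb encrypt’ level of every share, resolves which section would serve a given request, and lists the shares a client could still use unencrypted. The value aliases in ENCRYPT_LEVEL (off, enabled/auto/if_required, desired, required/mandatory) and the treatment of an unset value as ‘enabled’ are my reading of the Samba parameter, not something the post states.

```python
"""Audit the effective 'smb encrypt' level of each share in an smb.conf.
Added example, not from the post or from the Samba project; the sample
configuration below is constructed for the demonstration."""
import re
import sys

SAMPLE_SMB_CONF = """\
# constructed sample, not the blog author's real configuration
[global]
   workgroup = WORKGROUP
   server min protocol = SMB2
   smb encrypt = enabled

[homes]
   comment = Home Directories
   browseable = no
   guest ok = no
   smb encrypt = desired

[public]
   path = /srv/samba/public
   guest ok = yes

[private]
   path = /srv/samba/private
   guest ok = no
   smb encrypt = mandatory
"""

# Value spellings mapped onto four behaviours. The alias list is my reading
# of the smb.conf man page (an assumption), not something the post states.
ENCRYPT_LEVEL = {
    "off": "off", "no": "off", "false": "off",
    "enabled": "enabled", "auto": "enabled", "if_required": "enabled",
    "default": "enabled",
    "desired": "desired",
    "required": "required", "mandatory": "required",
}
SPECIAL_SECTIONS = ("global", "homes", "printers")


def _norm(name):
    """Samba parameter names ignore case and whitespace ('SMB Encrypt' == 'smbencrypt')."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Parse the INI-like syntax: [section] headers, 'name = value' lines;
    lines starting with '#' or ';' are comments. Returns {section: {param: value}}."""
    conf, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+?)\]", line)
        if header:
            current = header.group(1).strip().lower()
            conf.setdefault(current, {})
        elif current is not None and "=" in line:
            name, value = line.split("=", 1)
            conf[current][_norm(name)] = value.strip()
    return conf


def effective(conf, share, param):
    """Share-level value if set, else the [global] value, else None:
    a share-level setting overrides the global one of the same name."""
    key = _norm(param)
    return conf.get(share, {}).get(key, conf.get("global", {}).get(key))


def encryption_level(conf, share):
    """Effective behaviour for a share: off, enabled, desired or required.
    An unset parameter is treated as the implicit default ('enabled')."""
    value = (effective(conf, share, "smb encrypt") or "default").lower()
    return ENCRYPT_LEVEL.get(value, "unknown:" + value)


def resolve_share(conf, requested, local_users):
    """Section that would serve a request for 'requested': an explicitly
    defined share wins; otherwise a local user name is served by cloning
    [homes] on the fly (the behaviour the post's point 1 describes)."""
    name = requested.lower()
    if name in conf and name not in SPECIAL_SECTIONS:
        return name
    if name in local_users and "homes" in conf:
        return "homes"
    return None


def shares_not_requiring_encryption(conf):
    """Shares (including the [homes] template) a client may use unencrypted."""
    return sorted(s for s in conf if s != "global"
                  and encryption_level(conf, s) != "required")


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SMB_CONF
    cfg = parse_smb_conf(text)
    for share in cfg:
        if share != "global":
            print(f"{share:10s} smb encrypt -> {encryption_level(cfg, share):8s} "
                  f"guest ok = {effective(cfg, share, 'guest ok') or 'no'}")
    print("not requiring encryption:", shares_not_requiring_encryption(cfg))
```

Run it with the path of a real smb.conf as the only argument to see which shares would still accept unencrypted data; with no argument it audits the constructed sample, where only [private] comes out as ‘required’.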

A Potential Solution to DynDNS Update Client

This posting is about the error messages which many users of “DynDNS” Automatic Update Client have reported, and which were also preventing my own update client from doing its job. The error messages were of the form:

API Request Failed. Status 500 Method ipaddress.get

Some sources on the Web suggested this had to do with their user-names and passwords on the DynDNS server being corrupted, and performed a reset of those. Other sources reported, that if they switched the configuration of their IPv4 and IPv6 fields to ‘Static’, and then back to ‘Automatic’, they could get the updates to resume.

Unfortunately, neither of those solutions worked for me. And in order to illustrate why, and what can go wrong, I must first explain my configuration in greater detail.

I have the internal loopback interface named ‘lo’, the real interface named ‘eth0’ (which only has an invalid, LAN IPv4 address), and the virtual interface named ‘teredo’ (which offers a tunneled IPv6 address). In the configuration of my DynDNS host, on the client program version 5.2.0-2, the choices for both IPv4 and IPv6 are ‘Disable’, ‘Automatic’, ‘Local Interface’, and ‘Static’. The key to understanding the problem in my case only became obvious, when I tried to configure ‘Local Interface’. The drop-down menu only offered me the choice between interfaces ‘lo’ and ‘eth0’, with ‘lo’ being the default.

Hence, the Python script was written to disregard the virtual interfaces on my host, including the interface ‘teredo’, which is providing IPv6. And additionally, with both IP versions set to ‘Automatic’, it did not recognize which of my interfaces to use for IPv4.

The solution for me was, to set the IPv4 resolution to ‘Automatic’. Next, the only way for me to set my IPv6, is manually through ‘Static’, which I can read from the root command

ifconfig -a

Granted, to have to set my IPv6 address manually is not ideal. But what was worse, was the fact that my IPv4 was not being updated automatically, which it now knows how to do.

I hope this insight helps some other users, who may have run into this ubiquitous error message for different reasons. I don’t really see, why we wouldn’t at least want to set the ‘Interface’ manually – except for cases where that has been NATted – and I guess IPv6 resolution is meant for users, who have a ‘Native IPv6’ and not a ‘Teredo Tunnel’.
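
To make the interface-selection problem concrete: the script below is an added example, not the DynDNS client's code, and it works from a constructed ‘ifconfig -a’ listing in the net-tools format Debian 8 printed (the addresses and MAC in it are made up). It keeps every interface, virtual ones included, discards only loopback and link-local addresses, and returns one IPv4 and one IPv6 candidate, flagging an RFC 1918 IPv4 address (the DNS record would then need the router's public address, the NATted case mentioned above) and a Teredo IPv6 address (tunnelled rather than native). The decision to skip addresses by scope rather than whole interfaces by name is mine.

```python
"""Pick dynamic-DNS candidate addresses from 'ifconfig -a' output.
Added example, not the DynDNS client's code. The sample output below is
constructed in the net-tools format; nothing in it is a real host."""
import ipaddress
import re

SAMPLE_IFCONFIG = """\
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1

eth0      Link encap:Ethernet  HWaddr 02:00:00:00:00:01
          inet addr:192.168.1.10  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::ff:fe00:1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

teredo    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet6 addr: 2001:0:53aa:64c:1234:5678:3f57:fe9a/32 Scope:Global
          inet6 addr: fe80::ffff:ffff:ffff/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1280  Metric:1
"""

TEREDO = ipaddress.ip_network("2001::/32")  # RFC 4380 Teredo prefix


def parse_ifconfig(text):
    """Return {iface: [ip_address, ...]} from net-tools style output.
    A line that starts in column 0 begins a new interface block; indented
    lines carry that interface's 'inet addr:' and 'inet6 addr:' entries."""
    interfaces, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():
            current = line.split()[0]
            interfaces[current] = []
            continue
        if current is None:
            continue
        m4 = re.search(r"inet addr:(\S+)", line)
        m6 = re.search(r"inet6 addr: (\S+)/\d+", line)
        if m4:
            interfaces[current].append(ipaddress.ip_address(m4.group(1)))
        elif m6:
            interfaces[current].append(ipaddress.ip_address(m6.group(1)))
    return interfaces


def candidate_addresses(interfaces):
    """Choose one IPv4 and one IPv6 address suitable for a DNS update.
    Loopback and link-local addresses are never usable. An RFC 1918 IPv4
    address is flagged 'nat' because the public record would need the
    router's address instead; a Teredo IPv6 address is flagged so the
    caller knows it is tunnelled, not native."""
    result = {"ipv4": None, "ipv6": None}
    for iface, addrs in interfaces.items():
        for ip in addrs:
            if ip.is_loopback or ip.is_link_local:
                continue
            if ip.version == 4 and result["ipv4"] is None:
                result["ipv4"] = {"iface": iface, "addr": str(ip),
                                  "nat": ip.is_private}
            elif ip.version == 6 and result["ipv6"] is None:
                result["ipv6"] = {"iface": iface, "addr": str(ip),
                                  "teredo": ip in TEREDO}
    return result


if __name__ == "__main__":
    # On a real host: parse_ifconfig(subprocess.check_output(["ifconfig", "-a"], text=True))
    found = candidate_addresses(parse_ifconfig(SAMPLE_IFCONFIG))
    for version, info in found.items():
        print(version, info)
```

On the constructed listing the IPv4 candidate is the LAN address on ‘eth0’ with the NAT flag set, and the IPv6 candidate is the ‘teredo’ address that the update client's interface menu never offered.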


I no longer have an IPv6 address.

This morning, the Teredo server I subscribed to, refused permission to my client, to obtain an IPv6 address via proxy, with no explanation given. Therefore, I have discontinued my use of IPv6 addresses.

It’s no big deal, because nobody was connecting to my server anyway, using IPv6.
