David Ramos
2017-Feb-16 09:37 UTC
[Samba] Potential contribution: FUSE client w/ SMB3 encryption support
Hello, My team is in search of a way to mount SMB3/CIFS shares from a Linux client with encryption enabled (and with reasonable performance). After some research, it appears that the kernel CIFS client (mount.cifs) lacks encryption support, while the Samba client library (libsmbclient) doesn't offer mount functionality. Looking at the recent commit "examples: Add smb2mount" (https://github.com/samba-team/samba/commit/3b97211d1854b208afae711cc8804dd28ff1e532), it seems that a FUSE client may be the best avenue for implementing a Samba VFS that is compatible with newer features such as end-to-end encryption. Is there community interest in supporting such a project (and/or is smb2mount intended to become a full-fledged effort)? My team may have resources to contribute toward this project in a few months. In the meantime, I would be appreciate any thoughts or suggestions from the Samba team and community. How significant of an undertaking would this be? Are there any major pitfalls I should be aware of up front? Thanks, -David
Aurélien Aptel
2017-Feb-16 11:02 UTC
[Samba] Potential contribution: FUSE client w/ SMB3 encryption support
Hi David, David Ramos via samba <samba at lists.samba.org> writes:> My team is in search of a way to mount SMB3/CIFS shares from a Linux > client with encryption enabled (and with reasonable > performance). After some research, it appears that the kernel CIFS > client (mount.cifs) lacks encryption support, while the Samba client > library (libsmbclient) doesn't offer mount functionality.Encryption support in cifs.ko was recently merged in Steve's for-next branch, which means it will be merged in Linus tree during the v4.11 merge window. So you'll have to wait for the v4.11 release (around May ?) and/or backport it. The patch itself adds the 'seal' mount option to enforce encryption. If the share requires it, it's automatically enabled. In terms of performance you can expect a 1/3 or the xfer speed when you enable encryption on a SMB3 connexion. This could be improved if aes-128-gcm is implemented. -- Aurélien Aptel / SUSE Labs Samba Team GPG: 1839 CB5F 9F5B FB9B AA97 8C99 03C8 A49B 521B D5D3 SUSE Linux GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
Volker Lendecke
2017-Feb-16 11:36 UTC
[Samba] Potential contribution: FUSE client w/ SMB3 encryption support
On Thu, Feb 16, 2017 at 01:37:59AM -0800, David Ramos via samba wrote:> My team is in search of a way to mount SMB3/CIFS shares from a Linux > client with encryption enabled (and with reasonable performance). > After some research, it appears that the kernel CIFS client > (mount.cifs) lacks encryption support, while the Samba client > library (libsmbclient) doesn't offer mount functionality. > > Looking at the recent commit "examples: Add smb2mount" > (https://github.com/samba-team/samba/commit/3b97211d1854b208afae711cc8804dd28ff1e532), > it seems that a FUSE client may be the best avenue for implementing > a Samba VFS that is compatible with newer features such as > end-to-end encryption.This was the initial starting point for me to start exploring this idea. Having a good client in user space makes it easier to experiment, and has the potential to also work on other platforms such as FreeBSD. Any contribution to this would be highly appreciated! Volker
Jeremy Allison
2017-Feb-16 18:26 UTC
[Samba] Potential contribution: FUSE client w/ SMB3 encryption support
On Thu, Feb 16, 2017 at 01:37:59AM -0800, David Ramos via samba wrote:> Hello, > > My team is in search of a way to mount SMB3/CIFS shares from a Linux client with encryption enabled (and with reasonable performance). After some research, it appears that the kernel CIFS client (mount.cifs) lacks encryption support, while the Samba client library (libsmbclient) doesn't offer mount functionality. > > Looking at the recent commit "examples: Add smb2mount" (https://github.com/samba-team/samba/commit/3b97211d1854b208afae711cc8804dd28ff1e532), it seems that a FUSE client may be the best avenue for implementing a Samba VFS that is compatible with newer features such as end-to-end encryption. > > Is there community interest in supporting such a project (and/or is smb2mount intended to become a full-fledged effort)? My team may have resources to contribute toward this project in a few months.Yes, any work you do here will be greatly appreciated and reviewed and merged as appropriate (i.e. I'll certainly make it a priority to get in, but can't promise anything without actually evaluating the code :-). Thanks *SO MUCH* for offering help on this, it's something that will be very valuable moving forward. Cheers, Jeremy.
Seemingly Similar Threads
- mount.cifs fails with protocol SMBv2.x on a DFS share
- Fwd: mounting a windows share on a linux client using mount.cifs with encryption
- Require SMB3 encrypted transport on share level or globally
- Encrypted samba mount on Linux
- Using Access Control Lists with SMB2/SMB3 Mounts on Linux Clients