David Ramos
2017-Feb-16 09:37 UTC
[Samba] Potential contribution: FUSE client w/ SMB3 encryption support
Hello,

My team is in search of a way to mount SMB3/CIFS shares from a Linux client with encryption enabled (and with reasonable performance). After some research, it appears that the kernel CIFS client (mount.cifs) lacks encryption support, while the Samba client library (libsmbclient) doesn't offer mount functionality.

Looking at the recent commit "examples: Add smb2mount" (https://github.com/samba-team/samba/commit/3b97211d1854b208afae711cc8804dd28ff1e532), it seems that a FUSE client may be the best avenue for implementing a Samba VFS that is compatible with newer features such as end-to-end encryption.

Is there community interest in supporting such a project (and/or is smb2mount intended to become a full-fledged effort)? My team may have resources to contribute toward this project in a few months.

In the meantime, I would appreciate any thoughts or suggestions from the Samba team and community. How significant of an undertaking would this be? Are there any major pitfalls I should be aware of up front?

Thanks,
-David
Aurélien Aptel
2017-Feb-16 11:02 UTC
[Samba] Potential contribution: FUSE client w/ SMB3 encryption support
Hi David,

David Ramos via samba <samba at lists.samba.org> writes:
> My team is in search of a way to mount SMB3/CIFS shares from a Linux
> client with encryption enabled (and with reasonable
> performance). After some research, it appears that the kernel CIFS
> client (mount.cifs) lacks encryption support, while the Samba client
> library (libsmbclient) doesn't offer mount functionality.

Encryption support in cifs.ko was recently merged in Steve's for-next branch, which means it will be merged in Linus' tree during the v4.11 merge window. So you'll have to wait for the v4.11 release (around May?) and/or backport it.

The patch itself adds the 'seal' mount option to enforce encryption. If the share requires it, it's automatically enabled.

In terms of performance you can expect 1/3 of the xfer speed when you enable encryption on an SMB3 connection. This could be improved if aes-128-gcm is implemented.

--
Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97 8C99 03C8 A49B 521B D5D3
SUSE Linux GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany
GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
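As an added example (not part of the thread and not Samba or kernel code), the check below reads fstab-style lines on stdin and reports which CIFS entries request the 'seal' option described in the message above. The host names, paths and sample table are constructed for illustration.

```shell
#!/bin/sh
# Report CIFS entries in an fstab-style table that do not request 'seal'.
# Input (stdin): device  mountpoint  fstype  options  [dump pass]
# Output: "OK <mountpoint>" or "NOSEAL <mountpoint>" per cifs entry.
# Exit status: 1 if at least one cifs entry lacks 'seal', else 0.
audit_cifs_seal() {
    awk '
        /^[[:space:]]*#/ || NF < 4 { next }    # skip comments and short lines
        $3 == "cifs" {
            n = split($4, opts, ",")
            sealed = 0
            # exact match on the option name, not a substring search
            for (i = 1; i <= n; i++) if (opts[i] == "seal") sealed = 1
            if (sealed) {
                print "OK " $2
            } else {
                print "NOSEAL " $2
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample table (hypothetical hosts and paths).
sample_table() {
    cat <<'EOF'
# device                      mountpoint    type  options                                 dump pass
//fs01.example.test/finance   /mnt/finance  cifs  credentials=/etc/smb.cred,vers=3.0,seal 0 0
//fs01.example.test/public    /mnt/public   cifs  credentials=/etc/smb.cred,vers=3.0      0 0
nas01.example.test:/export    /mnt/nfs      nfs   ro                                      0 0
EOF
}

sample_table | audit_cifs_seal || echo "at least one CIFS entry does not enforce encryption"
```

An entry reported as NOSEAL can still end up encrypted when the share itself requires it, as the message notes; the check only shows where the client side does not enforce it.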
Volker Lendecke
2017-Feb-16 11:36 UTC
[Samba] Potential contribution: FUSE client w/ SMB3 encryption support
On Thu, Feb 16, 2017 at 01:37:59AM -0800, David Ramos via samba wrote:
> My team is in search of a way to mount SMB3/CIFS shares from a Linux
> client with encryption enabled (and with reasonable performance).
> After some research, it appears that the kernel CIFS client
> (mount.cifs) lacks encryption support, while the Samba client
> library (libsmbclient) doesn't offer mount functionality.
>
> Looking at the recent commit "examples: Add smb2mount"
> (https://github.com/samba-team/samba/commit/3b97211d1854b208afae711cc8804dd28ff1e532),
> it seems that a FUSE client may be the best avenue for implementing
> a Samba VFS that is compatible with newer features such as
> end-to-end encryption.

This was the initial starting point for me to start exploring this idea. Having a good client in user space makes it easier to experiment, and has the potential to also work on other platforms such as FreeBSD.

Any contribution to this would be highly appreciated!

Volker
Jeremy Allison
2017-Feb-16 18:26 UTC
[Samba] Potential contribution: FUSE client w/ SMB3 encryption support
On Thu, Feb 16, 2017 at 01:37:59AM -0800, David Ramos via samba wrote:
> Hello,
>
> My team is in search of a way to mount SMB3/CIFS shares from a Linux client with encryption enabled (and with reasonable performance). After some research, it appears that the kernel CIFS client (mount.cifs) lacks encryption support, while the Samba client library (libsmbclient) doesn't offer mount functionality.
>
> Looking at the recent commit "examples: Add smb2mount" (https://github.com/samba-team/samba/commit/3b97211d1854b208afae711cc8804dd28ff1e532), it seems that a FUSE client may be the best avenue for implementing a Samba VFS that is compatible with newer features such as end-to-end encryption.
>
> Is there community interest in supporting such a project (and/or is smb2mount intended to become a full-fledged effort)? My team may have resources to contribute toward this project in a few months.

Yes, any work you do here will be greatly appreciated and reviewed and merged as appropriate (i.e. I'll certainly make it a priority to get in, but can't promise anything without actually evaluating the code :-).

Thanks *SO MUCH* for offering help on this, it's something that will be very valuable moving forward.

Cheers,
Jeremy.