Potential contribution: FUSE client w/ SMB3 encryption support

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Potential contribution: FUSE client w/ SMB3 encryption support

Samba - General mailing list
Hello,

My team is in search of a way to mount SMB3/CIFS shares from a Linux client with encryption enabled (and with reasonable performance). After some research, it appears that the kernel CIFS client (mount.cifs) lacks encryption support, while the Samba client library (libsmbclient) doesn't offer mount functionality.

Looking at the recent commit "examples: Add smb2mount" (https://github.com/samba-team/samba/commit/3b97211d1854b208afae711cc8804dd28ff1e532), it seems that a FUSE client may be the best avenue for implementing a Samba VFS that is compatible with newer features such as end-to-end encryption.

Is there community interest in supporting such a project (and/or is smb2mount intended to become a full-fledged effort)? My team may have resources to contribute toward this project in a few months.

In the meantime, I would be appreciate any thoughts or suggestions from the Samba team and community. How significant of an undertaking would this be? Are there any major pitfalls I should be aware of up front?

Thanks,
-David


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: Potential contribution: FUSE client w/ SMB3 encryption support

Samba - General mailing list
Hi David,

David Ramos via samba <[hidden email]> writes:
> My team is in search of a way to mount SMB3/CIFS shares from a Linux
> client with encryption enabled (and with reasonable
> performance). After some research, it appears that the kernel CIFS
> client (mount.cifs) lacks encryption support, while the Samba client
> library (libsmbclient) doesn't offer mount functionality.

Encryption support in cifs.ko was recently merged in Steve's for-next
branch, which means it will be merged in Linus tree during the v4.11
merge window. So you'll have to wait for the v4.11 release (around May
?) and/or backport it.

The patch itself adds the 'seal' mount option to enforce encryption. If
the share requires it, it's automatically enabled.

In terms of performance you can expect a 1/3 or the xfer speed when you
enable encryption on a SMB3 connexion. This could be improved if
aes-128-gcm is implemented.

--
Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97  8C99 03C8 A49B 521B D5D3
SUSE Linux GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany
GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: Potential contribution: FUSE client w/ SMB3 encryption support

Samba - General mailing list
In reply to this post by Samba - General mailing list
On Thu, Feb 16, 2017 at 01:37:59AM -0800, David Ramos via samba wrote:

> My team is in search of a way to mount SMB3/CIFS shares from a Linux
> client with encryption enabled (and with reasonable performance).
> After some research, it appears that the kernel CIFS client
> (mount.cifs) lacks encryption support, while the Samba client
> library (libsmbclient) doesn't offer mount functionality.
>
> Looking at the recent commit "examples: Add smb2mount"
> (https://github.com/samba-team/samba/commit/3b97211d1854b208afae711cc8804dd28ff1e532),
> it seems that a FUSE client may be the best avenue for implementing
> a Samba VFS that is compatible with newer features such as
> end-to-end encryption.

This was the initial starting point for me to start exploring this
idea. Having a good client in user space makes it easier to
experiment, and has the potential to also work on other platforms such
as FreeBSD. Any contribution to this would be highly appreciated!

Volker

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: Potential contribution: FUSE client w/ SMB3 encryption support

Samba - General mailing list
In reply to this post by Samba - General mailing list
On Thu, Feb 16, 2017 at 01:37:59AM -0800, David Ramos via samba wrote:
> Hello,
>
> My team is in search of a way to mount SMB3/CIFS shares from a Linux client with encryption enabled (and with reasonable performance). After some research, it appears that the kernel CIFS client (mount.cifs) lacks encryption support, while the Samba client library (libsmbclient) doesn't offer mount functionality.
>
> Looking at the recent commit "examples: Add smb2mount" (https://github.com/samba-team/samba/commit/3b97211d1854b208afae711cc8804dd28ff1e532), it seems that a FUSE client may be the best avenue for implementing a Samba VFS that is compatible with newer features such as end-to-end encryption.
>
> Is there community interest in supporting such a project (and/or is smb2mount intended to become a full-fledged effort)? My team may have resources to contribute toward this project in a few months.

Yes, any work you do here will be greatly
appreciated and reviewed and merged as
appropriate (i.e. I'll certainly make
it a priority to get in, but can't promise
anything without actually evaluating the
code :-).

Thanks *SO MUCH* for offering help on
this, it's something that will be very
valuable moving forward.

Cheers,

        Jeremy.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba