This global option configures Samba to use SSL for communication between itself and clients. The default value of this option is no. You can reset it as follows:

[global]
	ssl = yes

Note that in order to use this option, you must have a proxy for Windows 95/98 clients, such as in the model presented earlier in this chapter.

This option specifies the hosts that will be forced into using SSL. The syntax for specifying hosts and addresses is the same as the hosts allow and the hosts deny configuration options. For example:

[global]
	ssl = yes
	ssl hosts = 192.168.220.

This example specifies that all hosts that fall into the 192.168.220 subnet must use SSL connections with the client. This type of structure is useful if you know that various connections will be made by a subnet that lies across an untrusted network, such as the Internet. If neither this option nor the ssl hosts resign option has been specified, and ssl is set to yes, Samba will allow only SSL connections from all clients.

This option specifies the hosts that will not be forced into SSL mode. The syntax for specifying hosts and addresses is the same as the hosts allow and the hosts deny configuration options. For example:

[global]
	ssl = yes
	ssl hosts resign = 160.2.310. 160.2.320.

This example specifies that all hosts that fall into the 160.2.310 or 160.2.320 subnets will not use SSL connections with the client. If neither this option nor the ssl hosts option has been specified, and ssl is set to yes, Samba will allow only SSL connections from all clients.

This option specifies the directory containing the certificate authority’s certificates that Samba will use to authenticate clients. There must be one file in this directory for each certificate authority, named as specified earlier in this chapter. Any other files in this directory are ignored. For example:

[global]
	ssl = yes
	ssl hosts = 192.168.220.
	ssl CA certDir = /usr/local/samba/cert

There is no default for this option. You can alternatively use the option ssl CA certFile if you wish to place all the certificate authority information in the same file.

This option specifies a file that contains the certificate authority’s certificates that Samba will use to authenticate clients. This option differs from ssl CA certDir in that there is only one file used for all the certificate authorities. An example of its usage follows:

[global]
	ssl = yes
	ssl hosts = 192.168.220.
	ssl CA certFile = /usr/local/samba/cert/certFile

There is no default for this option. You can also use the option ssl CA certDir if you wish to have a separate file for each certificate authority that Samba trusts.

This option specifies the location of the server’s certificate. This option is mandatory; the server must have a certificate in order to use SSL. For example:

[global]
	ssl = yes
	ssl hosts = 192.168.220.
	ssl CA certFile = /usr/local/samba/cert/certFile
	ssl server cert = /usr/local/samba/private/server.pem

There is no default for this option. Note that the certificate may contain the private key for the server.

This option specifies the location of the server’s private key. You should ensure that the location of the file cannot be accessed by anyone other than root. For example:

[global]
	ssl = yes
	ssl hosts = 192.168.220.
	ssl CA certFile = /usr/local/samba/cert/certFile
	ssl server key = /usr/local/samba/private/samba.pem

There is no default for this option. Note that the private key may be contained in the certificate for the server.

This option specifies the location of the client’s certificate. The certificate may be requested by the Samba server with the ssl require clientcert option; the certificate is also used by smbclient. For example:

[global]
    ssl = yes
    ssl hosts = 192.168.220.
    ssl CA certFile = /usr/local/samba/cert/certFile
    ssl server cert = /usr/local/ssl/private/server.pem
    ssl client cert= /usr/local/ssl/private/clientcert.pem

There is no default for this option.

This option specifies the location of the client’s private key. You should ensure that the location of the file cannot be accessed by anyone other than root. For example:

[global]
	ssl = yes
	ssl hosts = 192.168.220.
	ssl CA certDir = /usr/local/samba/cert/
	ssl server key = /usr/local/ssl/private/samba.pem
	ssl client key = /usr/local/ssl/private/clients.pem

There is no default for this option. This option is only needed if the client has a certificate.

This option specifies whether the client is required to have a certificate. The certificates listed with either the ssl CA certDir or the ssl CA certFile will be searched to confirm that the client has a valid certificate and is authorized to connect to the Samba server. The value of this option is a simple boolean. For example:

[global]
	ssl = yes
	ssl hosts = 192.168.220.
	ssl CA certFile = /usr/local/samba/cert/certFile
	ssl require clientcert = yes

We recommend that you require certificates from all clients that could be connecting to the Samba server. The default value for this option is no.

This option specifies whether the server is required to have a certificate. Again, this will be used by the smbclient program. The value of this option is a simple boolean. For example:

[global]
	ssl = yes
	ssl hosts = 192.168.220.
	ssl CA certFile = /usr/local/samba/cert/certFile
	ssl require clientcert = yes
	ssl require servercert = yes

Although we recommend that you require certificates from all clients that could be connecting to the Samba server, a server certificate is not required. It is, however, recommended. The default value for this option is no.

This option sets the ciphers on which SSL will decide during the negotiation phase of the SSL connection. Samba can use any of the following ciphers:

DEFAULT
DES-CFB-M1
NULL-MD5
RC4-MD5
EXP-RC4-MD5
RC2-CBC-MD5
EXP-RC2-CBC-MD5
IDEA-CBC-MD5
DES-CBC-MD5
DES-CBC-SHA
DES-CBC3-MD5
DES-CBC3-SHA
RC4-64-MD5
NULL

It is best not to set this option unless you are familiar with the SSL protocol and want to mandate a specific cipher suite.

This global option specifies the version of SSL that Samba will use when handling encrypted connections. The default value is ssl2or3, which specifies that either version 2 or 3 of the SSL protocol can be used, depending on which version is negotiated in the handshake between the server and the client. However, if you want Samba to use only a specific version of the protocol, you can specify the following:

[global]
	ssl version = ssl3

Again, it is best not to set this option unless you are familiar with the SSL protocol and want to mandate a specific version.

This global option specifies whether Samba should be configured to use other versions of SSL. However, because no other versions exist at this writing, the issue is moot and the variable should always be left at the default.