RPi4 support for Samba SMB encryption

I’m trying to configure OSMC (on RPi4) to use a secure (encrypted) connection to a local Samba server.
However it appears SMB encryption is not supported even though SMB 3.xx is supported.

I have been able to successfully configure OSMC and access media following the instructions here: File sharing with a NAS, media server, windows share or other device - General - OSMC

/etc/fstab configuration:

/dev/mmcblk0p1  /boot    vfat     defaults,noatime,noauto,x-systemd.automount    0   0
# rootfs is not mounted in fstab as we do it via initramfs. Uncomment for remount (slower boot)
#/dev/mmcblk0p2  /    ext4      defaults,noatime    0   0
//server/media1 /mnt/storage/media1 cifs x-systemd.automount,noauto,vers=3.11,iocharset=utf8,credentials=/home/osmc/.credentials,uid=osmc,gid=osmc,file_mode=0700,dir_mode=0700 0 0

The Samba configuration (smb.conf) is default with following additions:

    ntlm auth = no
    lanman auth = no
 
    server min protocol = SMB3_11
    server smb3 encryption algorithms = AES-256-GCM

Using smbstatus I can see the OSMC connection and the latest smb protocol version 3.11 is used however Encryption and Signing values are not populated.

root@down:~# smbstatus

Samba version 4.17.12-Debian
PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing              
----------------------------------------------------------------------------------------------------------------------------------------
1928    nobody       nogroup      xx.xx.xx.xx (ipv4:xx.xx.xx.xx:56992)      SMB3_11           -                    -                    

Service      pid     Machine       Connected at                     Encryption   Signing     
---------------------------------------------------------------------------------------------
media1       1928    xx.xx.xx.xx   Thu Jan  9 15:41:58 2025 NZDT    -            -           
IPC$         1928    xx.xx.xx.xx   Thu Jan  9 15:41:58 2025 NZDT    -            -           

Locked files:
Pid          User(ID)   DenyMode   Access      R/W        Oplock           SharePath   Name   Time
--------------------------------------------------------------------------------------------------
1928         65534      DENY_NONE  0x120089    RDONLY     LEASE(RWH)       /mnt/storage/media1   video.mp4   Thu Jan  9 15:52:27 2025

However if I add either of the below to smb.conf (and restart smbd) OSMC connections fail.

 server smb encrypt = required
 server smb3 signing algorithms = AES-128-GMAC

The error shown in OSMC cli is:

osmc@osmc:/mnt$ ls
ls: cannot access 'media1': Invalid argument

I’m confident the Samba configuration is correct as a laptop (Linux Mint) is able to connect using the same credentials as shown by smbstatus.
Note that Encryption and Signing values are populated when connecting via the laptop.

root@server:~# smbstatus

Samba version 4.17.12-Debian
PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing              
----------------------------------------------------------------------------------------------------------------------------------------
8118    osmc         osmc         laptop (ipv4:xx.xx.xx.xx:52568)            SMB3_11           AES-256-GCM          partial(AES-128-GMAC)

Service      pid     Machine       Connected at                     Encryption   Signing     
---------------------------------------------------------------------------------------------
IPC$         8118    laptop        Thu Jan  9 15:59:36 2025 NZDT    ???          AES-128-GMAC

So it looks like OSMC on RPi4 doesn’t support Samba encryption.
Which surprises me as I (naively) expected it to have sufficiently recent Samba libraries to support this, like SMBv3.11.

Am I missing something?

Environment

  • OSMC running Kodi 21.1 installed from OSMC_TGT_rbp4_20240825.img.gz
  • Samba version 4.17.12 running on Debian 12.7 (Proxmox container)
  • OSMC uses the credentials “osmc” for smb access
  • All updates applied to OSMC and Samba server via apt update && apt full-upgrade
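
An added example, not part of the original posts: a small Python parser for the text output of smbstatus as shown in the question above, listing every session or share whose Encryption column is "-". The function names, the sample text and the 192.0.2.x addresses are constructed for illustration.

```python
import re

# Row patterns for the two smbstatus tables; assumes one-word user names.
SESSION_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<group>.+?)\s+"
    r"(?P<machine>\S+\s+\(ipv[46]:[^)]+\))\s+"
    r"(?P<proto>\S+)\s+(?P<enc>\S+)\s+(?P<sign>\S+)\s*$")
SHARE_RE = re.compile(
    r"^(?P<service>\S+)\s+(?P<pid>\d+)\s+(?P<machine>\S+)\s+"
    r"(?P<when>.+?)\s+(?P<enc>\S+)\s+(?P<sign>\S+)\s*$")

# Constructed sample modelled on the output in the post (documentation IPs).
SAMPLE = """\
PID     Username     Group        Machine                              Protocol Version  Encryption    Signing
---------------------------------------------------------------------------------------------------------------
1928    nobody       nogroup      192.0.2.10 (ipv4:192.0.2.10:56992)   SMB3_11           -             -
8118    osmc         osmc         laptop (ipv4:192.0.2.20:52568)       SMB3_11           AES-256-GCM   partial(AES-128-GMAC)
Service      pid     Machine       Connected at                     Encryption   Signing
---------------------------------------------------------------------------------------------
media1       1928    192.0.2.10    Thu Jan  9 15:41:58 2025 NZDT    -            -
IPC$         8118    laptop        Thu Jan  9 15:59:36 2025 NZDT    ???          AES-128-GMAC
Locked files:
1928         65534      DENY_NONE  0x120089    RDONLY     LEASE(RWH)       /mnt/storage/media1   video.mp4   Thu Jan  9 15:52:27 2025
"""

def parse_smbstatus(text):
    """Return (sessions, shares) as lists of dicts parsed from smbstatus output."""
    sessions, shares, section = [], [], None
    for line in text.splitlines():
        if line.startswith("PID") and "Protocol Version" in line:
            section = "sessions"
        elif line.startswith("Service"):
            section = "shares"
        elif line.startswith("Locked files"):
            section = None  # lock rows would otherwise match SHARE_RE
        elif section == "sessions" and (m := SESSION_RE.match(line)):
            sessions.append(m.groupdict())
        elif section == "shares" and (m := SHARE_RE.match(line)):
            shares.append(m.groupdict())
    return sessions, shares

def unencrypted(text):
    """Describe every session or share whose Encryption column is '-'."""
    sessions, shares = parse_smbstatus(text)
    found = [f"session pid={s['pid']} user={s['user']} {s['proto']}"
             for s in sessions if s["enc"] == "-"]
    found += [f"share {s['service']} pid={s['pid']}"
              for s in shares if s["enc"] == "-"]
    return found
```

On the Samba server, the same functions can be fed the captured output of `smbstatus` instead of `SAMPLE`.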

SMB 3.0 encryption support seems to be added to the Linux kernel since version 4.11. Our current Pi kernel is 5.15, with an expectation to update to a 6.x kernel shortly.

Perhaps a CONFIG_ option for encryption is missing in the kernel configuration, but I’d be surprised as we haven’t had reports of this yet. You could check the current kernel configuration here: https://raw.githubusercontent.com/osmc/osmc/refs/heads/master/package/kernel-osmc/patches/rbp464-000-add-kernel-config.patch.

Samba is not SMB, but a userspace implementation.

If you are mounting using an /etc/fstab mount, you are bypassing Samba / libsmb which operates in userspace and you’re trying a kernel based mount.

Does it work via Kodi (as a test)?

Thanks for educating me and pointing out there are separate kernel (fstab) and userspace (Kodi/Nemo-file explorer) implementations Sam. :slightly_smiling_face:

I’ve done some testing by applying each of the following smb.conf options in isolation (and restarting smbd) and then trying to connect with different clients (OSMC vs laptop, smb client vs kernel fstab).

server smb encrypt = required
server smb3 signing algorithms = AES-128-GMAC
server smb3 signing algorithms = AES-128-CMAC
server smb3 signing algorithms = HMAC-SHA256
server smb3 encryption algorithms = AES-128-GCM
server smb3 encryption algorithms = AES-128-CCM
server smb3 encryption algorithms = AES-256-GCM
server smb3 encryption algorithms = AES-256-CCM

Environment

  • OSMC October 2024 2024.10-1
    Running Kodi 21.1 installed from OSMC_TGT_rbp4_20240825.img.gz
    Linux osmc 5.15.92-1-osmc #1 SMP PREEMPT Tue Jul 25 00:03:42 UTC 2023 aarch64 GNU/Linux
    libsmbclient:armhf 2:4.13.13+dfsg-1~deb11u6

  • Linux Mint 22 Wilma
    Linux left 6.8.0-51-generic #52-Ubuntu SMP PREEMPT_DYNAMIC Thu Dec 5 13:09:44 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
    libsmbclient0:amd64 2:4.19.5+dfsg-4ubuntu9

  • Debian GNU/Linux 12.7 running in Proxmox
    Samba version 4.17.12-Debian
    Linux down 6.8.12-5-pve #1 SMP PREEMPT_DYNAMIC PMX 6.8.12-5 (2024-12-03T10:26Z) x86_64 GNU/Linux

The table below provides results from the output of smbstatus command.
Successful connections show the Encryption then Signing algorithm values of the connection.

| smb.conf option applied | OSMC - Kodi client result | Laptop - Nemo/file explorer client result | OSMC - fstab/kernel result | Laptop - fstab/kernel result |
|---|---|---|---|---|
| server smb encrypt = required | AES-128-GCM partial(AES-128-CMAC) | AES-128-GCM partial(AES-128-GMAC) | Path not found or invalid | AES-128-GCM partial(AES-128-CMAC) |
| server smb3 signing algorithms = AES-128-GMAC | Software cause connection abort; Couldn’t connect to network server | AES-128-GCM partial(AES-128-GMAC) | Path not found or invalid | Invalid argument; CIFS: VFS: cifs_mount failed w/return code = -22 |
| server smb3 signing algorithms = AES-128-CMAC | AES-128-GCM partial(AES-128-CMAC) | AES-128-GCM partial(AES-128-CMAC) | - - | AES-128-GCM partial(AES-128-CMAC) |
| server smb3 signing algorithms = HMAC-SHA256 | invalid argument; Couldn’t connect to network server | AES-128-GCM partial(HMAC-SHA256) | Path not found or invalid | Invalid argument; CIFS: VFS: cifs_mount failed w/return code = -22 |
| server smb3 encryption algorithms = AES-128-GCM | AES-128-GCM partial(AES-128-CMAC) | AES-128-GCM partial(AES-128-GMAC) | - - | AES-128-GCM partial(AES-128-CMAC) |
| server smb3 encryption algorithms = AES-128-CCM | AES-128-GCM partial(AES-128-CMAC) | AES-128-CCM partial(AES-128-GMAC) | - - | AES-128-CCM partial(AES-128-CMAC) |
| server smb3 encryption algorithms = AES-256-GCM | Operation not permitted; Couldn’t connect to network server | AES-256-GCM partial(AES-128-GMAC) | - - | AES-256-GCM partial(AES-128-CMAC) |
| server smb3 encryption algorithms = AES-256-CCM | Operation not permitted; Couldn’t connect to network server | AES-256-CCM partial(AES-128-GMAC) | - - | mount error(13): Permission denied; CIFS: VFS: cifs_mount failed w/return code = -13 |

From this I see

  • OSMC Kodi client only supports Encryption = AES-128-GCM, Signing = partial(AES-128-CMAC)
  • Laptop Nemo (file explorer) client supports all
  • OSMC kernel doesn’t support any Encryption/Signing (but does support v3.11)
  • Laptop kernel supports most but not
    • signing algorithms = AES-128-GMAC (not yet implemented???)
    • signing algorithms = HMAC-SHA256 (because smb.conf set with server min protocol = SMB3_11 and removal of AES-128-CMAC from allowed will result in SMB3_00 and SMB3_02 being unavailable (and SMB3_11???))
    • encryption algorithms = AES-256-CCM (because smb.conf set with server min protocol = SMB3_11 and removal of AES-128-CCM from allowed will result in SMB3_00 and SMB3_02 (and SMB3_11???) being unavailable, as it is the default and only available algorithm for these dialects)

See smb.conf for more info about dialects being disabled.

Looking at the release notes LinuxCIFSKernel - SambaWiki and SMB3 kernel status - SambaWiki, there doesn’t appear to be anything noted for releases between 5.15 (osmc) and 6.8 (laptop).
It appears most changes were completed between releases 3.11 and 5.0 so I’d guess a 5.15 kernel should support Encryption and Signing.

Given the difference in kernel/fstab behaviour between OSMC/5.15 and laptop/6.8 I’d hazard a guess the cause is kernel configuration.
Looking at https://raw.githubusercontent.com/osmc/osmc/refs/heads/master/package/kernel-osmc/patches/rbp464-000-add-kernel-config.patch I’m only seeing these values which appear to be relevant. But sorry I have no idea if anything is missing/incorrect or not.

+CONFIG_CIFS=m
+# CONFIG_CIFS_STATS2 is not set
+CONFIG_CIFS_ALLOW_INSECURE_LEGACY=y
+CONFIG_CIFS_UPCALL=y
+CONFIG_CIFS_XATTR=y
+CONFIG_CIFS_POSIX=y
+CONFIG_CIFS_DEBUG=y
+# CONFIG_CIFS_DEBUG2 is not set
+# CONFIG_CIFS_DEBUG_DUMP_KEYS is not set
+CONFIG_CIFS_DFS_UPCALL=y
+# CONFIG_CIFS_SWN_UPCALL is not set
+CONFIG_CIFS_FSCACHE=y
+# CONFIG_SMB_SERVER is not set
+CONFIG_SMBFS_COMMON=m

You’re in the process of updating to a 6.x kernel so how about we park this until you/I can test again with a 6.x kernel?

And I’m not surprised no one has checked the smb encryption. It’s a bit obscure, and if it works people aren’t likely to bother.
At the end of the day I’m just trying to get the most modern/secure connection:

  • smb v3.11
  • Encryption = AES-128-GMAC
  • Signing = AES-256-GCM

But only because it’s part of my day job and I figure I should do it at home as well. :stuck_out_tongue:
And yes I could change kernel/fstab to be sshfs but now I’m feeling the need to get this working. :sweat_smile:

This would make the most sense because I am also updating to a newer Debian userland which will give you updated Samba as well

Best

Sam

Sweet, that’s a plan.
If you can advise when/how you want the testing to occur I’m happy to do that. :slightly_smiling_face:

I will

Sam