
Add smb encrypt option #4289

Draft
7CqKcKvfAf wants to merge 2 commits into home-assistant:master from 7CqKcKvfAf:samba-encryption-option

@7CqKcKvfAf 7CqKcKvfAf commented Jan 11, 2026

Adds option to set "smb encrypt" to off/desired/required. If set to required, all traffic between client and server will be encrypted instead of plain text message traffic.
Encryption requires the use of SMB3 and cannot be used in combination with the compatibility mode option.

Summary by CodeRabbit

  • New Features

    • Added SMB encryption option with three settings — off, desired (default), required — to control encryption of client-server traffic; "required" enforces SMB3 and restricts guest access.
  • Documentation

    • Added docs and translation strings for the encryption option and expanded guidance on server signing and compatibility mode behavior.


@home-assistant home-assistant bot left a comment


Hi @7CqKcKvfAf

It seems you haven't yet signed a CLA. Please do so here.

Once you do that we will be able to review and accept this pull request.

Thanks!

@home-assistant home-assistant bot marked this pull request as draft January 11, 2026 17:54
@home-assistant

Please take a look at the requested changes, and use the Ready for review button when you are done, thanks 👍

Learn more about our pull request process.

@7CqKcKvfAf 7CqKcKvfAf marked this pull request as ready for review January 11, 2026 17:56

coderabbitai bot commented Jan 11, 2026

Walkthrough

Adds a new SMB encryption option (off|desired|required), bumps version to 12.5.5, updates schema, docs, translation, and templates to conditionally emit smb encrypt and related SMB3 settings when encryption is required.

Changes

  • Changelog & Docs (samba/CHANGELOG.md, samba/DOCS.md, samba/translations/en.yaml): Add 12.5.5 changelog entry; document new encryption option, values, and default; add translation configuration.encryption with name and description.
  • Config Schema (samba/config.yaml): Bump version to 12.5.5; add top-level options.encryption default "desired" and schema allowing off|desired|required.
  • SMB Template (samba/rootfs/usr/share/tempio/smb.gtpl): Replace unconditional server signing with conditional block that emits smb encrypt = {{ .encryption }}; when required, apply SMB3-specific protocol/sign settings and ignore compatibility_mode; otherwise apply server signing and preserve compatibility_mode handling.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Pre-merge checks (3 passed)

  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The title accurately reflects the main change: adding a new SMB encryption configuration option with off/desired/required values across all relevant files.



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
samba/rootfs/usr/share/tempio/smb.gtpl (1)

22-34: Consider using server signing = mandatory instead of auto when encryption is required.

The logic correctly enforces SMB3 protocols when encryption is required and properly ignores compatibility_mode in this case. However, Samba best practices recommend server signing = mandatory when using SMB3 with encryption enabled. While signing becomes implicit with encryption at the transport level, explicitly setting it to mandatory ensures consistent security enforcement and aligns with documented hardening guidance.


📥 Commits

Reviewing files that changed from the base of the PR and between 104349e and 044015c.

📒 Files selected for processing (5)
  • samba/CHANGELOG.md
  • samba/DOCS.md
  • samba/config.yaml
  • samba/rootfs/usr/share/tempio/smb.gtpl
  • samba/translations/en.yaml
🔇 Additional comments (7)
samba/CHANGELOG.md (1)

3-6: LGTM!

The changelog entry follows the established format and accurately describes the new feature.

samba/translations/en.yaml (1)

36-41: LGTM!

The translation entry accurately describes the encryption feature and its interaction with compatibility mode.

samba/DOCS.md (2)

110-116: LGTM!

The documentation is clear, direct, and follows the Microsoft Style Guide. UI values are properly bolded, and the explanation is concise.


117-122: LGTM!

The documentation enhancement is clear and follows guidelines. The security explanation is valuable, and values are properly formatted.

samba/config.yaml (3)

2-2: LGTM!

Version bump is consistent with the changelog entry.


40-40: LGTM!

The default value "desired" is appropriate and aligns with the documentation.


64-64: LGTM!

The schema correctly defines the three allowed encryption values.

@7CqKcKvfAf 7CqKcKvfAf changed the title Add smb encrypted option Add smb encrypt option Jan 11, 2026
- "match(^(?i:(addons|addon_configs|backup|config|media|share|ssl))$)"
compatibility_mode: bool
apple_compatibility_mode: bool
encryption: list(off|desired|required)
Member

The documentation of Samba 4.18 (as shipped with the current app version) lists if_required as well (see smb.conf man). Maybe it also makes sense to add default (see above).

- ssl
compatibility_mode: false
apple_compatibility_mode: true
encryption: "desired"
Member

According to Samba 4.18 smb.conf man the default is if_required. Is there a reason you choose desired here? I fear that this might cause existing setups to break.

Also, smb.conf also knows the default string, maybe this is the safest choice, as it relies on the Samba maintainers' judgment what is the best default.

Contributor

default == if_required: will only enable encryption if the client requires it
desired: will always enable encryption, except in the case the client does not support it

so desired is better because it encrypts all possible connections, while still supporting clients which can't encrypt

...and this is a server service, which should be shipped with "secure" defaults, SMB 3 was introduced with Windows 10 / Server 2016, so every supported Windows client today will support SMB encryption; if one needs access with older clients, he can still use compatibility mode

Member

Do you know why the Samba developers did not choose this option by default?

Contributor

the developer of this addon is setting up an smb-server, as such he is indirectly the admin of a samba server, and as admin he is responsible to set up the server with secure defaults, because the end-user who is installing this addon/app does not care/does not know how to do a secure setup...

running unencrypted services, even on LAN is NOT secure and should not be embraced by unsecure defaults, especially as there are practically no more clients which do not support smb encryption, even Windows 8 and Windows Server 2012 do support it, also all smbclients on linux support it

.../me is voting for secure defaults ...but these are just my 2 cents :)

Member

Yeah I get that you want to pick a good, secure default. I generally agree with that principle.

It just strikes me as odd that this is not the default in Samba 🤔 Makes me wonder if there are reasons 🤷.

I sway more towards least surprise: This PR as it stands today changes the default for existing users. At the very least, this should be made clear in the changelog.

Also, no matter what default we are going with, at the very least let's add the old default if_required, and I'd also add default as an option as well.

Author

I believe we should provide the end user options which make it easy to understand what will be the achieved effect. This is why I decided to only expose off/desired/required as global options.

Concerning the default value: you can imagine I was a little bit surprised when I observed local network traffic between my Linux client and HA server with Wireshark and found out that I was able to read everything in plaintext.

If we provide default as option, many people might just use it without reading smb.conf documentation, not knowing that encryption will not be enabled on many or most connections. Personally I often trust (or hope) that developers/publishers pick safe config defaults.

Furthermore I think it would be good if the user could supply his own smb.conf to the app without being forced to build a custom HA app. But that is a little bit off-topic.

Member

> If we provide default as option, many people might just use it without reading smb.conf documentation, not knowing that encryption will not be enabled on many or most connections.

If that is the concern, then let's add a quick note in the option description: "Note: default will only encrypt if clients require encryption."

Not having today's default as a possible option is a no-go from my point of view. At the very least it is useful to regression test in case something doesn't work the way users expect after upgrading the Samba app to this new version.

name: Encryption
description: >-
Configure SMB encryption.
SMB3 protocol is used if set to required.
Member

This can be interpreted as if SMB3 is not used if this is not set to required. But that is not the case: "SMB protocol takes care of choosing the appropriate protocol." so SMB3 might be used even without this.

smb encrypt = {{ .encryption }}
{{ if eq .encryption "required" }}
client min protocol = SMB3
client max protocol = SMB3
Member

Client features are not used by the add-on so this doesn't really do anything.

interfaces = lo {{ .interfaces | join " " }}
hosts allow = 127.0.0.1 {{ .allow_hosts | join " " }}

smb encrypt = {{ .encryption }}
Member

To align with the other config uses:

Suggested change
smb encrypt = {{ .encryption }}
server smb encrypt = {{ .encryption }}

{{ if eq .encryption "required" }}
client min protocol = SMB3
client max protocol = SMB3
server min protocol = SMB3
Member

Why is this needed? From smb.conf man it sounds like this is anyways required when smb encrypt is set to required.
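
Added example (not part of this PR or the add-on's code): a small audit of a rendered smb.conf that reports the effective encryption mode, using the meanings given in the comments above, and flags `client ... protocol` lines, which only affect Samba acting as a client. The sample config is constructed; treating `smb encrypt` as a synonym of `server smb encrypt` and an unset value as `default` are assumptions.

```python
# Added example: audit the [global] section of a rendered smb.conf.
MODES = {  # meanings as described in the review thread (assumption)
    "off": "never encrypted",
    "default": "encrypted only if the client requires it",
    "if_required": "encrypted only if the client requires it",
    "desired": "encrypted unless the client cannot encrypt",
    "required": "always encrypted",
}

# Constructed sample, modelled on the template lines quoted in this thread.
SAMPLE = """
[global]
   interfaces = lo eth0
   smb encrypt = required
   client min protocol = SMB3
   client max protocol = SMB3
   server min protocol = SMB3
[share]
   smb encrypt = off
"""

def parse_global(conf_text):
    """Return {parameter: value} for the [global] section only."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Normalise case and runs of spaces in the parameter name.
            params[" ".join(key.lower().split())] = value.strip()
    return params

def audit_encryption(conf_text):
    """Return (effective mode, list of findings) for the server side."""
    params = parse_global(conf_text)
    # Assumption: "smb encrypt" == "server smb encrypt"; unset == "default".
    mode = params.get("server smb encrypt",
                      params.get("smb encrypt", "default")).lower()
    findings = []
    if mode not in MODES:
        findings.append(f"unknown encryption value {mode!r}")
    elif mode != "required":
        findings.append(f"plaintext possible: {MODES[mode]}")
    for key in sorted(params):
        if key.startswith("client ") and key.endswith(" protocol"):
            findings.append(f"'{key}' only affects Samba acting as a client")
    return mode, findings
```

Run `audit_encryption` on the file the template actually renders to confirm which mode the server ends up with after an upgrade.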


## 12.5.5

- Add option for setting smb encrypted parameter
Member

This needs a note that the default changes.

@home-assistant home-assistant bot marked this pull request as draft February 23, 2026 14:17