I have a Canon MF645Cx printer / scanner that has the ability to upload documents via SMB to a server. I recently switched "server smb encrypt" to "desired" in the [global] section, which according to the documentation means that it "will enable negotiation and will turn on data encryption on sessions and share connections for those clients that support it". This works well for clients like default Windows 10, so instead of:

---- start ----
Samba version 4.17.10
PID     Username      Group   Machine                                   Protocol Version  Encryption            Signing
----------------------------------------------------------------------------------------------------------------------------------------
6018    XXX           users   192.168.0.10 (ipv4:192.168.0.10:54801)    SMB3_11           partial(AES-128-GCM)  partial(AES-128-CMAC)

Service      pid     Machine        Connected at                     Encryption   Signing
----------------------------------------------------------------------------------------------
XXX          6018    192.168.0.10   Sat Jul 22 03:42:01 2023 CEST    -            -
---- end ----

I get:

---- start ----
Samba version 4.17.10
PID     Username      Group   Machine                                   Protocol Version  Encryption            Signing
----------------------------------------------------------------------------------------------------------------------------------------
6193    XXX           users   192.168.0.10 (ipv4:192.168.0.10:54806)    SMB3_11           AES-128-GCM           AES-128-CMAC

Service      pid     Machine        Connected at                     Encryption   Signing
---------------------------------------------------------------------------------------------
XXX          6193    192.168.0.10   Sat Jul 22 03:42:38 2023 CEST    AES-128-GCM  AES-128-CMAC
---- end ----

WAI ;)

However, I immediately noticed that the printer is no longer able to upload documents and fails with error #806, which according to the documentation [1] means "Access was denied at the destination". Things work again when I remove "server smb encrypt = desired" from the config file.

When scanning works (no "server smb encrypt = desired"), smbstatus shows that the printer connects using SMB3_00 dialect to upload files:

---- start ----
# smbstatus

Samba version 4.17.10
PID     Username      Group   Machine                                   Protocol Version  Encryption            Signing
----------------------------------------------------------------------------------------------------------------------------------------
5858    CanonMF645Cx  users   192.168.66.12 (ipv4:192.168.66.12:49747)  SMB3_00           -                     partial(AES-128-CMAC)

Service      pid     Machine        Connected at                     Encryption   Signing
---------------------------------------------------------------------------------------------
scan         5858    192.168.66.12  Sat Jul 22 03:34:25 2023 CEST    -            AES-128-CMAC

Locked files:
Pid          User(ID)   DenyMode   Access      R/W        Oplock           SharePath   Name                        Time
--------------------------------------------------------------------------------------------------
5858         1003       DENY_ALL   0x120182    WRONLY     NONE             /var/scan   0814_230722033423_001.pdf   Sat Jul 22 03:34:24 2023
---- end ----

No other parameters have been changed (such as "client smb3 encryption algorithms"). Happy to provide all the debug data if you instruct me what information could be useful in this case.

[1] https://oip.manual.canon/FAQ01-0004-zz-SSM_n3-enUV/contents/cmcont-msg_error-error806.html

Things still work when "server smb encrypt = desired" is only added to the share:

---- start ----
Samba version 4.17.10
PID     Username      Group   Machine                                   Protocol Version  Encryption            Signing
----------------------------------------------------------------------------------------------------------------------------------------
20594   CanonMF645Cx  users   192.168.66.12 (ipv4:192.168.66.12:49765)  SMB3_00           partial(AES-128-CCM)  partial(AES-128-CMAC)

Service      pid     Machine        Connected at                     Encryption   Signing
---------------------------------------------------------------------------------------------
scan         20594   192.168.66.12  Sun Jul 23 22:52:52 2023 CEST    AES-128-CCM  AES-128-CMAC

Locked files:
Pid          User(ID)   DenyMode   Access      R/W        Oplock           SharePath   Name                        Time
--------------------------------------------------------------------------------------------------
20594        1003       DENY_ALL   0x120182    WRONLY     NONE             /var/scan   0816_230723225250_001.pdf   Sun Jul 23 22:52:51 2023
---- end ----
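
Added example, not part of the original report and not Samba code: a small audit helper that reads captured smbstatus text in the layout quoted above and lists share connections whose Encryption column is "-", together with the client's negotiated dialect. The names `state` and `unencrypted_shares` are hypothetical, the sample is constructed from rows quoted in the report, and cells are classified only by their printed form ("-", "partial(X)", "X").

```python
import re

# Constructed sample: rows copied from the smbstatus output quoted in the report.
SAMPLE = """\
PID   Username      Group  Machine                                   Protocol Version  Encryption   Signing
----------------------------------------------------------------
6193  XXX           users  192.168.0.10 (ipv4:192.168.0.10:54806)    SMB3_11           AES-128-GCM  AES-128-CMAC
5858  CanonMF645Cx  users  192.168.66.12 (ipv4:192.168.66.12:49747)  SMB3_00           -            partial(AES-128-CMAC)

Service  pid   Machine        Connected at                   Encryption   Signing
----------------------------------------------------------------
XXX      6193  192.168.0.10   Sat Jul 22 03:42:38 2023 CEST  AES-128-GCM  AES-128-CMAC
scan     5858  192.168.66.12  Sat Jul 22 03:34:25 2023 CEST  -            AES-128-CMAC

Locked files:
5858  1003  DENY_ALL  0x120182  WRONLY  NONE  /var/scan  0814_230722033423_001.pdf  Sat Jul 22 03:34:24 2023
"""

# Session row: PID user group machine (addr) dialect encryption signing
SESSION = re.compile(r"^(\d+)\s+\S+\s+\S+\s+(\S+)\s+\([^)]*\)\s+(\S+)\s+\S+\s+\S+$")
# Share row: service pid machine <connect time> encryption signing
SHARE = re.compile(r"^(\S+)\s+(\d+)\s+\S+\s+.+?\s+(\S+)\s+\S+$")

def state(cell):
    """Map an Encryption/Signing cell to (state, algorithm) by its printed form."""
    if cell == "-":
        return ("none", None)
    m = re.fullmatch(r"partial\((.+)\)", cell)
    return ("partial", m.group(1)) if m else ("full", cell)

def unencrypted_shares(text):
    """Return (share, machine, dialect) for share connections shown without encryption."""
    sessions, findings, section = {}, [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("PID "):
            section = "sessions"
        elif line.startswith("Service "):
            section = "shares"
        elif line.startswith("Locked files"):
            section = None  # lock rows also start with a PID; do not parse them
        elif section == "sessions" and (m := SESSION.match(line)):
            sessions[m.group(1)] = (m.group(2), m.group(3))
        elif section == "shares" and (m := SHARE.match(line)):
            share, pid, enc = m.groups()
            machine, dialect = sessions.get(pid, ("?", "?"))
            if state(enc)[0] == "none":
                findings.append((share, machine, dialect))
    return findings
```

On the constructed sample, `unencrypted_shares(SAMPLE)` reports only the printer's connection to the scan share.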