[cifs-protocol] GUI and AD LDAP settings required to enable FAST
abartlet at samba.org
Tue Apr 27 05:28:16 UTC 2021
Gary (CCed) has been building on Samba's raw protocol testsuite for
Kerberos to include tests for the new FAST protection for the AS-REQ /
However despite provisioning a domain (and new forest) in Windows 2016
functional level and setting the group polity settings to enable FAST,
he has not been having any success.
I have to say I was a little surprised, I thought it would be on
automatically one the functional level was reached (being such an
important security upgrade and all).
Despite Gary's best efforts, he hasn't been able to get FAST enabled
when talking to his (manually ASN.1 marshalled python-based) test
Also, for interoperability in a mixed-implementation domain, it will be
important for Samba to honour the same domain-wide state to learn if we
should enable FAST. Presumably, like for password policies, the GPO is
adjusting a setting in LDAP?
If you could let us know the GUI settings (GPOs I think) and the
matching/underlying LDAP behaviours that would be really helpful.
Please feel free to ask Gary for any further details you need, as he is
most keen to get an example Windows server running so he can complete
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source
More information about the cifs-protocol