[cifs-protocol] GUI and AD LDAP settings required to enable FAST

Andrew Bartlett abartlet at samba.org
Tue Apr 27 05:28:16 UTC 2021

G'Day Dochelp,

Gary (CCed) has been building on Samba's raw protocol testsuite for
Kerberos to include tests for the new FAST protection for the AS-REQ /
TGS-REQ etc.

However despite provisioning a domain (and new forest) in Windows 2016
functional level and setting the group polity settings to enable FAST,
he has not been having any success.

I have to say I was a little surprised, I thought it would be on
automatically one the functional level was reached (being such an
important security upgrade and all). 

Despite Gary's best efforts, he hasn't been able to get FAST enabled
when talking to his (manually ASN.1 marshalled python-based) test

Also, for interoperability in a mixed-implementation domain, it will be
important for Samba to honour the same domain-wide state to learn if we
should enable FAST.  Presumably, like for password policies, the GPO is
adjusting a setting in LDAP?

If you could let us know the GUI settings (GPOs I think) and the
matching/underlying LDAP behaviours that would be really helpful. 

Please feel free to ask Gary for any further details you need, as he is
most keen to get an example Windows server running so he can complete
the tests. 


Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source

More information about the cifs-protocol mailing list