[Samba] Strong cryptography for Kerberos available?

Andrew Bartlett abartlet at samba.org
Fri Jul 4 05:09:48 MDT 2014

On Thu, 2014-07-03 at 22:54 +0200, Lars Hanke wrote:
> If I query the AD DC I see:
> root at samba4:/# ldapsearch -H  ldap://samba.ad.microsult.de -Y GSSAPI 
> '(sAMAccountName=mgr)'
> SASL/GSSAPI authentication started
> SASL username: Administrator at AD.MICROSULT.DE
> SASL SSF: 56
> SASL data security layer installed.
> I would like to see SASL SSF: 112. Does anyone know whether and where 
> this can be configured?

I don't think it's actually that weak, but the SASL libs probably don't
know how to tell any better.  At the very least it would be using
arcfour-hmac-md5, perhaps AES if provisioned at a high enough functional

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list