[Samba] Strong cryptography for Kerberos available?

Lars Hanke debian at lhanke.de
Sat Jul 5 10:11:14 MDT 2014

Am 04.07.2014 13:09, schrieb Andrew Bartlett:
> On Thu, 2014-07-03 at 22:54 +0200, Lars Hanke wrote:
>> If I query the AD DC I see:
>> root at samba4:/# ldapsearch -H  ldap://samba.ad.microsult.de -Y GSSAPI
>> '(sAMAccountName=mgr)'
>> SASL/GSSAPI authentication started
>> SASL username: Administrator at AD.MICROSULT.DE
>> SASL SSF: 56
>> SASL data security layer installed.
>> I would like to see SASL SSF: 112. Does anyone know whether and where
>> this can be configured?
> I don't think it's actually that weak, but the SASL libs probably don't
> know how to tell any better.  At the very least it would be using
> arcfour-hmac-md5, perhaps AES if provisioned at a high enough functional
> level.

Well, single DES can be brute-forced in less than a day using hardware 
available at several universities. And there are people driving cars 
worth more than such a hardware. This is weak!

Do I interpret your answer correctly that the choice of algorithms is 
driven by SASL?

Kind regards,
  - lars.

More information about the samba mailing list