[Samba] Is samba FIPS compliant plus MAC OS X issue ?
Tompkins, Michael
Michael.Tompkins at xerox.com
Tue Nov 25 11:29:25 MST 2014
We now make a call to FIPS_mode_set(1) in smbclient 4.0.7 to enter FIPS mode of operation. We would like verification that samba is using the proper FIPS compliant algorithms.
In addition, for FIPS, I set "client min protocol = SMB2", which should be the minimum for FIPS, correct !?!?
Everything works fine for different MS servers, EXCEPT when I try to connect to a MAC OS X; then the negotiate fails. In cli_session_setup_spnego_send() before it calls cli_session_setup_ntlmssp_send(), in gdb, I print *cli, and the differences with and without "client min protocol = SMB2" are:
Without "client min protocol = SMB2":
    server_domain = 0x2112e688 "DTCRAPPLE",
    smb2 = {session = 0x2112bd10,
With "client min protocol = SMB2":
    server_domain = 0x20f63d90 "",
    smb2 = {session = 0x0,
This test was also run with our FEDORA 20 linux version 4.1.12, and I see the same issue, so it's not particular to our 4.0.7 implementation.
Regards,
- Mike
-----Original Message-----
From: Jeremy Allison [mailto:jra at samba.org]
Sent: Wednesday, November 19, 2014 12:10 PM
To: Tompkins, Michael
Cc: samba at lists.samba.org; USA Xerox Samba; Trent, Michael
Subject: Re: [Samba] Is samba FIPS compliant ?
On Wed, Nov 19, 2014 at 04:53:46PM +0000, Tompkins, Michael wrote:
> Is samba FIPS compliant ? If so, does it need to use SMB2/SMB3 to be FIPS compliant ? We do not use the Heimdal Kerberos libraries that can be compiled with the samba release. We are using samba 4.0.7.
Samba *can be* FIPS compliant. I believe Red Hat have certified a distro using Samba.
But FIPS compliance is complex :-).
It also depends on what level of FIPS compliance.
I'm sure Xerox has a whole department of people who sell to the US Government, and who can tell you more about this :-).
But yeah, the basic requirements are there !