[Samba] Is samba FIPS compliant plus MAC OS X issue ?

[Andrew Bartlett]

On Tue, 2014-11-25 at 18:29 +0000, Tompkins, Michael wrote:
> We now make a call to FIPS_mode_set(1) in smbclient 4.0.7 to enter FIPS mode of operation. We would like verification that samba is using the proper FIPS compliant algorithms. 

I'm not sure what your FIPS_mode_set is meant to do, but it unlikely to
have changed Samba's behaviour.  In terms of algorithms used, sadly we
are constrained by some very old protocols that were not built for
FIPS.  

However, you certainly could get very close to a 'FIPS mode' by using
only Kerberos authentication (and running your kerberos library in a
FIPS mode).  If that would qualify would really be up to your certifying
body. 

> In addition, for FIPS, I set "client min protocol = SMB2", which should be the minimum for FIPS, correct !?!?

While off by default, you could still do NTLM or even LM with SMB2, so
the two don't correlate.  

> Everything works fine for different MS servers, EXCEPT, when I try to connect to a MAC OS X, then the negotiate fails. In cli_session_setup_spnego_send() before it calls cli_session_setup_ntlmssp_send(), in gdb, I print *cli, and the differences with and without "client min protocol = SMB2" is:
> 	
> Without "client min protocol = SMB2"					With "client min protocol = SMB2"
> server_domain = 0x2112e688 "DTCRAPPLE",				server_domain = 0x20f63d90 "",
> smb2 = {session = 0x2112bd10,				 		smb2 = {session = 0x0,
> 
> This test was also run with our FEDORA 20 linux version 4.1.12, and I see the same issue, so it's not particular to our 4.0.7 implementation. 

This seems to be a separate issue which is shortly to be addressed. 

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba