[Samba] Is samba FIPS compliant plus MAC OS X issue ?

Andrew Bartlett abartlet at samba.org
Wed Nov 26 01:57:29 MST 2014

On Tue, 2014-11-25 at 18:29 +0000, Tompkins, Michael wrote:
> We now make a call to FIPS_mode_set(1) in smbclient 4.0.7 to enter FIPS mode of operation. We would like verification that samba is using the proper FIPS compliant algorithms. 

I'm not sure what your FIPS_mode_set is meant to do, but it unlikely to
have changed Samba's behaviour.  In terms of algorithms used, sadly we
are constrained by some very old protocols that were not built for

However, you certainly could get very close to a 'FIPS mode' by using
only Kerberos authentication (and running your kerberos library in a
FIPS mode).  If that would qualify would really be up to your certifying

> In addition, for FIPS, I set "client min protocol = SMB2", which should be the minimum for FIPS, correct !?!?

While off by default, you could still do NTLM or even LM with SMB2, so
the two don't correlate.  

> Everything works fine for different MS servers, EXCEPT, when I try to connect to a MAC OS X, then the negotiate fails. In cli_session_setup_spnego_send() before it calls cli_session_setup_ntlmssp_send(), in gdb, I print *cli, and the differences with and without "client min protocol = SMB2" is:
> Without "client min protocol = SMB2"					With "client min protocol = SMB2"
> server_domain = 0x2112e688 "DTCRAPPLE",				server_domain = 0x20f63d90 "",
> smb2 = {session = 0x2112bd10,				 		smb2 = {session = 0x0,
> This test was also run with our FEDORA 20 linux version 4.1.12, and I see the same issue, so it's not particular to our 4.0.7 implementation. 

This seems to be a separate issue which is shortly to be addressed. 

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list