[Samba] Is samba FIPS compliant plus MAC OS X issue ?

Tompkins, Michael Michael.Tompkins at xerox.com
Wed Nov 26 08:46:06 MST 2014

Thanks, Andrew. We set "client ntlmv2 auth = yes" in the smb.conf file, as well as "client min protocol = SMB2" when we go to FIPS 140-2 mode, so the two should always be in sync. As far as Kerberos, I believe that is only for Authentication, but would not be for the transfer of data. We will continue to investigate how to ensure the correct cryptography to be FIPS 140-2 compliant.

- Mike

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Wednesday, November 26, 2014 3:57 AM
To: Tompkins, Michael
Cc: samba at lists.samba.org; USA Xerox Samba; Jeremy Allison; Trent, Michael
Subject: Re: [Samba] Is samba FIPS compliant plus MAC OS X issue ?

On Tue, 2014-11-25 at 18:29 +0000, Tompkins, Michael wrote:
> We now make a call to FIPS_mode_set(1) in smbclient 4.0.7 to enter FIPS mode of operation. We would like verification that samba is using the proper FIPS compliant algorithms. 

I'm not sure what your FIPS_mode_set is meant to do, but it is unlikely to have changed Samba's behaviour.  In terms of algorithms used, sadly we are constrained by some very old protocols that were not built for FIPS.  

However, you certainly could get very close to a 'FIPS mode' by using only Kerberos authentication (and running your kerberos library in a FIPS mode).  If that would qualify would really be up to your certifying body. 

> In addition, for FIPS, I set "client min protocol = SMB2", which should be the minimum for FIPS, correct !?!?

While off by default, you could still do NTLM or even LM with SMB2, so the two don't correlate.  

> Everything works fine for different MS servers, EXCEPT, when I try to connect to a MAC OS X, then the negotiate fails. In cli_session_setup_spnego_send() before it calls cli_session_setup_ntlmssp_send(), in gdb, I print *cli, and the differences with and without "client min protocol = SMB2" is:
> Without "client min protocol = SMB2":
> server_domain = 0x2112e688 "DTCRAPPLE",
> smb2 = {session = 0x2112bd10,
>
> With "client min protocol = SMB2":
> server_domain = 0x20f63d90 "",
> smb2 = {session = 0x0,
> This test was also run with our FEDORA 20 linux version 4.1.12, and I see the same issue, so it's not particular to our 4.0.7 implementation. 

This seems to be a separate issue which is shortly to be addressed. 

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
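The point Andrew makes above is that "client min protocol = SMB2" only constrains the SMB dialect, not the authentication mechanism, so the two settings have to be checked separately. The script below is an added example (not part of the thread and not Samba's own code) that parses the [global] section of an smb.conf and reports when the dialect floor and the client-side NTLM/LM settings are out of step. It assumes Samba's parameter-matching rules (case-insensitive, whitespace-insensitive), treats an unset "client ntlmv2 auth" as unasserted rather than relying on the compiled-in default, and assumes the documented default of "client lanman auth = no"; the sample configurations are constructed.

```python
"""Lint the client-side auth/dialect settings in an smb.conf [global] section.

Added example for the thread above; not Samba code. It checks the relationship
Andrew describes: a minimum protocol of SMB2 does not by itself rule out NTLMv1
or LM responses, so "client ntlmv2 auth" (and "client lanman auth") are
inspected independently of "client min protocol".
"""
import re

# SMB1-era dialect names accepted by "client min protocol"; anything
# starting with "smb2"/"smb3" is treated as an SMB2+ floor.
LEGACY_DIALECTS = {"core", "coreplus", "lanman1", "lanman2", "nt1"}
TRUE_VALUES = {"yes", "true", "1"}

# Finding codes returned by check_fips_posture().
MIN_PROTO_ALLOWS_SMB1 = "min-protocol-allows-smb1"
NTLMV1_OR_LM_POSSIBLE = "ntlmv2-auth-not-asserted"
LM_POSSIBLE = "lanman-auth-enabled"


def _normalize_key(key):
    # Samba matches parameter names ignoring case and whitespace, so
    # "Client Min Protocol" and "clientminprotocol" are the same option.
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text):
    """Return {section_name: {normalized_key: value}} for smb.conf-style text."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank lines and comments
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:                                # [global], [share], ...
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue                         # stray text outside a section
        key, value = line.split("=", 1)
        sections[current][_normalize_key(key)] = value.strip()
    return sections


def check_fips_posture(text):
    """Return a list of finding codes (empty list means the three settings agree)."""
    g = parse_smb_conf(text).get("global", {})
    findings = []

    proto = g.get("clientminprotocol", "").lower()
    if not proto or proto in LEGACY_DIALECTS:
        findings.append(MIN_PROTO_ALLOWS_SMB1)

    # Unset is reported: the check does not rely on the compiled-in default
    # (assumption of this example, so the setting is asserted explicitly).
    if g.get("clientntlmv2auth", "").lower() not in TRUE_VALUES:
        findings.append(NTLMV1_OR_LM_POSSIBLE)

    # Documented default is "no"; only an explicit "yes" is flagged.
    if g.get("clientlanmanauth", "no").lower() in TRUE_VALUES:
        findings.append(LM_POSSIBLE)

    return findings


# Constructed sample configurations for illustration.
SMB2_ONLY = """
[global]
    client min protocol = SMB2
"""

DIALECT_AND_AUTH = """
[global]
    Client Min Protocol = SMB2
    client ntlmv2 auth = yes
"""

LEGACY = """
[global]
    client min protocol = NT1
    client ntlmv2 auth = no
    client lanman auth = yes
"""

if __name__ == "__main__":
    for name, conf in (("SMB2_ONLY", SMB2_ONLY),
                       ("DIALECT_AND_AUTH", DIALECT_AND_AUTH),
                       ("LEGACY", LEGACY)):
        print(name, "->", check_fips_posture(conf) or "ok")
```

Running it shows that SMB2_ONLY, the configuration the original question asked about, still produces a finding on the authentication side, while DIALECT_AND_AUTH (the two settings Mike says are always set together) produces none.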
