[Samba] samba-ad with FIPS enabled??

Andrew Bartlett abartlet at samba.org
Tue Oct 5 23:48:44 UTC 2021

On Tue, 2021-10-05 at 17:40 -0400, Edward M. Kutrzyba III via samba
> I made the mistake of upgrading our Samba-ad to 4.12 on REL7.  FIPS
> was enabled, so I discovered that I had to disable FIPS to get my AD
> domain back.  Is there a version of samba-ad I can run on REL8 that is
> FIPS compliant?

Not at this time.  Later versions of Samba do better at using GnuTLS
for cryptography, which means more of Samba honours the FIPS mode
signals from the system (this makes actual operation harder however).

Looking at master we do test the Samba AD DC in FIPS mode, so do try
the most current releases, but there will be things that just won't
work, like NTLM.

Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
