[Samba] samba4 ad tls version

Norbert Hanke norbert.hanke at gmx.ch
Fri Sep 17 21:03:04 UTC 2021


On 17.09.2021 22:24, Andrew Bartlett via samba wrote:
> On Fri, 2021-09-17 at 11:19 -0300, Marcos Ariel Negrini via samba
> wrote:
>> Hello:
>> I have a samba4 ad cluster, I am reading about the tls configuration
>> in
>> the smb file. I was looking into disabling the deprecated tls
>> versions.
>> I was wondering if there could be problems with older versions of
>> windows (in the cluster we have windows 7 mixed with 10) connecting
>> to
>> samba. Which tls configuration is recommended?
>> Regards
> In general we don't find Windows clients use TLS at all, they all use
> NTLM or ideally Kerberos.
>
> So you should be able to restrict this without that concern.
>
> I hope this helps clarify things,
>
> Andrew Bartlett

I checked against a Samba 4.14.5 DC running on Debian Buster (Raspberry Pi):

 > openssl s_client -connect dc2.ad.mydomain.ch:636
CONNECTED(00000003)
depth=1 C = CH, O = Myorg, CN = Myorg CA 1
verify return:1
depth=0 C = CH, O = Myorg, CN = dc2.ad.mydomain.ch
verify return:1
---
...
Shared Requested Signature Algorithms:
RSA+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA384:ECDSA+SHA384:RSA+SHA512:RSA-PSS+SHA512:RSA-PSS+SHA512:ECDSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
...
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
...

Looks like what GnuTLS/OpenSSL on the systems offer, without any
limitations superimposed by Samba.

But as Andrew pointed out: what a Windows client will use is a different
pair of shoes.

Regards,
Norbert
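As an added check, not part of the thread, the script below repeats the s_client probe above once per protocol version so you can see which versions the DC's LDAPS listener still negotiates before and after tightening the configuration. It assumes a POSIX shell, an openssl whose s_client accepts the -tls1 .. -tls1_3 flags, and a placeholder DC name.

```shell
# Added example, not from the thread: probe which TLS versions a DC's LDAPS
# port will negotiate, repeating the s_client check above once per version.
# Assumptions: POSIX sh, an openssl whose s_client accepts -tls1 .. -tls1_3,
# and a placeholder DC name.  Samba's own limit, if any, is set in smb.conf
# via 'tls priority' (a GnuTLS priority string); this script only observes
# what the listener actually accepts.

# Negotiated protocol from s_client output, e.g. "TLSv1.3".  Prints nothing
# when no session was set up (openssl then reports "New, (NONE), ...").
negotiated_protocol() {
    printf '%s\n' "$1" | sed -n 's/^New, \(TLSv[^,]*\), Cipher is .*/\1/p' | head -n 1
}

# Negotiated cipher suite from the same line, e.g. "TLS_AES_256_GCM_SHA384".
negotiated_cipher() {
    printf '%s\n' "$1" | sed -n 's/^New, TLSv[^,]*, Cipher is \(.*\)$/\1/p' | head -n 1
}

# Try each protocol version in turn and report accepted / rejected.
# Rejections caused by the *local* openssl lacking a version are flagged
# separately so they are not mistaken for a server-side restriction.
probe_tls_versions() {
    host=$1
    port=${2:-636}
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        out=$(openssl s_client -connect "$host:$port" "$flag" </dev/null 2>&1) || true
        proto=$(negotiated_protocol "$out")
        if [ -n "$proto" ]; then
            printf '%-8s accepted   %s %s\n' "$flag" "$proto" "$(negotiated_cipher "$out")"
        elif printf '%s\n' "$out" | grep -qi 'unknown option'; then
            printf '%-8s untestable (local openssl lacks this version)\n' "$flag"
        else
            printf '%-8s rejected\n' "$flag"
        fi
    done
}

# Constructed sample output (trimmed from the capture above) used to check
# the parsers without network access.
SAMPLE_OK='CONNECTED(00000003)
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
---'
SAMPLE_FAIL='New, (NONE), Cipher is (NONE)
---'

# Usage: sh probe.sh dc2.ad.example.com 636
if [ "$#" -gt 0 ]; then
    probe_tls_versions "$1" "${2:-636}"
fi
```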